About DoesQA
Who are you?
We’re DoesQA Ltd, a UK-registered company (Company No. 14499059), based in Leamington Spa. We provide a Software as a Service (SaaS) Test Automation Platform.
Website: https://does.qa
Where are you based?
Registered address:
Fulford House,
Newbold Terrace,
Leamington Spa,
Warwickshire,
United Kingdom,
CV32 4EA
Our team is fully remote but UK-based.
Who is the responsible person for IT systems?
Samuel Smith, Co-Founder.
How do you handle updates?
Automatic updates are enabled wherever possible.
High-risk or critical security updates are applied within 14 days.
Unsupported or end-of-life software is removed.
Certification & Assurance
What security certifications are held currently?
Cyber Essentials: Certification Held.
Cyber Essentials Plus: Certification Pending.
SOC2: Certification Pending.
ISO 27001: Certification is scheduled for 2026.
Why did you pursue security certification?
To improve our security practices and to give customers confidence in how we handle data.
Do you stay up to date with Cyber Essentials requirements?
Yes, our leadership team reviews and approves security controls and documentation on an annual basis.
Devices & Software
What devices do you use?
We use a mix of Windows, macOS, iOS, and Android devices. All are vendor-supported, patched promptly, and protected by firewalls and malware protection.
Do you run unsupported operating systems or beta software?
No - only vendor-supported versions are used. Devices must be kept current to remain in scope.
How do you manage software?
Unnecessary software and services are removed or disabled.
Only licensed, supported applications are used.
Cloud services (e.g., Google Workspace, Slack, GitHub) are automatically kept up to date.
How do you protect against malware?
Windows and macOS devices use Malwarebytes Endpoint Protection.
Mobile devices are restricted to official app stores (Apple App Store, Google Play).
Browsers and anti-malware tools block access to malicious sites.
Networks & Cloud
Do you have offices or servers?
No, we’re fully cloud-based. All infrastructure runs on AWS in the UK (eu-west-2).
What networks are in scope?
Contractors’ home/remote networks: secured with WPA2/3 encryption, unique strong passwords, and software firewalls.
AWS cloud networks: managed by the provider with strict access controls.
Which cloud services do you use?
SaaS: Google Workspace, Slack, GitHub/GitLab, Trello, HubSpot, Xero, and more.
IaaS: AWS.
PaaS: None.
Access & Accounts
How do you manage user accounts?
All accounts are unique, not shared.
New accounts require management approval.
Accounts are disabled promptly when staff or contractors leave.
How do you enforce least privilege?
Users get standard access by default; admin rights are only granted when necessary and approved at senior level.
Do you separate admin and user accounts?
Yes - administrators use separate named accounts with MFA, never for day-to-day tasks like email or browsing.
How do you prevent brute-force attacks?
MFA is enforced for Google Workspace and critical systems.
Login attempts are throttled or accounts locked after repeated failures.
Passwords & Authentication
How do you ensure password quality?
MFA everywhere it’s supported.
Passwords must be at least 12 characters (or 8 with MFA).
Common or guessable passwords are blocked automatically.
How do you support users in choosing secure passwords?
Guidance on using long passphrases (e.g. three random words).
Use of password managers is encouraged.
No forced password expiry.
What if an account is compromised?
Immediate suspension and password reset.
MFA re-checked.
Logs reviewed for suspicious activity.
Firewalls
How do you protect devices with firewalls?
All devices use built-in software firewalls (Windows, macOS, iOS, Android).
AWS security groups act as cloud firewalls, blocking inbound traffic by default.
Do you review firewall rules?
Yes, at least annually or whenever infrastructure changes.
Data & Services
How do you secure customer-facing services?
All external services require authentication, with MFA enforced.
Only essential inbound connections (e.g., HTTPS/TLS) are allowed.
Business cases for any inbound rules are documented and approved at board level.
Brute-force protections (throttling and account lockouts) are applied by default via vendor systems.