Information Security at Decode

Decode.UK Limited takes information security seriously and applies a proportionate, risk-based approach to protecting information entrusted to us.

This page provides an overview of our information security principles and practices. It is intended as a high-level summary rather than a detailed policy document.

Our approach

Information security at Decode is guided by the following principles:

  • Risk-based and proportionate
    Security controls are selected based on the nature of the work we undertake, the sensitivity of information involved, and the risks presented.

  • Least privilege by default
    Access to systems and data is restricted to what is necessary for an individual’s role and responsibilities.

  • Privacy and security by design
    Security and data protection considerations are incorporated into our working practices and technical decisions from the outset.

  • Client-appropriate controls
    Where work is performed within client-managed environments, we follow agreed client security requirements and access controls.

How we protect information

Our security practices include, where appropriate:

  • Strong authentication and access controls, including multi-factor authentication
  • Secure configuration and maintenance of devices and services
  • Use of reputable, security-conscious cloud and software providers
  • Encryption and secure communication methods for sensitive data
  • Regular review of access and security settings
  • Ongoing security awareness for employees and contractors

Remote-first working

Decode operates as a remote-first organisation. We apply security practices designed to support secure remote working, including:

  • Secure device usage and operating system protections
  • Careful handling of information in home and shared environments
  • Use of approved collaboration and communication tools

Secure development

Where we develop software, we follow secure development practices appropriate to the engagement, including:

  • Secure coding principles
  • Code review and testing
  • Avoidance of hard-coded secrets or credentials
  • Sensible use of third-party libraries and dependencies

Incident handling

We maintain procedures for identifying, responding to, and managing security incidents. Where an incident may impact client systems or data, we work with the affected client promptly and in line with contractual and legal obligations.

Governance and assurance

Decode maintains a set of internal information security and governance policies covering areas such as access control, data handling, incident response, and secure development. These materials are made available to clients and partners on request, where appropriate.