Security Policy
How we protect your data and keep this website secure.
Last updated: 22 April 2026
1. Our commitment
Shaun Allen takes the security of your data and the integrity of this website seriously. We apply industry good practice to protect against unauthorised access, loss, alteration and misuse of personal data, in line with the UK GDPR, the Data Protection Act 2018 and the NCSC guidance where applicable.
2. HTTPS and encryption
All traffic to and from this site is encrypted using TLS (HTTPS). This protects the data you send (including contact form submissions) from being read or altered in transit. We use strong, up-to-date cryptographic standards and encourage you to use a modern, supported browser and to avoid using the site on untrusted or public networks where possible.
3. Security headers
We use HTTP security headers to harden the site, including:
- Strict-Transport-Security (HSTS) – to enforce HTTPS and reduce the risk of downgrade attacks
- Content-Security-Policy (CSP) – to reduce the risk of cross-site scripting (XSS) and related attacks
- X-Content-Type-Options – to prevent MIME-type sniffing
- X-XSS-Protection – additional protection where supported by the browser
- Referrer-Policy – to control what referrer information is sent to third parties
4. Contact form and data handling
Contact form submissions are validated and sanitised to prevent injection (e.g. email header injection, XSS) and abuse. We use CSRF tokens, rate limiting and CAPTCHA (after a number of attempts) to protect against automated abuse. We do not store form submissions in a database; they are sent by email and handled in line with our Privacy Policy. We do not sell or rent your data.
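As an added illustration of the two controls this section describes (not the site's own code), the following Python rejects contact-form fields that carry line breaks, which is what makes email header injection possible, and counts attempts per client so that a CAPTCHA is demanded after a few submissions and further ones are refused; the field names, thresholds and window are constructed assumptions.

```python
import re
from collections import defaultdict
from typing import Dict, List

# A CR or LF inside a value that ends up in a mail header (From, Subject, Reply-To)
# would let extra header lines be appended, so such values are rejected outright.
CRLF = re.compile(r"[\r\n]")
EMAIL = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")  # deliberately simple shape check


def validate_submission(form: Dict[str, str]) -> List[str]:
    """Return validation errors for a submission; an empty list means it is acceptable."""
    errors = []
    for field in ("name", "email", "subject"):  # assumed header-bound fields
        raw = form.get(field, "")
        if not raw.strip():
            errors.append(f"{field} is required")
        elif CRLF.search(raw):
            errors.append(f"{field} contains a line break (possible header injection)")
    email = form.get("email", "")
    if email.strip() and not CRLF.search(email) and not EMAIL.match(email):
        errors.append("email is not a valid address")
    return errors


class SubmissionLimiter:
    """Sliding-window attempt counter per client: 'captcha' once captcha_after attempts
    are exceeded, 'blocked' once max_attempts are exceeded (thresholds are constructed)."""
    def __init__(self, window_s: int = 600, captcha_after: int = 3, max_attempts: int = 10):
        self.window_s, self.captcha_after, self.max_attempts = window_s, captcha_after, max_attempts
        self.attempts: Dict[str, List[float]] = defaultdict(list)

    def record(self, client: str, now: float) -> str:
        """Record one attempt for this client at time `now` and return 'ok', 'captcha' or 'blocked'."""
        recent = [t for t in self.attempts[client] if now - t < self.window_s]
        recent.append(now)
        self.attempts[client] = recent  # drop attempts that fell out of the window
        if len(recent) > self.max_attempts:
            return "blocked"
        if len(recent) > self.captcha_after:
            return "captcha"
        return "ok"
```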
5. Email security
We take email security seriously. Business and enquiry-related email is handled via a provider that offers end-to-end encryption and zero-knowledge architecture where applicable—the same security model used by leading high-security email services. This means your messages and our correspondence are protected in transit and at rest, and the provider cannot decrypt the content of our mailbox. We use strong authentication and keep email access restricted to reduce the risk of compromise.
6. Sessions and cookies
We use a single, secure session cookie (HttpOnly, Secure, SameSite) for essential site operation (e.g. form security and rate limiting). Session identifiers are regenerated appropriately. See our Cookie Policy for details.
7. Server and infrastructure
We keep server software and dependencies updated to address known vulnerabilities. Access to hosting and systems is restricted and protected. We do not expose unnecessary services or sensitive paths. We follow the principle of least privilege where practicable.
8. Proactive vulnerability scanning
We do not rely on security by obscurity. This website and its infrastructure are scanned regularly for security vulnerabilities by multiple independent third-party services—on a weekly and monthly schedule—so we can find and fix issues before they can be exploited. Our scanning approach includes:
- External vulnerability scanning – automated checks for known CVEs, misconfigurations, exposed services and common weaknesses across our public-facing assets
- Web application scanning – testing for OWASP Top 10 issues (e.g. injection, XSS, broken authentication) and other web-specific vulnerabilities
- Security header and SSL/TLS grading – ongoing assessment of our HTTP security headers, TLS configuration and certificate hygiene, with remediation when standards are not met
- HSTS preload – this site is submitted to the browser HSTS preload list, so supported browsers will only connect to us over HTTPS from the first visit, reducing the risk of downgrade or man-in-the-middle attacks
We treat scan findings according to risk, prioritise remediation, and re-scan to confirm fixes. This forms part of our commitment to maintaining a strong security posture.
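The header grading described in sections 3 and 8 can be checked offline against a captured response, as in this added Python example (not the site's own scanner): it looks for the five headers section 3 lists and tests the Strict-Transport-Security value against the HSTS preload list's requirements (max-age of at least one year, includeSubDomains and preload). The sample header set is constructed, not captured from the site.

```python
from typing import Dict, List

# Constructed sample response headers (not captured from the real site).
SAMPLE_HEADERS = {
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "X-XSS-Protection": "0",  # legacy header; current browsers ignore it
    "Referrer-Policy": "strict-origin-when-cross-origin",
}

# The five headers section 3 of the policy lists (compared case-insensitively).
REQUIRED_HEADERS = ["strict-transport-security", "content-security-policy",
                    "x-content-type-options", "x-xss-protection", "referrer-policy"]

ONE_YEAR = 31536000  # smallest max-age the HSTS preload list accepts

def parse_hsts(value: str) -> Dict[str, str]:
    """Split an HSTS value into directives, names lower-cased (e.g. 'max-age')."""
    directives = {}
    for part in value.split(";"):
        name, _, val = part.strip().partition("=")
        if name:
            directives[name.lower()] = val.strip()
    return directives

def hsts_preload_problems(value: str) -> List[str]:
    """Return what stops this HSTS header meeting the preload-list requirements."""
    d = parse_hsts(value)
    try:
        max_age = int(d.get("max-age", ""))
    except ValueError:
        return ["max-age missing or not an integer"]
    problems = []
    if max_age < ONE_YEAR:
        problems.append(f"max-age {max_age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        problems.append("includeSubDomains directive missing")
    if "preload" not in d:
        problems.append("preload directive missing")
    return problems

def grade_headers(headers: Dict[str, str]) -> List[str]:
    """List findings for one response: missing policy headers and a weak HSTS value."""
    lower = {k.lower(): v for k, v in headers.items()}
    findings = [f"missing header: {h}" for h in REQUIRED_HEADERS if h not in lower]
    if "strict-transport-security" in lower:
        findings += hsts_preload_problems(lower["strict-transport-security"])
    return findings
```

An empty list from grade_headers means the response satisfies every check; each finding names the header or directive to fix.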
9. Personal data breach – our obligations to you
Under the UK GDPR and the Data Protection Act 2018, if a personal data breach occurs that is likely to result in a risk to your rights and freedoms, we will:
- Notify the Information Commissioner’s Office (ICO) without undue delay and, where feasible, within 72 hours of becoming aware of the breach (unless the breach is unlikely to result in a risk to individuals)
- Notify you without undue delay where the breach is likely to result in a high risk to your rights and freedoms, so that you can take steps to protect yourself (e.g. changing passwords, monitoring accounts)
We will document any personal data breaches and the facts, effects and remedial action taken, as required by law.
10. Reporting a vulnerability
If you believe you have found a security vulnerability on this site, please report it responsibly. You can contact us via the details on our contact page or refer to our security.txt file. We will acknowledge receipt and, where appropriate, work with you to understand and address the issue. We ask that you do not disclose the issue publicly before we have had a reasonable opportunity to respond. We do not pursue legal action against researchers who report vulnerabilities in good faith and in line with responsible disclosure.
11. No guarantees
While we take reasonable steps to secure the site and your data, no system can be guaranteed secure. We encourage you to use strong, unique passwords where relevant and to keep your own devices and software up to date. We are not liable for loss or damage arising from factors outside our reasonable control (e.g. sophisticated attacks, third-party failures).