
Compliance Centre

Our Security

At CMS InfoSec Ltd, the security of our platform, Cyber Made Simple, and the protection of customer data is our highest priority. This Security Overview outlines the principles, technologies, and practices we use to maintain a secure and resilient environment.

 

1. Security Governance
We operate under a security-first mindset guided by:

  • Defined security policies and procedures

  • Regular audits and reviews

  • A dedicated security lead reporting to the executive team

 

2. Infrastructure Security
Our platform is hosted using industry-leading providers:

  • Frontend: Bubble.io (secure hosting, WAFs, uptime monitoring)

  • Backend/API: Xano (role-based access, API throttling, secure authentication)

  • Storage: Cloud Storage (S3-compatible, encrypted)

  • Automation: n8n with restricted API keys and OAuth scopes

  • Global Protection: Cloudflare for DDoS mitigation, CDN, and TLS enforcement

 

3. Data Encryption

  • In Transit: TLS 1.2+ encryption across all endpoints

  • At Rest: AES-256 encryption for stored data

  • Backups: Encrypted, redundant, and tested regularly

 

4. Access Control

  • Role-based access for internal staff

  • Principle of least privilege enforced across services

  • Multi-factor authentication (MFA) on admin systems

  • Session controls and audit logging on user accounts

 

5. Secure Development Lifecycle (SDLC)

  • Code reviews and approvals required for all changes

  • Regular dependency scanning (e.g., OWASP checks)

  • Staging environments isolated from production

 

6. Monitoring and Incident Response

  • Real-time monitoring with alerts on critical actions

  • Uptime and health monitored via Cronitor and UptimeRobot

  • Incident response plan with 24-hour internal escalation

  • Logs retained securely with tamper-evident storage

 

7. Data Privacy and Compliance

  • GDPR and UK GDPR aligned

  • Privacy by Design and by Default integrated into workflows

  • Data subject rights handling processes in place

 

8. AI and Automation Security

  • OpenAI API use with anonymized prompts

  • Rate-limiting and sanitization for all AI endpoints

  • AI outputs logged and monitored for abuse

 

9. Third-Party Risk Management

  • Sub-processors vetted and bound by Data Processing Agreements (DPAs)

  • Annual security assessments of critical vendors

  • Access scoped and time-limited for integrations

 

10. Responsible Disclosure

We welcome security researchers to report vulnerabilities. Reports can be sent to security@cmsinfosec.com. We follow a coordinated disclosure process.

 

11. Business Continuity and Disaster Recovery

  • Regular tested backups with geographic redundancy

  • DR plans reviewed semi-annually

  • RPO: 24 hours | RTO: 4 hours

 

12. Contact
For more information, contact our security team at: security@cmsinfosec.com

Terms & Conditions

Effective Date: 01 Jan 2025

Last Updated: 28 May 2025

Welcome to Cyber Made Simple, a cybersecurity SaaS platform operated by CMS InfoSec Ltd. These Terms and Conditions (“Terms”) govern your use of our services and website. By accessing or using Cyber Made Simple, you agree to be bound by these Terms.

 

1. Definitions

  • “Platform” refers to the Cyber Made Simple software and associated services.

  • “User” or “you” refers to anyone accessing or using the Platform.

  • “We,” “us,” “our” refers to CMS InfoSec Ltd.

 

2. Access and Use

  • You must be at least 18 years old and authorized to act on behalf of your organization.

  • Access is granted per your subscription plan via Chargebee.

  • You agree not to misuse the Platform, reverse engineer, or interfere with operations.

 

3. Account and Subscription

  • Each user must maintain a secure password and is responsible for account activity.

  • Billing is managed through Chargebee; fees are subject to your plan.

  • Downgrades, cancellations, or failed payments may result in restricted access.

 

4. Acceptable Use

You agree not to:

  • Violate applicable laws or regulations

  • Upload harmful, illegal, or infringing content

  • Exploit the Platform’s AI or automation for unauthorized purposes

 

5. Intellectual Property

  • All platform content, architecture, and modules remain the intellectual property of CMS InfoSec Ltd.

  • You retain rights to your uploaded content and documents.

  • AI outputs are licensed for your organization’s internal use only.

 

6. Privacy Policy

Your data is handled in accordance with our Privacy Policy. All personal data is processed within the EU in compliance with GDPR.

 

7. User-Generated Content 

You are solely responsible for all content uploaded, entered, or generated through the Platform under your account. CMS InfoSec Ltd is not liable for the legality, accuracy, or completeness of such content.

 

8. AI Usage Notice

  • AI-generated content may not always be accurate or suitable for all use cases.

  • Human oversight is recommended for all decisions made based on AI outputs.

 

9. Service Availability

  • We strive for 99.9% uptime but do not guarantee uninterrupted access.

  • Maintenance windows and outages (planned or unplanned) may occur.

 

10. Feature Testing

Beta Features and Modules: Some services may be labelled as Beta, Preview, or Experimental. These are offered “as-is” and may be modified, deprecated, or removed at any time. Use them at your discretion.

 

11. Third-Party Services

Cyber Made Simple integrates with third-party services such as OpenAI, Stripe, and Chargebee. We are not responsible for their services or their terms. Your use of such features is subject to the respective provider’s policies.

 

12. Export Compliance

You agree to comply with all applicable export laws and regulations. Cyber Made Simple may not be used in countries subject to embargoes or sanctions by the UK, EU, or US governments.

 

13. Feedback and Contributions 

Feedback or suggestions provided to CMS InfoSec Ltd may be used freely to improve the Platform. By submitting feedback, you grant us a royalty-free, irrevocable right to use it, unless otherwise agreed in writing.

 

14. Modifications 

We may revise these Terms at any time. Continued use after changes means you accept the new Terms.

 

15. Suspension for Security or Abuse  

We reserve the right to suspend your access without notice if we detect abuse, security risks, or violations that threaten the platform, other users, or data integrity. We will notify you after the suspension, if feasible.

 

16. Termination

CMS InfoSec Ltd may suspend or terminate your access if:

  • You violate these Terms

  • Payment fails or is overdue

  • Continued access poses security, compliance, or legal risk

Termination does not release you from prior payment obligations.


17. Data Portability and Retention

You may export your data at any time. Upon termination, your data will be retained for up to 90 days and then deleted unless legally required otherwise. Refer to our Privacy Policy for details.


18. Audit Rights

CMS InfoSec Ltd reserves the right to audit user activity for the purpose of enforcing these Terms, ensuring security, or responding to incidents. Any audit will respect confidentiality and privacy rights as required by law.


19. Fair Use and Resource Limits

You agree not to exceed fair use thresholds set by your subscription plan. CMS InfoSec Ltd reserves the right to throttle, suspend, or charge for excessive usage that impacts platform performance or other users.

 

20. Disclaimer for Advice and Compliance Tools 

Cyber Made Simple provides templates, AI-generated content, and recommendations to support your security and compliance efforts. This does not constitute legal or professional advice. You should consult qualified advisors for regulatory compliance decisions.

 

21. No Warranty on Outcomes 

The Platform and all content are provided “as-is” and “as available,” without warranties of any kind. We do not guarantee that use of the Platform will result in compliance, reduced risk, or legal/regulatory approval.

 

22. Limitation of Liability 

To the fullest extent permitted by law:

  • CMS InfoSec Ltd disclaims all warranties, express or implied, including fitness for a particular purpose.

  • CMS InfoSec Ltd is not liable for any indirect, incidental, special, or consequential damages, including loss of data, business, or revenue.

  • Total liability for any claim under these Terms shall not exceed the amount you paid for the service in the preceding 12 months.

You use Cyber Made Simple at your own risk, and we recommend complementing our services with appropriate internal reviews, controls, and safeguards.

 

23. Indemnity 

You agree to indemnify and hold CMS InfoSec Ltd harmless from any claims, losses, or damages arising from your misuse of the Platform or violation of these Terms.

 

24. Governing Law 

These Terms are governed by the laws of England and Wales, without regard to conflict of law principles.

 

25. Dispute Resolution and Venue 

We encourage informal resolution of disputes. If a resolution cannot be reached:

  • Governing law is England and Wales

  • Jurisdiction lies exclusively with English courts

  • Mediation may be attempted before formal legal action

 

26. Entire Agreement & Severability 

These Terms, together with our Privacy Policy and any applicable subscription terms, constitute the entire agreement. If any provision is held invalid, the rest of the Terms remain enforceable.

 

27. Survival 

Sections relating to intellectual property, disclaimers, limitation of liability, indemnity, dispute resolution, and data obligations shall survive termination or expiration of these Terms.

 

28. Contact 

For questions or legal notices, contact us at:
legal@cmsinfosec.com

Privacy Policy

Effective Date: 01 Jan 2025

Last Updated: 28 May 2025

CMS InfoSec Ltd (“we”, “our”, “us”) is committed to protecting your privacy. This Privacy Policy outlines how we collect, use, and safeguard your information when you use Cyber Made Simple, our cybersecurity SaaS platform.

 

1. Who We Are

Cyber Made Simple is a modular platform that helps small and mid-sized organizations manage cybersecurity and compliance. It is operated by CMS InfoSec Ltd, a company registered in England and Wales.

 

2. Data We Collect

We collect the following categories of data:

  • Account Data: Name, email, organization details, and roles

  • Billing Data: Processed through Chargebee and Stripe (EU-based)

  • Usage Data: Platform activity, logs, AI interactions

  • Uploaded Content: Policies, assessments, files entered by users

  • AI Prompts: Scrubbed of identifiable information before transmission

 

3. How We Use Data

We use your data to:

  • Provide, maintain, and improve our services

  • Authenticate users and manage accounts

  • Deliver AI-generated insights and reports

  • Fulfill legal, billing, and compliance requirements

  • Analyze anonymized usage for platform optimization

 

4. Legal Basis for Processing

We rely on:

  • Consent: For cookies and optional communications

  • Contractual Necessity: To provide you the services you subscribed to

  • Legal Obligation: For tax and data protection compliance

  • Legitimate Interests: Security monitoring and product development

 

5. Data Hosting and Transfers

  • All user data is stored on EU-based infrastructure (Linode London VPS, EU SaaS providers).

  • Cross-border data transfers (e.g., Bubble frontend) use SCCs and are strictly limited to non-sensitive assets.

 

6. AI & Automation

  • AI services are provided by OpenAI and/or Google Gemini and are integrated via anonymized, secured APIs.

  • You retain control: AI suggestions can be accepted, ignored, or overridden.

  • Logs of AI prompts and outputs are stored for auditability.

 

7. Your Rights

You have rights under GDPR and UK data protection laws to:

  • Access your data

  • Request correction or deletion

  • Object to or restrict processing

  • Request data portability

  • Withdraw consent at any time

Requests can be made through your account dashboard or by emailing privacy@cmsinfosec.com.

 

8. Data Retention

  • Personal data is retained while your account is active and up to 90 days post-termination.

  • AI logs and audit trails are retained for security, with lifecycle management applied.

  • Backups are encrypted and rotated per our disaster recovery policy.

 

9. Cookies and Tracking

  • The backend platform does not use cookies.

  • Frontend analytics are anonymized and cookie-free by default.

  • Cookie banners and opt-in/opt-out settings are managed in the UI.

 

10. Security Practices

  • TLS encryption for all data in transit

  • Encrypted storage and backups

  • Role-based access controls and session management

  • Monitoring, audit logs, and regular vulnerability scanning

 

11. Sharing and Disclosure

We only share your data with:

  • Trusted service providers under strict DPAs

  • Legal authorities when required

  • External advisors only with explicit authorization from your organization

We do not sell or trade your data.

 

12. Children’s Data

Cyber Made Simple is not intended for use by children under the age of 16. We do not knowingly collect personal data from minors. If we discover that such data has been collected, we will delete it promptly.

 

13. Data Protection Oversight

We monitor our data handling practices internally. For any concerns, contact privacy@cmsinfosec.com. A formal Data Protection Officer has not been designated at this time.

 

14. Supervisory Authority

If you believe your data has not been handled in accordance with the law, you may lodge a complaint with the UK Information Commissioner’s Office (ICO) or your local data protection authority.

 

15. Lawful Use

You must not use the Platform to process or transmit personal data in ways that violate data protection laws or infringe on the rights of third parties. CMS InfoSec Ltd disclaims responsibility for unlawful data usage initiated by users.

 

16. Changes to This Policy

We may update this policy from time to time. Material changes will be communicated via the platform or email.

 

17. Contact

For any privacy-related inquiries, contact us at:
privacy@cmsinfosec.com

Code of Conduct

Effective Date: 1 Jan 2025

Last Updated: 28 May 2025

This Code of Conduct outlines the principles and expectations for all staff, contractors, and affiliated individuals working with CMS InfoSec Ltd and its platform, Cyber Made Simple. It reflects our values of integrity, professionalism, and accountability in cybersecurity and compliance.

 

1. Purpose and Scope

This Code applies to all employees, partners, advisors, and service providers of CMS InfoSec Ltd. It governs behaviour in the workplace, online interactions, and use of the Cyber Made Simple platform.

 

2. Core Values

  • Integrity: We act honestly and ethically in all business dealings.

  • Respect: We treat colleagues, clients, and users with dignity and fairness.

  • Accountability: We take responsibility for our actions and decisions.

  • Confidentiality: We protect sensitive data and respect privacy.

  • Compliance: We follow all applicable laws, regulations, and standards.

 

3. Professional Conduct

All personnel must:

  • Uphold the highest standards of ethical behavior

  • Avoid conflicts of interest or disclose them promptly

  • Use company resources responsibly and legally

  • Refrain from harassment, discrimination, or abusive behavior

  • Cooperate fully in audits, investigations, or compliance reviews

 

4. Information Security and Data Protection

  • Follow CMS InfoSec’s security policies, including strong password practices, access control, and data handling protocols

  • Report security incidents or policy violations immediately

  • Never share user or customer data without proper authorization

 

5. Communication and Representation

  • Communicate professionally in all public and internal channels

  • Do not speak on behalf of CMS InfoSec Ltd without prior authorization

  • Use disclaimers where personal opinions are shared externally

 

6. Compliance with Laws and Policies

  • Abide by local, national, and international laws

  • Follow all internal policies, including those on privacy, ethics, security, and equal opportunity

 

7. AI and Automation Ethics

  • Ensure AI tools are used transparently and with human oversight

  • Avoid relying solely on automation for critical legal or ethical decisions

  • Flag any inappropriate, biased, or harmful outputs

 

8. Conflicts of Interest
Disclose any situation where personal, financial, or external interests might conflict with company responsibilities. Examples include:

  • Secondary employment with a competitor

  • Personal gain from confidential information

  • Involvement in decisions affecting family or close associates

 

9. Reporting Misconduct

  • All team members are encouraged to report violations of this Code

  • Reports can be made confidentially to ethics@cmsinfosec.com

  • Retaliation against whistleblowers is strictly prohibited

 

10. Enforcement and Disciplinary Action

Violations of this Code may result in disciplinary measures, including warnings, suspension, termination, or legal action. Serious breaches may be referred to authorities.

 

11. Digital Conduct

Personnel must use digital tools (e.g., email, messaging, collaboration platforms) responsibly and in accordance with CMS InfoSec Ltd’s Acceptable Use Policy. Unauthorized surveillance, spamming, or misuse of company systems is prohibited.

 

12. Remote and Hybrid Work

Remote workers must ensure a secure, distraction-free environment and follow company protocols for VPNs, device encryption, and work-related communications.

 

13. Diversity, Equity, and Inclusion (DEI)

We are committed to fostering an inclusive, respectful, and equitable environment. Discrimination, microaggressions, or exclusionary behavior based on race, gender, ability, age, or background are not tolerated.

 

14. Training and Awareness

All staff are required to complete regular training on ethics, cybersecurity, data protection, and AI safety. Participation is tracked and enforced as part of our compliance program.

 

15. Acknowledgment Requirement

All personnel must acknowledge this Code electronically or in writing during onboarding and annually thereafter.

 

16. Review and Acknowledgment

This Code is reviewed annually and may be updated. All personnel must acknowledge and agree to comply with the current version.

 

17. Questions or Clarifications

For any questions about this Code, contact the Compliance Officer at compliance@cmsinfosec.com

Data Processing Agreement

Effective Date: 1 Jan 2025

Last Updated: 25 May 2025

This Data Processing Agreement (“Agreement”) forms part of the Terms and Conditions between CMS InfoSec Ltd (“Processor”) and the Customer (“Controller”) for the processing of personal data under applicable data protection laws, including the UK GDPR and EU GDPR.


1. Subject Matter and Duration

This Agreement governs the processing of personal data by CMS InfoSec Ltd as part of providing the Cyber Made Simple platform. It remains in effect for the duration of the services provided under the Terms and Conditions.


2. Roles and Responsibilities

  • Controller: The Customer determines the purposes and means of the data processing.

  • Processor: CMS InfoSec Ltd processes personal data on behalf of the Controller, only as instructed.


3. Nature and Purpose of Processing

Processing involves the storage, organization, analysis, and transmission of personal data to deliver cybersecurity, compliance, and automation services as part of the Cyber Made Simple platform.


4. Categories of Data Subjects

  • Employees and users of the Controller

  • Customers or stakeholders entered by the Controller


5. Types of Personal Data

  • Contact data (name, email)

  • Employment-related data (role, department)

  • Platform usage and behavior

  • Policy and risk documentation


6. Processor Obligations

CMS InfoSec Ltd shall:

  • Process data only on documented instructions from the Controller

  • Ensure confidentiality and data security

  • Limit access to authorized personnel

  • Assist the Controller with data subject rights requests

  • Enable audits by the Controller or their representative

  • Notify the Controller of any data breach promptly


7. Sub-processors

Sub-processors may include:

  • Bubble (frontend infrastructure)

  • Xano (backend)

  • Chargebee (billing)

  • OpenAI (AI services)

  • DigitalOcean (cloud storage)

  • Stripe (payments)

All sub-processors are subject to written agreements ensuring equivalent data protection obligations.


8. International Transfers

Cross-border transfers shall be made in accordance with applicable laws using mechanisms such as Standard Contractual Clauses (SCCs) or adequacy decisions.


9. Security Measures

CMS InfoSec Ltd shall implement appropriate technical and organizational measures, including:

  • TLS encryption

  • Access control and role-based permissions

  • Regular audits and vulnerability scans

  • Data minimization and retention limits


10. Data Subject Rights

CMS InfoSec Ltd shall assist the Controller in responding to requests from data subjects, including access, correction, deletion, and portability.


11. Deletion or Return of Data

Upon termination of the service, CMS InfoSec Ltd shall delete or return all personal data, unless retention is required by law. Deletion will occur within 90 days.


12. Audit Rights

The Controller may audit the Processor once per year or in the event of a security incident. CMS InfoSec Ltd may require reasonable notice and conduct audits remotely or via verified third-party certifications (e.g., SOC 2, ISO 27001) unless otherwise agreed.


13. DPIAs and Consultations

Upon request, CMS InfoSec Ltd will assist the Controller in fulfilling its obligations regarding Data Protection Impact Assessments (DPIAs) and prior consultations with supervisory authorities, considering the nature of processing and information available.


14. Record Keeping

CMS InfoSec Ltd maintains a record of processing activities in accordance with Article 30 of the GDPR and shall make it available to the Controller or authorities upon request.


15. Breach Notification

In the event of a personal data breach, CMS InfoSec Ltd shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach, including all relevant information known at the time.


16. Liability and Indemnity

Each party remains liable for its obligations under this Agreement. The Controller indemnifies the Processor against claims arising from unlawful data instructions.


17. Governing Law and Jurisdiction

This Agreement is governed by the laws of England and Wales. Disputes shall be resolved in the courts of London unless otherwise agreed.


18. Contact
For privacy-related matters, contact: privacy@cmsinfosec.com

Site Update:
Usage notification

THE PROBLEM 

As you know, this site is maintained and personally funded by its creator.

We aim to keep this site free for all, but to do so we need people to use it. 

We have seen a decline in users accessing Cyber Made Simple. If this downtrend continues, the cost of running the site will outweigh its usefulness and we will have to consider shutting it down.

HOW YOU CAN HELP

  • Share this site with your friends and family
  • Post Cyber Made Simple on social media
  • Share your favorite articles and guides