
Growcreate is committed to maintaining the highest standards of security, privacy, and regulatory compliance. We have achieved ISO/IEC 27001 certification and are Cyber Essentials certified, which underscores our Information Security Management System and robust cyber hygiene practices.

Growcreate earned these certifications through rigorous independent audits, internal security testing, and continuous improvements. As a result, our clients and partners can trust that we have effective controls in place to protect their data and digital assets.

Certifications and Standards

ISO/IEC 27001:2022 – Information Security Management

We are certified to the ISO 27001 standard, an internationally recognised framework for managing information security. Growcreate follows a systematic approach to securing data, including risk assessments, security controls, and ongoing monitoring, to safeguard sensitive information. Achieving ISO 27001 involves demonstrating that we have identified potential risks and implemented comprehensive controls to manage or mitigate them. Certification is performed by an accredited third-party auditor, providing independent assurance of the effectiveness of our security program.

Cyber Essentials (UK)

Growcreate is also certified under the UK government's Cyber Essentials scheme. Cyber Essentials outlines five key controls (firewalls, secure configuration, patch management, user access control, and malware protection) that form a baseline of good cybersecurity practice. Being Cyber Essentials certified means we have verified our defences against common threats and have fundamental technical controls in place to protect against cyber attacks. This government-backed certification provides our customers with added confidence that we take cybersecurity seriously and continually address common vulnerabilities.

Additional Frameworks and Best Practices

In addition to our formal certifications, we align our security and privacy practices with industry best-practice frameworks. For example, we adhere to GDPR requirements (and the UK Data Protection Act) for data protection and privacy, and we monitor emerging regulations such as the EU Artificial Intelligence Act to ensure our services remain compliant with new standards. (The EU AI Act is a forthcoming regulatory framework establishing rules for developing and using AI systems in Europe.) We proactively adjust our policies and procedures in anticipation of such regulations, ensuring that we deliver any AI-driven solutions or data processing in an ethical and compliant manner. Growcreate also follows principles from standards such as ISO 27017 (cloud security) and ISO 27018 (cloud privacy), where applicable, leveraging them to guide our cloud architecture and data handling processes, even if we do not hold separate certificates for these. We have designed our overall compliance program to meet or exceed the expectations of modern security frameworks and laws, providing you with peace of mind that working with Growcreate will help you fulfil your own compliance obligations.

Cloud & Platform Compliance (Azure, Optimizely, Umbraco)

We build and host solutions on trusted platforms that carry their own robust compliance credentials. By leveraging these leading platforms, we inherit world-class security controls and certifications:

  • Microsoft Azure: As a Microsoft Azure specialist, Growcreate hosts many of its solutions on Azure's cloud infrastructure. Azure maintains one of the broadest portfolios of compliance certifications in the industry, including ISO/IEC 27001, 27017, and 27018, as well as SOC 1/2/3 attestation reports, PCI DSS, and numerous other global, regional, and industry-specific standards. Independent assessors regularly audit Azure's data centres and services. Azure services are in scope for ISO 27001, and Microsoft provides the corresponding audit reports via its Service Trust Portal. When we deploy your solution on Azure, it is running on infrastructure that meets rigorous security and privacy requirements. We can also take advantage of Azure's built-in compliance tools (such as Azure Policy and Microsoft Defender for Cloud) to ensure your solution's configuration remains compliant with standards like ISO 27001, NIST, PCI DSS, and GDPR. Furthermore, Azure offers data residency options – we can host data in EU or UK Azure regions to help you meet GDPR or other data localisation needs.
  • Optimizely: Growcreate is an Optimizely Solutions Partner, and we often implement Optimizely's Digital Experience Platform (DXP) for our clients. Optimizely's cloud services are certified and attested by third parties for multiple standards, including ISO/IEC 27001:2022 (information security), ISO/IEC 27017:2015 (cloud security controls), ISO/IEC 27018:2019 (cloud privacy for PII), SOC 2 Type II, PCI DSS v4.0.1, and TISAX. These certifications indicate that Optimizely has undergone rigorous evaluation for its security, availability, and confidentiality controls. By building on Optimizely, we ensure that the underlying platform meets enterprise-grade security requirements. For example, Optimizely's platform undergoes regular independent audits and assessments. Upon request, Growcreate can provide customers with Optimizely's SOC 2 Type 2 report or ISO certificates for assurance. Optimizely also supports compliance needs like HIPAA for healthcare clients by acting as a Business Associate and signing BAAs when required, implementing appropriate safeguards for Protected Health Information. In short, if your project utilises Optimizely, you benefit from a range of certified security controls that protect your data.
  • Umbraco: Growcreate is a Platinum Partner of Umbraco, an open-source .NET content management system. We deliver Umbraco solutions in a way that meets strict security and compliance requirements. When hosting Umbraco projects, we typically use our Umbhost managed hosting on Azure, which means the solution inherits Azure's certified security controls and compliance coverage. Umbraco HQ (Umbraco A/S in Denmark) adheres to ISO 27001 best practices and is actively working towards achieving ISO/IEC 27001 certification by the end of 2025. In the meantime, Umbraco Cloud (the official hosting service by Umbraco) runs on Azure infrastructure and leverages Azure's compliance achievements. Umbraco Cloud has many of the same security assurances (such as ISO 27001-aligned processes and EU/UK data residency) even before formal certification is complete. For self-hosted or Azure-hosted Umbraco implementations (as used by Growcreate), we implement robust cloud security controls – including network protections, encryption, and identity management – to ensure the solution can pass security audits and protect data, as detailed in our blog on Secure and Compliant Umbraco Hosting. In summary, whether using Umbraco Cloud or a custom Azure setup, our Umbraco solutions are designed to be secure, GDPR-compliant, and aligned with the principles of ISO 27001.

By relying on these platforms (Azure, Optimizely DXP, and Umbraco on Azure), Growcreate ensures that the foundational infrastructure and software in our projects meet stringent compliance standards. We are happy to include the official compliance attestations of these platforms in any tender or due diligence process. We demonstrate that not only is Growcreate as a company certified and security-conscious, but the tools and hosting environments we use are also independently audited and compliant with global standards.

Security Practices and Risk Management

Beyond certifications on paper, Growcreate maintains robust day-to-day security practices to ensure the safety of our clients' data. Our security framework includes:

  • Strong Access Controls: We enforce role-based access and the principle of least privilege for all systems and applications. Multi-factor authentication (MFA) is required for access to production environments and sensitive data, preventing unauthorised access even if credentials are leaked. We also implement strict password policies and use single sign-on where appropriate to centralise and secure identity management.
  • Encryption: All client data handled by Growcreate is encrypted in transit and at rest using industry-standard protocols. For instance, websites and applications we build are served exclusively over HTTPS/TLS. In cloud deployments, we use Azure's encryption capabilities (such as encryption at rest with Azure SQL Transparent Data Encryption and encryption of VM disks, as well as options for customer-managed keys in Azure Key Vault) to ensure stored data is protected. Backup data and secrets are likewise encrypted. These measures help prevent data breaches by rendering data unreadable to unauthorised parties.
  • Vulnerability Management: We conduct regular vulnerability assessments and prompt patch management to keep our systems and software up to date. Our teams continuously monitor for security patches for operating systems, frameworks, and the CMS platforms (Umbraco/Optimizely) we implement. We apply critical updates in a timely manner to address newly discovered vulnerabilities. Additionally, we configure Web Application Firewalls (WAFs) and endpoint protection to guard against common threats, such as SQL injection, XSS, malware, and DDoS attacks.
  • Penetration Testing: Growcreate regularly engages independent CREST-accredited penetration testers to test our solutions and infrastructure for vulnerabilities on behalf of our clients. These third-party pen tests help validate our security from an attacker's perspective. If any issues are identified, we remediate them swiftly and document the resolution. We can provide summaries of recent penetration test reports, along with our remediation actions, to clients upon request. This proactive testing regime ensures that our defences are not just theoretically sound, but also effective against real-world attack techniques.
  • Continuous Monitoring and Incident Response: Our operations team uses 24/7 monitoring and logging to maintain situational awareness of our hosted platforms. Azure Monitor and Security Centre (Defender for Cloud) alerts us to any anomalies, intrusions, or failures in real-time. We have incident response procedures in place so that if a security incident were to occur, we can react immediately to contain and resolve it. We perform regular internal audits to ensure compliance with our policies and to verify that security controls remain effective over time. We also undergo periodic external audits as required for ISO 27001 surveillance and recertification, which provides an objective check on our security posture.
  • Risk Assessments: In line with our ISO 27001 ISMS, Growcreate conducts periodic risk assessments to identify and evaluate security risks to our organisation and client projects. Our Management Team reviews these assessments, prioritises the top risks, and oversees the implementation of risk treatment plans. This formal risk management process involves continuously scanning for potential weaknesses – whether technological, procedural, or human – and taking steps to mitigate risk to an acceptable level. By regularly reviewing and updating our risk register, we adapt to new threats and ensure ongoing improvement of our security controls.

Business Continuity and Disaster Recovery

We recognise that robust security also involves preparedness for the unexpected. Growcreate has a Business Continuity and Disaster Recovery (BCDR) program to maintain operations and recover quickly in the event of a disruption. Our Business Continuity Plan outlines how we keep critical business functions running during incidents (for example, shifting work to alternate locations or communication tools during an office outage). Our Disaster Recovery Plan focuses on restoring IT systems and customer platforms in the event of a significant incident, such as data loss, ransomware attacks, or infrastructure failures. We perform regular backups of websites, databases, and code repositories, and these backups are tested periodically to ensure we can restore them. For hosted client solutions, we design architectures with resilience in mind – leveraging features like Azure's redundant storage, geo-replication, and failover capabilities to minimise downtime. We also carry out drills and tests of our DR procedures (at least annually) to validate that recovery time objectives can be met. Through this planning, we help ensure that even in a worst-case scenario, we can recover your digital platforms with minimal data loss and downtime.

Our commitment to continuity extends to cyber incidents as well. In the event of a security breach or other incident affecting client data, our incident response plan requires prompt notification to affected clients and complete transparency in remediation steps, in line with regulatory requirements (for instance, GDPR's breach notification rules and any contractual obligations). We also maintain cyber insurance coverage as an additional layer of protection, which can provide resources and support in recovery (for example, specialist response services) in case of a significant cyber event.

Transparency and Documentation

Growcreate believes that trust is earned through transparency. We maintain documentation for all our security and compliance practices and are happy to share these details upon request, subject to appropriate confidentiality agreements. For our clients and prospects (especially those in regulated industries or undergoing vendor due diligence), we can provide the following on request:

  • Certification Proof – Copies of our ISO/IEC 27001:2022 certificate and Cyber Essentials certificate, verifying our compliance status.
  • Audit and Attestation Reports – If required, we can arrange access to third-party audit reports that are relevant to our services. For example, Microsoft's ISO 27001 attestation reports (available via Microsoft's Service Trust Portal) or Optimizely's compliance attestations (such as their SOC 2 Type 2 report or PCI Attestation of Compliance) can be furnished to give you direct insight from the auditors. These demonstrate how the underlying platforms meet control objectives.
  • Policies and Procedures – We can provide overviews of key policies (Information Security Policy, Data Protection Policy, Incident Response Plan, etc.) to show how we govern and enforce security internally.
  • Data Protection Agreements – For clients processing personal data, we are prepared to sign Data Processing Agreements (DPAs) and adhere to EU Standard Contractual Clauses or UK International Data Transfer Agreements for cross-border data transfers, ensuring GDPR compliance in our partnership.
  • Service Level and Availability Commitments – We can include our standard Service Level Agreements for hosting or support services, which define uptime commitments and support response times, to meet your operational resilience requirements.

All requests for security and compliance documentation can be directed to our team (your Growcreate account manager or our security point of contact). We handle these requests promptly, typically providing the requested information under NDA to protect sensitive details. By sharing this information, we aim to make due diligence for your IT security teams as straightforward as possible and demonstrate that Growcreate is a supplier you can trust with critical systems.

Continual Improvement and Support

Security and compliance at Growcreate are ongoing commitments. We continuously monitor changes in the threat landscape and the regulatory environment to update our practices. Our internal security team, in coordination with management, reviews our controls and policies regularly – fostering a culture of continuous improvement. We also invest in training our staff on security awareness and best practices, so that everyone at Growcreate contributes to maintaining a strong security posture.

Most importantly, we integrate security into our project delivery from day one. From secure coding practices and code reviews to DevOps processes that incorporate security checks and final deployment hardening, security is built into each step. This means that when you engage Growcreate, you're getting a solution designed for long-term safety, compliance, and reliability. We follow "security by design" and "privacy by design" principles, ensuring that compliance requirements (be it GDPR, industry regulations, or internal policies) are considered early in the project and baked into the architecture.

Lastly, our support doesn't end at go-live. Through our Support. Enhance. Evolve. model, we offer ongoing maintenance and enhancements for your digital platforms. Part of that ongoing service is keeping your platform secure and up to date: we continuously apply patches, monitor for vulnerabilities, and improve configurations over time. If new compliance needs arise (for example, a new regulation or a new corporate policy you must adhere to), we will work with you to implement the necessary changes or controls. Our goal is to be a long-term partner in your security and compliance journey, enabling you to focus on your business objectives with confidence, knowing that the foundations are safe, sound, and compliant.

In summary, Growcreate provides enterprise-grade security and compliance as a core part of our services. Our ISO 27001 and Cyber Essentials certifications validate our commitment to information security, and our alignment with GDPR and other regulations ensures data privacy is upheld in all our projects. By leveraging certified platforms like Azure, Umbraco and Optimizely and following best practices for cloud and application security, we help you meet stringent compliance requirements with confidence. Whether you need documentation for a tender or assurance for your internal stakeholders, we deliver transparent and dependable information security so that you and your customers can trust the solutions we build together. Security is built into everything we do, and we strive to exceed compliance benchmarks so that working with Growcreate is a secure and worry-free experience.