This page explains how Served HQ approaches security and cyber risk, and how responsibility for cyber incidents is shared between Served HQ and the businesses that use the platform.
1. Purpose of this page
Businesses increasingly need to understand a vendor's security posture and liability position as part of their own procurement and risk management. This page summarises our approach; it is not itself an insurance policy or a guarantee of an incident-free service.
2. Security measures
- Encryption of data in transit using industry-standard protocols.
- Access controls and role-based permissions for staff, business users and support tooling.
- Separation between environments, with restricted access to production systems.
- Logging and monitoring to help detect unusual account or system activity.
- Use of reputable, security-reviewed hosting, payment and infrastructure providers.
- Ongoing review and patching of dependencies and platform infrastructure.
3. Incident response
If we identify a security incident affecting the platform, we will investigate, take reasonable steps to contain and remediate the issue, and assess whether personal data was affected. Where a personal data breach affects a business's customer data, we will notify the affected business without undue delay, consistent with the Data Processing Agreement.
4. Breach notification
Where required by applicable law, Served HQ will support affected businesses in meeting their own regulatory notification obligations, including providing available information about the nature, scope and likely consequences of an incident and the measures taken or proposed in response.
5. Risk management
We focus our efforts on the preventative and responsive measures described above — access controls, encryption, monitoring and incident response — as these are what actually reduce the likelihood and impact of a security incident. We keep our broader risk management arrangements under periodic review as the business and its customer base evolve. Nothing on this page constitutes a representation as to the existence, scope or availability of any specific insurance arrangement, and businesses with specific risk, insurance or procurement requirements should contact us to discuss their needs.
6. Shared responsibility
Security is a shared responsibility. Served HQ secures the platform, infrastructure and the data it directly controls. Businesses are responsible for their own account credentials, staff access, device security, exported data, and for promptly reporting suspected compromise of their own account.
7. Liability for cyber incidents
To the maximum extent permitted by law, liability for cyber incidents and data breaches is allocated exclusively in accordance with the limitation of liability terms in the Terms of Service and, where applicable, a signed order form referencing the Master Service Agreement. Nothing on this page creates any liability, warranty, guarantee or representation beyond those terms, and this page is provided for general information only.
8. Reporting a security concern
If you discover a potential security vulnerability or believe data may have been exposed, contact Served HQ support with details of the issue, steps to reproduce it where relevant, and your contact information, so we can investigate promptly.