Security and Data Handling

Custom Iron On Patches Ltd handles customer personal data, payment information and artwork files in accordance with UK GDPR, the Data Protection Act 2018, PCI-DSS standards (via Stripe) and documented internal security practices. This page describes the technical security infrastructure, hosting, encryption, access controls, artwork file protection, data retention, and breach response, that supports those legal commitments.

This statement is the technical companion to the privacy policy (which covers the legal and regulatory framework) and the payment methods and security page (which covers payment processing security specifically). It is intended for B2B procurement teams, public sector buyers, sensitive-sector clients and anyone evaluating Custom Iron On Patches’ technical security posture.

Hosting Infrastructure

Website Hosting

The Custom Iron On Patches website is hosted on a UK-based commercial hosting provider with the following standard security infrastructure:

  • TLS encryption – all traffic to and from the website is encrypted in transit using TLS 1.2 or higher
  • DDoS protection – hosting provider includes baseline DDoS protection at network level
  • Server hardening – hosting provider applies security patches, firewall rules and intrusion detection at infrastructure level
  • Backup infrastructure – automated daily backups of website files and database, retained per provider’s standard retention schedule

The hosting provider operates under UK and EU data protection law. Specific hosting provider name and certifications are available on request to verified B2B procurement contacts.

Server Location

Website data is hosted in UK data centres. Customer personal data, order records and artwork files are stored within the UK or EU. Data is not transferred outside UK/EU jurisdictions without appropriate safeguards (Standard Contractual Clauses or adequacy decisions).

For B2B procurement teams requiring specific data residency confirmation, the hosting provider’s data centre location confirmation can be supplied as part of supplier onboarding documentation.

Encryption and Data Protection in Transit

Website Traffic

All traffic between visitors and the Custom Iron On Patches website is encrypted using TLS (Transport Layer Security):

  • Minimum protocol: TLS 1.2
  • Preferred protocol: TLS 1.3 where supported
  • Certificate: Let’s Encrypt or commercial SSL certificate (auto-renewing)
  • Forced HTTPS: all HTTP requests automatically redirect to HTTPS
  • HSTS header: HTTP Strict Transport Security enabled to prevent downgrade attacks

Customers can verify encryption by checking the padlock icon in their browser’s address bar when visiting the site.

Form Submissions

All form submissions on the site (quote forms, contact forms, B2B enquiry forms) are transmitted over HTTPS. Form data is processed by:

  • Server-side validation – all incoming form data is validated and sanitised before processing
  • Anti-bot protection – reCAPTCHA v3 plus honeypot fields prevent automated submissions
  • Email notification encryption – form notifications to the support inbox are transmitted over TLS

File Uploads (Artwork Submission)

Customer artwork files uploaded via the quote form are:

  • Transmitted over HTTPS during upload
  • Scanned for malware before being saved to server storage
  • File-type restricted to approved formats (.ai, .eps, .pdf, .svg, .png, .jpg, .psd), executable files are blocked at upload
  • Size-limited to 25MB per file to prevent server resource abuse
  • Stored in restricted directories, uploaded files are stored outside web-publicly-accessible directories

Payment Data Security

Payment processing is handled by Stripe, a PCI-DSS Level 1 certified payment processor. Custom Iron On Patches’ role in payment security is therefore:

  • No raw card data is stored on Custom Iron On Patches’ servers, at any time, by any process
  • No raw card data is transmitted through Custom Iron On Patches’ infrastructure, card details are entered directly into Stripe’s secure form
  • No raw card data is logged in server logs, application logs or backups
  • Tokenised payment references only, Custom Iron On Patches’ systems only ever see Stripe’s tokenised reference, which cannot be used to recreate the original card

For full payment security detail, see the payment methods and security page.

Strong Customer Authentication (SCA)

Card payments are protected by Strong Customer Authentication under PSD2 regulations. This includes:

  • 3D Secure 2 verification, card-not-present transactions require additional verification (typically biometric or one-time-code)
  • Stripe Radar fraud detection, machine-learning fraud screening on every transaction
  • Authorisation checks, issuer-side verification before transaction approval

Customer Personal Data

Custom Iron On Patches processes the following categories of personal data:

Data CategorySourceStorage
Contact details (name, email, phone)Quote forms, contact forms, account creationEncrypted database, retention per privacy policy
Delivery addressesQuote forms, order formsEncrypted database, retention per privacy policy
Order historyOrder processing systemsEncrypted database, retention per privacy policy
Communication recordsCustomer service email, phoneEncrypted email/CRM, retention per privacy policy
B2B procurement detailsB2B account applicationEncrypted database, retention per privacy policy

Access Controls

Personal data access is restricted to authorised team members on a least-privilege basis:

  • Customer service team, access to contact details, orders and communication records (read/write)
  • Production team, access to order specifications and artwork files (read-only)
  • B2B account managers, access to B2B account details and order history (read/write)
  • Senior management, access to all data for operational oversight

Access is managed via:

  • Individual user accounts, no shared logins
  • Strong password requirements, minimum length, complexity rules
  • Two-factor authentication, required for systems accessing customer data
  • Activity logging, significant data access events are logged
  • Account deactivation, individual accounts deactivated when team members leave

Customer Artwork File Handling

Customer artwork is one of the most security-sensitive categories of data Custom Iron On Patches handles. Artwork files frequently include:

  • Brand logos protected by trademark and copyright
  • Bespoke designs created exclusively for the customer
  • Military insignia, police identifiers and uniformed services badges
  • School and university crests and house designs
  • Confidential pre-launch product or campaign artwork

The Company applies the following protections to customer artwork:

File Storage

  • Artwork files are stored in restricted server directories not accessible from the public web
  • Files are organised by order reference and customer identifier
  • Access is restricted to the in-house design and digitising team for production work
  • Artwork is not visible to other customers, third parties or the public web at any time

File Use

Customer artwork is used exclusively for fulfilling the specific order it was supplied for. The Company does not:

  • Reuse customer artwork for other customers’ orders
  • Display customer artwork in marketing materials without explicit written permission
  • Sell customer artwork to third parties (this would never be done)
  • Allow third-party access to customer artwork
  • Use customer artwork for AI training purposes

For artwork that becomes part of a published case study, explicit written customer permission is obtained before publication. See the editorial policy and the case studies hub for case study standards.

File Retention

Artwork files are retained:

  • During production, for the duration of the order
  • For repeat orders, for 24 to 60 months after order completion to enable repeat orders without re-digitising
  • For warranty and dispute support, for the warranty period (typically 14 days from delivery) plus reasonable dispute window

After the retention period, artwork files are deleted from active production systems. Backup copies are retained per backup retention schedule and deleted on rotation.

Customers can request earlier deletion of their artwork at any time. To request artwork deletion, email [email protected] with the order reference and “Artwork Deletion Request” in the subject line.

Customer Artwork Ownership

The customer retains all intellectual property rights in artwork they supply. Custom Iron On Patches does not claim ownership of customer artwork at any time. This includes:

  • Original artwork files supplied by the customer
  • Modified versions created by the in-house design team during production preparation
  • Digitised production files derived from the customer’s artwork

The Company holds a limited licence to use the artwork solely for fulfilling the customer’s order.

For full intellectual property terms, see the acceptable use and IP policy.

Email and Communication Security

Inbound Email

Customer emails to Custom Iron On Patches are handled via:

  • TLS-encrypted email transport, supported by all major UK email providers
  • Anti-spam and anti-phishing filtering, applied at email service provider level
  • Anti-malware scanning, attachments scanned before delivery
  • Sender authentication, SPF, DKIM and DMARC records validated

Outbound Email

Custom Iron On Patches’ outbound email is configured with:

  • SPF (Sender Policy Framework), published DNS records authorising authorised sending servers
  • DKIM (DomainKeys Identified Mail), cryptographically signed outbound emails
  • DMARC (Domain-based Message Authentication), policy enforcement against email spoofing

These protections reduce the risk of impersonation and ensure customers can verify that emails purporting to be from Custom Iron On Patches are genuine.

If a customer receives a suspicious email claiming to be from Custom Iron On Patches, they can verify by contacting the team directly via the published contact details (not by replying to the suspicious email).

Backup and Continuity

Backup Schedule

Custom Iron On Patches maintains backups of:

  • Website files and configuration, automated daily backups by hosting provider
  • Customer database, automated daily backups, retained per provider standard retention
  • Order records, backed up as part of database backup
  • Artwork files, backed up to secure offsite storage on rotation

Continuity Planning

In the event of system disruption (hosting provider outage, hardware failure, data corruption), recovery procedures include:

  • Restore from latest backup within 24 hours of incident detection
  • Customer service via phone, 07746 501247, available even during website outage
  • Manual order processing, quote and order handling can continue via email and phone if web systems are unavailable
  • Customer notification, significant disruptions affecting customer-facing services are communicated promptly via email

For B2B accounts requiring specific business continuity assurance (e.g. NHS Trust suppliers, MoD framework holders), additional continuity documentation is available on request.

Breach Response

In the rare event of a security breach affecting customer data, Custom Iron On Patches follows a documented breach response process:

Detection and Containment

  1. Detection, breach identified through monitoring, customer report or internal review
  2. Initial assessment, scope, severity and affected data categories assessed within 24 hours
  3. Containment, affected systems isolated and immediate technical mitigations applied

Notification

Custom Iron On Patches commits to:

  • ICO notification within 72 hours of awareness of a breach affecting personal data, where required under UK GDPR Article 33
  • Affected customer notification without undue delay where the breach is likely to result in a high risk to individuals’ rights and freedoms (UK GDPR Article 34)
  • Public sector and B2B contractual notification per the customer’s specific contractual requirements where these exceed UK GDPR baseline requirements

Remediation

After breach response, the Company:

  • Conducts a root-cause analysis to identify how the breach occurred
  • Implements technical and operational changes to prevent recurrence
  • Documents the incident and response in the internal breach log
  • Reviews relevant policies and procedures for revision

The Company maintains an internal breach response procedure document available to senior staff and to public sector procurement teams on request.

Third-Party Service Providers

Custom Iron On Patches uses the following third-party services that have access to data:

ServiceFunctionData CategoriesCompliance
StripePayment processingCard data (tokenised), payment metadataPCI-DSS Level 1
PayPalPayment processingPayPal account references, payment metadataPCI-DSS, regulated by FCA
Royal Mail / DPDUK deliveryDelivery addresses, order weightUK GDPR data processors
Hosting providerWebsite hostingAll website dataUK GDPR data processor
Email service providerOutbound emailCustomer email addresses, communication contentUK GDPR data processor
CRM / Customer managementOrder and B2B account managementCustomer contact data, order historyUK GDPR data processor
Analytics provider (e.g. Google Analytics 4)Website usage analyticsCookie-based usage dataSubject to consent, see cookie policy

Each third-party processor is subject to a data processing agreement (DPA) under UK GDPR Article 28. The list above is not exhaustive, for the full list of processors, contact the team via the contact page.

For the full data handling and processing position, see the privacy policy.

Security Documentation Available on Request

For B2B procurement teams, public sector buyers and sensitive-sector clients conducting supplier security evaluation, the following documentation can be supplied:

  • Hosting provider security certifications
  • Data processor list with DPA confirmations
  • Backup and disaster recovery procedure summary
  • Breach response procedure summary
  • Internal access control documentation summary
  • Insurance certificates (cyber insurance, public liability, product liability)
  • ICO data protection registration confirmation
  • Companies House and VAT registration confirmation

To request supplier security documentation, contact the team via bulk and trade enquiries with “Supplier Security Documentation” specified. Sensitive documentation may require an NDA before release.

Reporting a Security Concern

If a customer or external researcher identifies a potential security vulnerability or concern, the Company welcomes responsible disclosure.

To report a security concern:

  • Email: [email protected] (subject: “Security Concern”, confidential)
  • Phone: 07746 501247

For confidential disclosure, mark the email “Confidential, Security” and the team will respond with secure communication arrangements.

The Company commits to:

  • Acknowledge security reports within 2 working days
  • Investigate reported concerns and provide a status update within 14 days
  • Address valid security issues per the severity assessment
  • Not pursue legal action against good-faith security researchers who follow responsible disclosure principles

Frequently Asked Security Questions

Where is customer data stored?

Customer personal data, order records and artwork files are stored in UK or EU data centres. Data is not transferred outside UK/EU jurisdictions without appropriate UK GDPR safeguards.

Is card data stored on Custom Iron On Patches’ servers?

No. Card data is processed entirely by Stripe (PCI-DSS Level 1 certified). Custom Iron On Patches’ systems only ever see tokenised payment references. Raw card data never touches the Company’s infrastructure.

Who can access my artwork files?

Customer artwork is stored in restricted server directories accessible only to authorised members of the in-house design and digitising team for production work. Files are not visible to other customers, third parties or the public web. The Company does not reuse customer artwork for other orders or for AI training purposes.

How long is my data retained?

Personal data is retained per the privacy policy, which sets specific retention periods by data category. Artwork files are retained during production and for a period after to enable repeat orders. Customers can request earlier deletion at any time.

What happens if there’s a data breach?

The Company follows a documented breach response process: detection within 24 hours, ICO notification within 72 hours where required, affected customer notification where high risk to individuals exists, root-cause analysis and remediation. The Company has not experienced a notifiable data breach to date.

Are you ICO-registered?

Yes. Custom Iron On Patches Ltd is registered with the Information Commissioner’s Office.

What documentation can you provide for procurement security review?

Hosting certifications, data processor list, backup and breach response summaries, access control documentation, insurance certificates, ICO and Companies House registration. Request via bulk and trade enquiries with “Supplier Security Documentation” specified.

Get In Touch

For security and data handling enquiries, supplier procurement security documentation, or to report a security concern:

  • Email: [email protected] (subject: “Security” or “Data Handling”)
  • Phone: 07746 501247
  • Address: Custom Iron On Patches Ltd, 10 Newhall Street, Birmingham, B3 3AG