This page summarises how CritiCall Ops protects data for pilot and production customers.
It is intended for security reviewers, procurement, and control-room managers — not as a
substitute for your own legal advice or a signed data processing agreement where one is required.
1. What we host
| Service | Location | Data |
| Marketing website (criticallops.co.uk) | UK/EU web hosting | Contact enquiries, essential cookies |
| Business email (contact@) | UK/EU | Enquiry correspondence |
| CAD / MDT platform (respond.criticallops.co.uk) | United Kingdom (dedicated VPS) | Operational data, accounts, audit logs, database |
Our infrastructure uses professionally operated UK and European data centres with physical
security (24/7 staffing, CCTV, access controls), uninterruptible power, and generator backup
for continuity during outages.
2. Platform security (CritiCall Ops)
- Multi-tenant isolation — each customer organisation's data is separated at the application and database layer.
- Role-based access control — dispatch, admin, and field roles see only what their permissions allow.
- Session security — authenticated sessions for CAD and MDT; essential cookies and storage for login state.
- Audit logging — material actions on incidents, resources, and configuration are recorded for accountability.
- Least-privilege operations — production access is limited to personnel who need it for support and incident response.
- Secure maintenance — dependency and operating-system security updates applied on a regular cadence.
3. Encryption
In transit
All public access to the marketing site and the CAD/MDT platform uses TLS (HTTPS)
with current SSL/TLS certificates. Unencrypted HTTP is not used for customer-facing services.
At rest
Platform data is stored on encrypted-capable infrastructure in the United Kingdom. Automated
backups are stored off-site separately from the live server, with
encrypted backup options aligned to UK GDPR good practice.
User passwords are stored using industry-standard one-way hashing — never in plain text.
4. Backups & availability
- Daily automated backups of the platform database and critical configuration, with multiple restore points retained.
- Off-site backup storage in a separate European location from the live UK server, so a single-site failure does not destroy both live data and backups.
- Self-service restore capability for disaster recovery within our hosting environment.
- High-availability hosting on Tier-3+ UK infrastructure with redundant power and network paths where our providers support it.
- Customer responsibility: you should still export operational data you rely on for compliance or continuity. Infrastructure backups are provided on a best-effort basis. See our Terms on data and backups.
5. Network & infrastructure hardening
- DDoS protection on UK-facing network paths to reduce volumetric attack impact.
- Only required ports exposed publicly (typically HTTPS); administrative access restricted.
- Database not exposed to the public internet; application connects over local binding.
- Malware scanning and automatic security updates on the public website hosting tier.
- Geo-redundant options for the marketing site to maintain availability during datacentre incidents.
- Fast storage (NVMe) on the application server for consistent operational performance.
6. Legal & regulatory alignment (UK)
We design for UK business customers operating control rooms and field teams.
- UK GDPR and the Data Protection Act 2018 — we act as controller for website enquiries and our own billing contact data; as processor for operational data your organisation enters into the platform.
- Data Processing Agreement — available for pilot and commercial customers who need processor terms documented (see onboarding pack).
- Subprocessors — hosting, email, and optional tooling providers are documented for customers who require it; material changes communicated where contract requires.
- Data subject rights — access, rectification, erasure, restriction, objection, and portability as described in our Privacy Policy. Platform users should also contact their organisation as controller for operational data.
- Right to erasure — on termination, customer data and associated backups are deleted within agreed timeframes, subject to legal retention requirements.
- Breach notification — we will notify affected customers without undue delay when we become aware of a personal data breach affecting processor data, consistent with UK GDPR Article 33 and customer agreements.
Your organisation remains the controller for operational data you enter into the platform.
You are responsible for lawful basis, retention schedules, staff training, and any sector-specific rules
(e.g. health, safeguarding, or licensing) that apply to your deployment.
7. Martyn's Law & event security operations
Martyn's Law is the common name for the
Terrorism (Protection of Premises) Act 2025 — legislation
introduced in memory of Martyn Hett, one of the victims of the Manchester Arena attack in 2017.
It requires those responsible for certain public premises and events to take steps that reduce
vulnerability to terrorism and the risk of physical harm if an attack occurs.
The Act received Royal Assent on 3 April 2025. The Home Office expects
an implementation period of at least 24 months before substantive requirements
are legally enforceable; statutory guidance was published in 2026 to help organisations prepare.
The Security Industry Authority (SIA) will regulate compliance once the Act is
fully commenced. This summary is for operational context only — not legal advice.
Who it applies to
The Act uses a tiered model based on how premises and events are used and how many people may
reasonably be present at the same time (including staff):
- Qualifying premises — generally where 200 or more individuals may reasonably be expected from time to time for uses listed in the Act (entertainment, retail, hospitality, sports, transport hubs, and similar public-facing uses).
- Standard tier — 200 to 799 individuals at the same time, from time to time. Responsible persons must have appropriate public protection procedures in place, so far as is reasonably practicable.
- Enhanced tier — 800 or more individuals. In addition to public protection procedures, responsible persons must have appropriate public protection measures (for example monitoring, movement control, and physical security considerations) and prepare compliance documentation. Some premises (such as places of worship and most education settings) remain standard tier even above 800 people.
- Qualifying events — temporary events at locations not already covered as enhanced-tier premises, subject to similar enhanced-tier requirements when thresholds are met.
What responsible persons must consider
Across standard and enhanced tiers, the Act focuses on preparedness rather than predicting where
an attack might occur. Key expectations include:
- Public protection procedures — plans staff can follow if they suspect terrorism is occurring or about to occur: evacuation, invacuation, lockdown, and communication.
- Proportionality — what is “reasonably practicable” depends on the nature, layout, and staffing of each premises or event.
- Training and rehearsal — staff understanding their roles; procedures tested and kept under review.
- Coordination — co-operation between responsible persons, tenants, contractors, and neighbouring premises where control is shared (for example shopping centres, festival sites, or multi-venue complexes).
- Record-keeping — enhanced tier premises and qualifying events must document compliance; standard tier organisations are encouraged to document procedures to demonstrate readiness to the SIA.
- Enhanced-tier measures — additional steps to reduce vulnerability and harm, such as monitoring and information security, where reasonably practicable.
Official guidance: Terrorism (Protection of Premises) Act 2025 — GOV.UK.
How CritiCall Ops can support your operations
CritiCall Ops is operational command software for control rooms, event security,
and field teams — not a venue operator, physical security installer, or legal compliance
consultant. We do not certify your Martyn's Law compliance and we do
not replace physical protective measures, risk assessments, or statutory
documentation that remain your responsibility.
Where your public protection procedures rely on coordinated incident response, our platform can
help teams execute and evidence the operational aspects of those plans:
- Incident logging and timeline — structured record of what was reported, when actions were taken, and who was involved — supporting post-incident review and audit.
- Resource assignment and tracking — deploy security, medical, and supervisory staff to posts or zones; see who is where during an evolving situation.
- Unified messaging — broadcast instructions to field teams and log acknowledgements when communication procedures are activated.
- Operations map and wallboard — shared situational awareness for control room and supervisory staff during peak load.
- Audit trail — material changes to incidents, resources, and configuration are logged for accountability.
- Forms and documents — attach run sheets, contact lists, and site plans your team already uses (your content; your compliance ownership).
- Resilience on poor connectivity — field teams can queue updates when masts are overloaded, then sync when signal returns — relevant at festivals and crowded venues.
Important: Martyn's Law compliance is determined by your organisation as
the responsible person for the premises or event, with reference to the Act and statutory guidance.
CritiCall Ops provides software tooling only. You remain responsible for public protection procedures
and measures, staff training, liaison with emergency services, physical security, and any inspection
by the SIA. Discuss your deployment during pilot onboarding if procurement needs a written summary
of how the platform fits your operational plans.
8. What we do not claim
CritiCall Ops is operational command software for events, retail, transport, security, and medical
standby — not a certified medical device or emergency-services dispatch system of record unless
you explicitly qualify it as such in your own governance.
We do not hold ISO 27001 certification in our own company name. Our hosting uses facilities
operated to recognised security standards; we layer application controls on top. Customers with NHS,
PCI, or sector-specific schemes should raise requirements during pilot onboarding so we can confirm fit or gaps.
9. Questions & incident contact
Security or data protection questions: contact@criticallops.co.uk (subject line: Security enquiry).
Related pages: Privacy Policy · Terms and Conditions · FAQ (data, security & Martyn's Law)