Official Document
Information Security Policy
How OurNurseryGrid protects the data entrusted to us by nurseries, parents and children.
1 Purpose & Scope
This policy defines the information security controls in place for all systems operated by OurGrid, trading as OurNurseryGrid, OurFamilyGrid, OurKitchenGrid, OurHealthGrid, OurTeamGrid, OurEventsGrid, OurTicketGrid, OurFinanceGrid and OurProjectGrid.
In scope: All services hosted on the OurGrid production VPS running Ubuntu 24.04 LTS. This includes all web applications, databases, mail services, and associated Node.js processes.
Out of scope: End-user devices (staff computers, phones). Third-party SaaS services — none currently in use; all services are self-hosted.
This policy is aligned with the NCSC Cyber Essentials framework (Montpellier v3.1) and UK GDPR requirements for processing children's personal data.
2 Roles & Responsibilities
| Role | Person | Responsibilities |
|---|---|---|
| Security Owner | Tim Jollie | Policy ownership, patch oversight, incident response, CE certification |
| System Administrator | Tim Jollie | Server access, firewall rules, user accounts, backups |
| Data Controller | Each nursery customer | GDPR obligations for their nursery's data |
| Data Processor | OurGrid | Processing children's data on behalf of nursery customers |
3 Asset Inventory
| Asset | Description | Criticality |
|---|---|---|
| Production VPS | Ubuntu 24.04 LTS | Critical |
| MySQL Database | All application data (localhost:3306) | Critical |
| PostgreSQL Database | TicketGrid, EventsGrid, ProjectGrid (localhost:5432) | Critical |
| Apache Web Server | Reverse proxy, SSL termination (443) | Critical |
| SSL Certificates | Let's Encrypt, auto-renewing | Critical |
| Mail Server | Postfix/Dovecot for OurGrid apps | High |
| Monarx Agent | Real-time malware scanning | High |
| Cloudflare R2 Backup | Daily encrypted offsite backup | High |
4 Firewall Policy
All internet-facing traffic is controlled by UFW (Uncomplicated Firewall) with a default-deny incoming policy. Only the following ports are permitted:
| Port | Service | Access | Justification |
|---|---|---|---|
| 22/tcp | SSH | All IPs | Remote server administration (key auth only) |
| 80/tcp | HTTP | All IPs | Redirected to HTTPS |
| 443/tcp | HTTPS | All IPs | All web applications |
| 25/465/587 | SMTP/S | All IPs | Mail server for OurGrid apps |
| 110/143/993/995 | IMAP/POP3 | All IPs | Email retrieval for OurGrid apps |
| 2222/tcp | SFTP | All IPs | Secure file transfer |
| 53 | DNS | All IPs | DNS resolution |
| 10000/tcp | Webmin | Admin subnet only | Server admin panel — IP-restricted |
| 20000/tcp | Usermin | Admin subnet only | Server admin panel — IP-restricted |
Disabled 12 May 2026: ProFTPD (plain FTP port 21) — stopped, disabled and removed from firewall. Replaced by SFTP over SSH.
5 Secure Configuration
5.1 SSH Hardening
PermitRootLogin no
PasswordAuthentication no
AuthenticationMethods publickey
PasswordAuthentication no
AuthenticationMethods publickey
Root SSH login is disabled. Password authentication is disabled. The only accepted authentication method is a passphrase-protected RSA public key — providing two-factor access (something you have + something you know).
5.2 HTTP Security Headers
All HTTPS responses include the following security headers:
| Header | Value |
|---|---|
Strict-Transport-Security | max-age=31536000; includeSubDomains; preload |
Content-Security-Policy | default-src 'self'; frame-ancestors 'none'; form-action 'self' |
X-Frame-Options | DENY |
X-Content-Type-Options | nosniff |
Referrer-Policy | strict-origin-when-cross-origin |
Permissions-Policy | geolocation=(), microphone=(), camera=(), payment=() |
5.3 Application Security
- SQL injection: All database queries use parameterised prepared statements — user input is never interpolated into SQL strings
- XSS: EJS templating auto-escapes all output by default; Content Security Policy provides defence-in-depth
- CSRF: Session-bound tokens validated on all state-changing requests;
SameSite=Laxcookies provide additional protection - File uploads: MIME type and file extension whitelist (JPEG/PNG/GIF/WebP only); maximum 5MB
- Rate limiting: 10 login attempts per 15 minutes per IP address; 120 requests/minute global cap
- Session cookies:
HttpOnly,Secure,SameSite=Lax— never accessible via JavaScript - Multi-tenant isolation: Every database query is scoped by nursery ID — architecturally impossible for one nursery to access another's data
6 Access Control
6.1 Server Access
- One named administrator account — no shared server logins
- Authentication: RSA 2048 private key with passphrase (two factors)
- Root direct login disabled; privilege escalation via
sudoonly
6.2 Application — Staff
- Individual accounts per staff member — no shared logins
- 14 defined roles with least-privilege access enforced server-side
- Admin-only functions (settings, staff management) are restricted in code, not just hidden in the UI
- Account lockout: 5 failed login attempts triggers a 15-minute lockout
- Password policy: Minimum 10 characters, hashed with bcrypt (cost factor 12)
- When staff leave: account deactivated immediately — deactivated accounts cannot log in
6.3 Application — Parents
- Individual parent accounts with explicit portal access flag
- Same lockout policy as staff (5 attempts, 15 minutes)
- Parent access strictly limited to their own children's data
7 Malware Protection
Monarx Agent v4.3.22 — Real-time webshell and malware scanning, enabled on boot, auto-updating.
Monarx Protect v5.2.24 — PHP runtime extension for active file protection.
Monarx Protect v5.2.24 — PHP runtime extension for active file protection.
- Scan scope: all application directories and web roots — covers all web application code
- Real-time detection: files are scanned on write, not just on schedule
- Detections are flagged immediately for manual review and deletion
- Monarx definitions updated automatically
8 Patch Management
8.1 Operating System
- Automatic:
unattended-upgradesapplies security patches daily fromubuntu-security - Target: Security patches applied within 14 days of release (typically same-day via automation)
- Last full manual patch: 12 May 2026 — all packages current
- OS: Ubuntu 24.04 LTS — supported until April 2029
8.2 Application Dependencies
| Task | Frequency |
|---|---|
| npm audit — check for known CVEs | Monthly |
| npm update — apply non-breaking updates | Monthly |
| Major version upgrades assessed | Quarterly |
Planned: Upgrade from Node.js 20 (maintenance) to Node.js 22 LTS by Q4 2026.
9 Data Protection & UK GDPR
9.1 Data categories processed
- Children's personal data (name, DOB, medical conditions, allergies, SEND needs)
- Parent/guardian personal data (name, email, phone)
- Staff personal data (name, email, DBS numbers, qualifications)
- Attendance, diary, incident and billing records
9.2 Lawful basis
- Processing under UK GDPR Article 6(1)(b) — contract performance and Article 6(1)(c) — legal obligation (Ofsted/EYFS requirements)
- Special category data (health/medical) under Article 9(2)(a) — explicit parental consent
- OurGrid acts as data processor; each nursery is the data controller
9.3 Technical measures
- At rest: AES-256 server disk encryption
- In transit: TLS 1.3, enforced via HSTS (1-year max-age with preload)
- Location: UK-hosted server — no transfers outside UK or EEA
- Sessions: Server-side only — no sensitive data stored in client cookies
9.4 Data retention & deletion
- Active child records retained for the duration of the nursery's subscription
- On account closure: data retained for 30 days then permanently deleted
- Earlier deletion available on request
9.5 Data Processing Agreement
A DPA is available on request and provided as standard to all Nursery, Professional and Enterprise plan customers. Contact hello@ournurserygrid.com to request a copy.
10 Incident Response
A security incident is defined as: unauthorised access, malware detection, data breach (actual or suspected), credential compromise, or denial of service.
| Step | Action | Timeframe |
|---|---|---|
| 1. Detect | Monarx alert, log review, or user report | Immediate |
| 2. Contain | Block IP, disable affected account, take snapshot | Within 1 hour |
| 3. Assess | Determine scope — what data, how, how long | Within 4 hours |
| 4. Notify ICO | Personal data breach: notify ICO (UK GDPR Article 33) | Within 72 hours |
| 5. Notify customers | Inform affected nurseries if their data involved | Within 72 hours |
| 6. Eradicate | Remove malware, patch vulnerability, rotate credentials | Within 24 hours of containment |
| 7. Recover | Restore from backup if needed, verify integrity | As required |
| 8. Review | Post-incident report, update policy if needed | Within 7 days |
Report security incidents to security@ournurserygrid.com
ICO breach reporting: ico.org.uk/report-a-breach
ICO breach reporting: ico.org.uk/report-a-breach
11 Backup Policy
Automated daily backup runs at 02:00 BST to Cloudflare R2 (geographically separate from VPS host).
| Item | Frequency | Retention | Location |
|---|---|---|---|
| All MySQL databases | Daily 02:00 | 7 days | Cloudflare R2 |
| All PostgreSQL databases | Daily 02:00 | 7 days | Cloudflare R2 |
| All application files | Daily 02:00 | 7 days | Cloudflare R2 |
| Server config (Apache, cron, PM2) | Daily 02:00 | 7 days | Cloudflare R2 |
| Local backup copy | Daily 02:00 | 7 days | Local backup directory on VPS |
| SSL certificates | Auto-renewed by certbot | Continuous | Server certificate store |
Last successful backup: 12 May 2026 02:00 — 303MB — Cloudflare R2
12 Review & Audit Schedule
| Activity | Frequency |
|---|---|
| Full policy review | Annually (next: May 2027) |
| Firewall rule review | Annually or on change |
| User account audit | Monthly |
| npm dependency audit | Monthly |
| Penetration test | Annually (first: Q3 2026) |
| Cyber Essentials renewal | Annually |