Last updated: March 2026 • Reviewed by Compare The Networks
At Compare The Networks, protecting your data is a core part of how we operate. We maintain an internal cyber security standard aligned with the NCSC Cyber Essentials framework — covering the five key technical controls that defend against the most common cyber threats.
This page explains exactly what we do to keep your information safe, and how our security practices are reviewed and maintained.
Our Five Security Controls
Our internal standard covers the same five controls recommended by the NCSC for all UK organisations. Each control is reviewed quarterly by our team.
1. Firewalls & Internet Gateways
Every device and system at CTN is protected by properly configured firewalls.
- Cloudflare WAF protects all web traffic
- Host-based firewalls enabled on every staff device
- Default router/firewall passwords changed on all equipment
- Only necessary network services are exposed
- Inbound rules reviewed monthly
2. Secure Configuration
All systems are hardened and unnecessary features are removed or disabled.
- Default accounts and passwords changed on all systems
- Unnecessary software and services removed
- Auto-run and autoplay disabled across all devices
- Minimum 12-character passwords with MFA enforced
- Screen lock after 5 minutes of inactivity
3. User Access Control
Staff only have access to the systems and data they need for their role.
- Principle of least privilege applied to all accounts
- Admin accounts used only for admin tasks
- Multi-factor authentication (MFA) on all accounts
- Access removed immediately when someone leaves
- Quarterly access reviews conducted
4. Malware Protection
Active protection against malware, ransomware and phishing on all devices.
- Anti-malware software installed and auto-updating on all devices
- Email filtering with anti-phishing protection
- Staff prohibited from installing unapproved software
- Regular security awareness training for all team members
- USB and removable media restricted
5. Patch Management
All software and operating systems are kept up to date with the latest security patches.
- OS security patches applied within 14 days of release
- Application updates applied within 14 days
- No end-of-life or unsupported software in use
- Automatic updates enabled where available
- Monthly audit of all software versions
How We Protect Your Data
Data in Transit
All data transmitted between your browser and our systems is encrypted using TLS 1.3 (the latest version of the TLS protocol). Our entire website and all APIs enforce HTTPS with no exceptions. We use Cloudflare for edge security, DDoS protection and web application firewall (WAF) rules.
Data at Rest
Customer data stored in our systems is encrypted at rest using AES-256. Database backups are encrypted and stored securely. We only retain personal data for as long as necessary to provide our services, in accordance with our privacy policy and GDPR requirements.
Third-Party Services
We carefully vet all third-party services and tools we use. Our infrastructure runs on Cloudflare (edge computing and security), Supabase (database with row-level security), and other enterprise-grade platforms. Each provider maintains their own rigorous security certifications including SOC 2 and ISO 27001.
Your Data, Your Rights
Under GDPR and UK data protection law, you have the right to access, correct, delete or port your personal data at any time.
Our Security Review Process
Quarterly Self-Assessment
Every quarter, we review all five security controls against NCSC Cyber Essentials guidelines. Any gaps are documented and remediated within 30 days.
Monthly Patch Audit
A monthly check ensures all operating systems, applications, and plugins are up to date and no end-of-life software is in use across any device.
Continuous Monitoring
Cloudflare WAF, bot management and DDoS protection run 24/7 on all our web properties. Suspicious activity triggers automatic alerts.
Staff Training
All team members complete cyber security awareness training, covering phishing recognition, password hygiene, data handling and incident reporting.
Annual Policy Review
Our security policies, data processing agreements, and incident response plan are reviewed and updated annually to reflect changes in threats and regulations.
Incident Response
In the unlikely event of a security incident, we follow a documented incident response plan:
- Identify — Detect and classify the incident
- Contain — Isolate affected systems to prevent spread
- Eradicate — Remove the threat and patch the vulnerability
- Recover — Restore systems and verify integrity
- Notify — Inform the ICO within 72 hours if personal data is affected (as required by GDPR), and notify affected customers
- Review — Conduct a post-incident review and update our controls
What is the CTN Cyber Security Standard?
It is our internal security framework aligned with the NCSC Cyber Essentials guidelines. We assess ourselves against the same five technical controls — firewalls, secure configuration, access control, malware protection and patch management — and maintain continuous compliance. This is an internal standard, not an externally accredited certification.
Is Compare The Networks GDPR compliant?
Yes. We are registered with the ICO (reference ZA235766), maintain a lawful basis for all personal data processing, honour data subject rights, and conduct regular data protection impact assessments. Full details are in our privacy policy.
How is my data protected when I request a quote?
Your quote request is transmitted over a TLS 1.3 encrypted connection, stored in an encrypted database with role-based access controls, and only shared with the network provider you choose. We never sell your data to third parties.
Who can I contact about data protection?
For any data protection queries, security concerns, or to exercise your GDPR rights, contact us or email us directly. We aim to respond to all data protection requests within 48 hours.
Do you plan to get official Cyber Essentials certification?
We are committed to continually improving our security posture and are evaluating official NCSC Cyber Essentials certification as part of our ongoing security roadmap.