afternoon

For transparency with our customers and partners we’ve documented and are sharing how we protect, manage, and responsibly use data. It includes information about our security practices, compliance commitments, privacy policies and responsible AI governance.

How to get in touch

Email support@afternoon.co.uk

Security & infrastructure

The Afternoon platform is hosted on AWS with enterprise-grade security, automated scaling, and high availability.
Frontend: Amazon CloudFront + S3; API Layer: AWS Fargate.
Backend: AWS Lambda, SQS, Step Functions.
All data is encrypted while it moves between systems, using the same security standard used by major banks (TLS 1.2+)
Role-based access controls (RBAC), ensures only authorised staff can access specific systems, with all administrative actions logged and subject to audit.
Monitoring via AWS CloudWatch, New Relic, Sentry, and Mixpanel.

Compliance & certifications

Information Security Management – aligned to ISO 27001:2022, which underpins FCA operational resilience approach.
Privacy Information Management -aligned to ISO 27701, which operationalises UK GDPR and ICO expectations.
AI Management System – aligned to ISO/IEC 42001:2023.
Leveraging AWS compliance framework including SOC 2, GDPR, and FCA-relevant controls.

Insurances

Comprehensive cover in place.

Type	Coverage scope	Notes
Professional indemnity	£500,000, in line with contract values	FCA required
Directors & officers (D&O)	Covers claims for errors in services	Governance & compliance
Key man insurance	Cover of loss of executive director(s)	Business continuity

IT security policy

This is a summary of our IT security policy and is available to share, if required.

Purpose: defines IT security principles ensuring confidentiality, integrity, and availability of data.
Scope: applies to all staff and contractors; covers cloud infra, AI tools, apps, APIs.
Principles: data minimisation, least privilege, defense-in-depth, secure by design, regulatory compliance.
Technical controls: TLS 1.3, AES-256, RBAC, MFA, firewalls, segmentation, MDM, vulnerability scanning.
AI governance: model transparency, bias monitoring, audit trails, human oversight
Vendor risk: data processing agreements required; regular reviews and due diligence.

Privacy & data handling

Privacy-first commitment:

Data used solely for delivering and improving services.
UK-based data residency (AWS London – eu-west-2).
Data retention and secure deletion policies in place.
Comply with UK GDPR requirements.

UK GDPR & data protection

Afternoon complies with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 and is registered with the UK Information Commissioners’s Office (ICO). All processing of adviser and client personal data by Afternoon is in compliance with these regulations.

Our Privacy Information Management framework, aligned to ISO 27701, operationalises GDPR requirements including:

Privacy by design and default in all systems and processes
Clear legal bases for processing
Data subject rights (access, rectification, erasure, portability, objection)
Defined retention and secure deletion policies
Breach reporting procedures that ensure ICO notification within 72 hours if required

This ensures that adviser and client data is processed lawfully, transparently, and securely, in line with client expectations and FCA requirements

Customer data breach procedure

This is a summary and the procedure documentation is available to share if required.

Detection: breaches detected via systems, staff reports, or third parties – log in Trello.
Containment: isolate systems, revoke access, preserve evidence.
Investigation: root cause analysis, impact assessment, evidence preservation.
Notification: notify ICO within 72 hours if risk to individuals’ rights; inform customers if high risk.
Remediation: address vulnerabilities, retrain staff, conduct post-breach audit.
Recordkeeping: update Data Breach Register; retain records for 6 years.

Customer data rights

This is a summary and our ‘customer data rights’ is available to share, if required.

Rights: access, rectification, erasure, restrict processing, portability, object.
Access requests: submit via dedicated email; verify identity; respond in 30 days.
Right to erasure: assess eligibility; delete/anonymise data from all systems and third parties.
Documentation: maintain a secure register of requests for 3 years.
Compliance: aligned and compliant with UK GDPR; provide reasons for denied requests and inform customers of ICO rights.

AI governance & responsible use

We are aligned to ISO/IEC 42001, the new international standard for responsible AI management. Afternoon principles include ensuring AI is ethical, explainable, and compliant. Our AI management policy is available to share, if required.

Aligned with ISO/IEC 42001:2023 for ethical and transparent AI use.
AI models run in secure, sandboxed environments.
Data anonymisation wherever possible.
Regular risk assessments and bias testing.
Compliance with emerging regulations including EU AI Act

Reliability and business continuity

99.9% uptime target with redundancy via AWS multi-AZ deployments.
Daily backups with tested restore processes (RTO < 4 hours).
Business continuity reviewed every 6 months.
Disaster recovery procedures regularly tested.

Incident response plan

This is a summary and the procedure documentation is available to share, if required.

Purpose: structured approach for detecting, responding to and recovering from cybersecurity and operational incidents.
Scope: covers all Afternoon’s systems, devices, third-party integrations, and PII. Incident classification: low, medium, high – with defined response times and SLAs.
Response lifecycle: preparation, identification, containment, eradication, recovery, lessons learned.
Communication: notify ICO within 72 hours for reportable breaches; proactive client communication.
Review: quarterly and post-major incident; tabletop tests every 6 months, penetration tests annually.

Protecting your interests – full