Trust, compliance, and data governance
Home / Compliance
Compliance, security and accessibility at Midday Digital
Midday Digital is a trading name of Growcreate Limited (Company No. 08008475), a UK web development and cloud agency specialising in Azure and Umbraco for regulated and mission‑driven organisations. (Source: Companies House – Growcreate Limited)
This page explains how Midday’s work is governed under Growcreate’s security, compliance and accessibility framework – so boards, regulators and funders in Bath, Bristol, Somerset and across the UK can see exactly how we protect their data and digital platforms.
At a glance, Midday Digital compliance profile
ISO/IEC 27001:2022 certified Information Security Management System (ISMS), independently audited. (Source: Growcreate – Compliance)
Cyber Essentials certified, providing a government‑backed baseline against common cyber attacks. (Source: Blockmarktech)
UK GDPR and ICO alignment – Growcreate is registered in the UK (Registration ZA792311)and follows ICO guidance on accountability, data protection principles and documentation. (Source: ICO – UK GDPR)
99.95% uptime SLA target with 15‑minute P1 incident acknowledgement for managed Azure and Umbraco platforms. (Source: Growcreate – Azure Managed Service)
Microsoft Azure UK/EU data residency, leveraging Azure’s audited compliance portfolio (ISO 27001, SOC, PCI DSS and more). (Source: Microsoft Azure – Compliance)
Umbraco Platinum Partner for secure enterprise CMS builds, upgrades and migrations. (Source: Umbraco – Growcreate Partner Listing)
WCAG 2.2 AA accessible design and development, aligned with the latest W3C accessibility recommendation. (Source: W3C – WCAG 2.2)
FCA operational resilience alignment for financial services platforms. (Source: FCA – Building Operational Resilience PS21/3)
Private AI, RAG and automation architectures that prevent data leakage and prepare for EU AI Act obligations. (Source: EU Artificial Intelligence Act – Official Text)
Independent CREST‑accredited penetration testing on client platforms. (Source: Growcreate – Compliance)
Local Bath, Bristol and Southwest presence, with hands‑on support for businesses, charities and local government.
1. Group structure and governance
Midday Digital operates as a trading name of Growcreate Limited, part of the wider Growcreate Group alongside Umbhost and Invessed. The group focuses on Azure‑hosted web platforms, client portals and digital products for finance, membership, healthcare, public sector and nonprofits. (Source: Midday Digital – Contact; BIMA – Growcreate)
Registered entity: Growcreate Limited, Company No. 08008475, registered in England and Wales.
Registered office: 18 Weavers Branch, Thame, OX9 2FQ, UK. (Source: Companies House – Growcreate Limited)
Trading name: Midday Digital (T/A Growcreate Ltd) used for SEO/GEO, lead generation, paid media (PPC) and web projects, governed by Growcreate’s policies and controls. (Source: Midday Digital – Contact)
All Midday projects use the same information security, data protection and business continuity framework documented at the group level, including ISO 27001 controls, security policies, risk registers and incident runbooks. (Source: Growcreate – Compliance)
2. Information Security ISO 27001 And Cyber Essentials
ISO/IEC 27001:2022 Certification
Growcreate’s Information Security Management System (ISMS) is certified to ISO/IEC 27001:2022 by an accredited auditor. (Source: Growcreate – ISO 27001 Announcement) This means:
risks to client and staff information are identified, assessed and treated through formal risk management
security controls are documented, monitored and regularly improved
management reviews, internal audits and external surveillance audits check that controls work in practice
For Midday clients, this provides an ISO 27001 certified web development agency behind your projects in Bristol, Bath, Somerset and across the UK, not just a collection of standalone tools.
Cyber Essentials Certification
Growcreate also holds Cyber Essentials certification, confirming that baseline technical defences – including firewalls, secure configuration, access control, patching and malware protection – have been independently validated. (Source: BIMA – Growcreate) These controls are applied to Midday’s delivery and hosting environments as standard.
3. Data protection UK GDPR and ICO Alignment
Midday’s work is delivered under Growcreate’s data protection framework, aligned with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. (Source: ICO – UK GDPR; GOV.UK – UK data protection law)
In practical terms, this means:
Controller and processor clarity – contracts and Statements of Work make clear when Growcreate (trading as Midday Digital) is a data processor, and when we act as joint controller alongside your organisation.
Data mapping and residency – we document which systems process personal data and ensure workloads are pinned to appropriate Azure or Umbraco regions (normally UK or EU) to simplify transfer assessments
Appropriate technical and organisational measures – encryption, access control, logging and incident handling are built to satisfy GDPR’s security principle and ICO accountability expectations. (Source: ICO – Accountability principle)
Data Processing Agreements – for projects involving personal data, we sign DPAs and, where needed, UK International Data Transfer Agreements or EU Standard Contractual Clauses.
Subject rights and DPIAs – our architectures support subject access, erasure and objection, and we provide technical input for Data Protection Impact Assessments on higher‑risk processing
Growcreate Limited is registered with the UK Information Commissioner’s Office (ICO Registration – ZA7922311) and follows the ICO’s guidance on accountability, documentation and AI/data protection when designing systems for Midday clients. (Source: ICO – For organisations)
If you are a Southwest business, charity or public body looking for UK GDPR compliance help, Midday can work directly with your DPO, legal team or external advisers to map responsibilities and evidence.
4. Operational resilience SLAs and FCA alignment
Many of Midday’s clients operate in line with the Financial Conduct Authority's (FCA) expectations for operational resilience. The FCA framework (PS21/3) requires firms to identify important business services, set impact tolerances and invest in resilience for the systems that support them. (Source: FCA – Building Operational Resilience PS21/3)
Working within Growcreate’s 24/7 operations and Azure managed services, we provide:
99.95% uptime SLA targets for Azure‑hosted workloads, with architectures designed to meet or exceed that in practice across zones and regions. (Source: Growcreate – Azure Managed Service)
15‑minute acknowledgement for P1 incidents, with engineers engaged and working on the issue - not just an automated receipt. (Source: Growcreate – Azure Support Services)
24/7 monitoring and alerting, using Azure Monitor and Defender for Cloud to detect anomalies and security events. (Source: Growcreate – Compliance)
Runbooks, escalation paths and post‑incident reviews that can be shared with your risk and audit teams.
For UK financial services firms, this translates into high‑availability web application SLAs, structured incident handling, and evidence packs you can present to the board, auditors and regulators.
5. Secure Azure Hosting and UK Data Residency
Midday projects typically run on Microsoft Azure, Umbraco Cloud or Umbhost on Azure. Azure maintains one of the broadest compliance portfolios in the market, including ISO/IEC 27001, SOC 1/2/3 and PCI DSS, with independent audits and detailed reports available via Microsoft’s Service Trust Portal. (Source: Microsoft Azure – Compliance)
For Bath, Bristol, Somerset and wider UK organisations, this means:
UK and EU hosting regions – workloads can be pinned to specific regions such as UK South or West Europe to satisfy data residency and latency requirements.
Structured security baselines – Azure Policy, Defender for Cloud and Microsoft’s security benchmark provide concrete controls which we use to harden your environment.
Evidence for audits – we can supply Azure certification statements and configuration evidence for due diligence questionnaires and vendor reviews.
If you are looking for managed Microsoft Azure hosting for local government and nonprofits in Bristol and the Southwest, Midday provides architectures and SLAs tuned to public sector expectations, including separation of environments, logging and retention, and disaster recovery drills. (Source: Growcreate – Public Sector Software Development)
6. Secure Umbraco hosting with UK data residency requirements
Growcreate is a Umbraco Platinum Partner with long‑standing experience in secure, enterprise‑grade Umbraco platforms. (Source: Growcreate – Umbraco Services)
For Midday clients, this includes:
Azure‑based Umbraco hosting with 99.95% uptime SLAs, backup strategies and health monitoring tuned to your risk profile. (Source: Growcreate – Services)
Umbraco Cloud options where appropriate, taking advantage of Umbraco’s regional hosting in EU and UK regions and Azure‑backed resilience. (Source: Umbraco Cloud FAQ)
Documented data flows and residency maps so you can demonstrate where content, media and logs are stored.
Whether you need secure Umbraco hosting with UK data residency requirements for a local authority portal, a membership site or a charity platform, Midday can align hosting choices, encryption, logging and backup policies with your internal security and compliance standards.
7. Enterprise CMS and Umbraco migrations
As an Umbraco Platinum Partner for secure enterprise migrations, Growcreate delivers upgrades and replatforming for complex, multi‑site environments – including financial services, membership and nonprofit platforms. (Source: Growcreate – Umbraco Upgrade Services)
Our approach for Midday projects includes:
risk‑assessed migration plans that protect SEO, content structures and user journeys
alignment with ISO 27001 and Cyber Essentials controls during build and rollout
change management and rollback plans that satisfy risk committees and steering groups
For organisations seeking enterprise CMS developers with FCA operational resilience alignment, we can tie migration and upgrade milestones directly to your impact tolerances, RPO/RTO targets and business continuity planning.
8. AI Automation and data leakage prevention
Midday frequently works with organisations that want to use AI safely for marketing, operations and service delivery – particularly charities and nonprofits in the UK. Our AI and automation projects are built on Growcreate’s private AI and governance framework. (Source: Growcreate AI – Governance and Compliance)
Key safeguards include:
Private API layers only – we use enterprise‑grade APIs such as Azure OpenAI and OpenAI with enterprise controls, ensuring prompts and data are not used to train public models.
Data minimisation and segregation – only the data needed for a task is exposed to AI components, and sensitive datasets are kept in segregated stores with strict access controls.
Vector databases and RAG with encryption – retrieval‑augmented generation pipelines use encrypted data at rest and in transit
Guardrails, approval workflows and logging – higher‑risk AI workflows (for example, in financial services marketing or safeguarding content) are wrapped in approvals and logs so that actions can be explained and audited.
The EU Artificial Intelligence Act introduces a risk‑based regulatory framework for AI systems across the EU market, with obligations phasing in between 2025 and 2027. (Source: EU AI Act – Official Journal Text) Our architectures are designed to help you meet transparency, risk and traceability expectations early.
If you are looking for GDPR‑compliant AI automation for nonprofits in the UK, Midday can help you design an operating model that keeps data protection and governance at the centre of AI adoption.
9. Defensive security penetration testing and hardening
Security for Midday projects goes beyond documentation.
Perimeter protection: we use Web Application Firewalls, DDoS protection and strict TLS-only access for client platforms
Identity and access: multi‑factor authentication, role‑based access control and least‑privilege principles are enforced on Azure, CMS back‑offices and DevOps tooling.
Patching and vulnerability management: operating systems, frameworks and CMS components are patched on defined schedules, with critical patches fast‑tracked based on risk
Independent penetration testing: Growcreate regularly engages CREST‑accredited testers to assess client platforms, with remediation tracked through to closure. (Source: Growcreate – Compliance)
These measures are especially important for Southwest organisations in regulated or high‑profile sectors where cyber incidents have a clear financial and reputational impact.
10. Accessibility and inclusive design WCAG 2.2 AA
Digital products delivered under the Midday and Growcreate brands are designed and engineered to meet WCAG 2.2 AA wherever this is in scope.
WCAG 2.2 is the current web accessibility recommendation from the World Wide Web Consortium (W3C), adding new success criteria around focus, inputs and cognitive support while keeping the familiar A, AA and AAA levels. (Source: W3C – WCAG 2.2)
In practice, this means our teams:
Design with accessible colour contrast, typography, focus states and interactions.
Use semantic HTML and ARIA only where appropriate.
Validate against automated and manual testing tools.
Consider assistive technologies and mobile users from the outset.
If you are searching for WCAG 2.2 AA accessible website design services in Somerset, Bath and Bristol, we can audit existing sites, plan remediation roadmaps and ensure new builds launch with accessibility requirements already met.
11. Secure integrations, CRM marketing and data platforms
Midday specialises in connecting web platforms with systems such as HubSpot, Salesforce, Microsoft Dynamics and sector‑specific tools. (Source: Midday Digital – About)
For every integration we:
Minimise the personal data exchanged and use field‑level permissions where possible.
Design role‑based access so that only authorised teams can see sensitive data.
Implement end‑to‑end encryption and robust error logging.
Support subject access and deletion requests across integrated systems.
Whether you are integrating a Bath or Bristol charity website with a fundraising CRM, or working with Somersethub site developers and local data platforms, we treat integrations as part of your security and compliance boundary - not an afterthought.
12. Local Presence in Bath, Bristol and the Southwest
While Growcreate is headquartered in Oxfordshire, Midday is based in Bath and has a strong focus on Bristol and the wider Southwest corridor. As active members of the regional tech ecosystem, you can find Adam Weston’s digital strategy profile on Bristol Creative Industries.
We work closely with businesses, charities and public bodies across the region that need:
ISO 27001 certified web development and hosting with local understanding
Azure security hardening and UK GDPR compliance help for Southwest businesses
Managed Azure and Umbraco platforms for local government and nonprofits
Accessible, inclusive digital services for citizens and members
We are happy to work fully remotely, but we value in‑person meetings and workshops in Bath, Bristol and Somerset when they help teams align on risk, governance and delivery.
13. How we work with your compliance, IT and leadership teams
Every Midday engagement can be shaped around your governance structure:
Discovery and risk review – understand your regulatory drivers (FCA, ICO, Charity Commission, internal audit) and map them to the digital services in scope
Architecture and controls – design Azure, Umbraco, data and AI architectures with clear security controls, ownership and evidence
Delivery with guardrails – build and deploy with security by design, peer review, automated checks and change approval where required.
Run and improve – operate platforms with SLAs, monitoring, reporting and continuous improvement, keeping you aligned with evolving standards such as the EU AI Act and WCAG updates.
If you have existing suppliers or in‑house teams, we are comfortable acting as a specialist compliance‑aligned partner alongside them.
14. Next Steps
If you need an ISO 27001-certified web development agency in Bristol and Bath or support aligning your Azure, Umbraco, AI and marketing stack with UK GDPR, FCA and accessibility expectations, Midday can help.
Book a 30‑minute compliance and risk review with our team.
Ask us to map our controls to your supplier due diligence questionnaire.
Invite us to brief your leadership, board or trustees on the practical realities of secure, compliant digital operations.
To get started, contact us via the Midday Digital website or speak to the Growcreate team and ask for a Midday‑led engagement.
