Keeping Ahead of Regulations

Security, Compliance & Resilience

Leisure operators trust us with their members' data and their daily operations. That's a responsibility we take seriously and one we back with recognised standards, independent audits and continuous regulatory monitoring.

Technology regulation doesn't stand still.
Neither do we.

The regulatory environment for digital services is evolving, from the UK Cyber Security and Resilience Bill to AI governance and payment security standards. For leisure operators managing sensitive member data across multiple sites, knowing your technology partner is ahead of these changes matters.

Our platform is built with security, resilience and compliance at its core. We monitor legislative developments, assess their impact on our products and services, and adapt our controls so you can remain confident in your technology partner.

Trusted by more than 400 leisure operators, including local authorities, leisure trusts and universities, to manage millions of member interactions securely, every day.

Visit our Trust Centre →

Last reviewed: July 2026

Regulatory landscape

Regulations we're tracking

  Regulation

  Gladstone Status
 UK Cyber Security and Resilience Bill   Monitoring and assessing readiness
 NIS Regulations 2018   Compliant 
UK GDPR and Data Protection Act 2018   Compliant
PCI DSS 4.0.1  Certified
 EU AI Act   AI governance programme underway
 WCAG 2.1 Accessibility   AA compliance targeted across consumer platform
Digital Markets, Competition and Consumers Act 2024 (DMCCA)   Subscription regime: monitoring (expected Spring 2027) 

 

  Regulation

Applies to   Gladstone Status
  DMCCA (Subscription Contracts)  Our Customers    Platform updates planned for confirmed requirements 

 

We continually monitor regulatory developments, including the Digital Markets, Competition and Consumers Act. 

What this means for our customers

We operate a structured approach to regulatory change:

Standards and certifications

 

 Standard / Control  Detail
 ISO 27001:2022  Information security management (externally audited annually)
 ISO 9001:2015  Quality management
 Cyber Essentials Plus  UK Government-backed cyber security certification
 PCI DSS 4.0.1  Payment card data security
 Penetration Testing  Continuous testing programme (beyond annual fixed schedule)
 Business Continuity Tested every six months with a 6 hour RTO and 6 minute RPO.

 

Platform and Infrastructure:
Hosted on Microsoft Azure UK South. Data encrypted at rest and in transit. 99.9% uptime SLA. Three availability zones for resilience. We provide a publicly accessible Service Status page so customers can view the current status of our cloud services, planned maintenance and incident updates.

Frequently Asked Questions

How does the DMCCA affect leisure memberships?

The Digital Markets, Competition and Consumers Act 2024 introduces new rules for subscription contracts, expected to take effect from Spring 2027. This includes requirements around renewal reminders, cancellation processes, and pre-contract information. We are monitoring the secondary legislation and will update our platform to help operators meet these obligations as requirements are confirmed. 

Does Gladstone help us meet our own regulatory obligations?

Yes. Where legislation affects how you manage memberships, payments, or communications, we assess the impact on our platform and plan updates so you can meet your obligations through the tools you already use.

Can Gladstone complete supplier assurance questionnaires?

Yes. Our team regularly supports procurement and assurance exercises. If you have received a request related to the Cyber Security and Resilience Bill or NIS Regulations, we can help.

Where can I find your certifications and security documentation?

Visit our Trust Centre. For access to detailed policies, architecture summaries and audit reports, you can request elevated access directly through the Trust Centre.

How quickly will Gladstone notify us of a security incident?

Within 24 hours of a confirmed incident affecting customer data, in line with our ISO 27001 incident management process. We are already aligned with the anticipated 24 hour initial notification and 72 hour follow up reporting framework outlined in the Cyber Security and Resilience Bill.

Where is our data stored?

All customer data is hosted in Azure UK South (London), within UK data centres. Data is logically separated per customer, encrypted at rest and in transit, and backed up every 6 minutes.

How does Gladstone manage its own supply chain?

We assess, monitor and contractually bind our critical third-party providers. Supply chain assurance is embedded within our ISO 27001 framework and reviewed as part of our ongoing risk management programme.

Will Gladstone tell us if regulations affect our service?

Yes. We monitor legislative developments and communicate material changes proactively. We communicate material changes proactively.

What is your uptime commitment?

99.9% over a rolling 90-day period, publicly monitored via our status page.

Back to top

Looking for technical detail?

Our Trust Centre contains security documentation, certifications, operational policies, penetration test summaries and service architecture information for customers and procurement teams.

Visit our Trust Centre →

Rest Assured

Need to run a supplier assurance exercise?

We know procurement and IT security teams are increasingly asking suppliers about regulatory readiness. If you need a formal response, our team can support you directly.

Contact our compliance team