Security, Compliance & Resilience
Leisure operators trust us with their members' data and their daily operations. That's a responsibility we take seriously and one we back with recognised standards, independent audits and continuous regulatory monitoring.
Technology regulation doesn't stand still.
Neither do we.
The regulatory environment for digital services is evolving, from the UK Cyber Security and Resilience Bill to AI governance and payment security standards. For leisure operators managing sensitive member data across multiple sites, knowing your technology partner is ahead of these changes matters.
Our platform is built with security, resilience and compliance at its core. We monitor legislative developments, assess their impact on our products and services, and adapt our controls so you can remain confident in your technology partner.
Trusted by more than 400 leisure operators, including local authorities, leisure trusts and universities, to manage millions of member interactions securely, every day.
Last reviewed: July 2026
Regulatory landscape
Regulations we're tracking
|
Regulation |
Gladstone Status |
|---|---|
| UK Cyber Security and Resilience Bill | Monitoring and assessing readiness |
| NIS Regulations 2018 | Compliant |
| UK GDPR and Data Protection Act 2018 | Compliant |
| PCI DSS 4.0.1 | Certified |
| EU AI Act | AI governance programme underway |
| WCAG 2.1 Accessibility | AA compliance targeted across consumer platform |
| Digital Markets, Competition and Consumers Act 2024 (DMCCA) | Subscription regime: monitoring (expected Spring 2027) |
|
Regulation |
Applies to | Gladstone Status |
|---|---|---|
| DMCCA (Subscription Contracts) | Our Customers | Platform updates planned for confirmed requirements |
We continually monitor regulatory developments, including the Digital Markets, Competition and Consumers Act.
What this means for our customers
We operate a structured approach to regulatory change:
Monitor
We track regulatory developments relevant to leisure technology and data services.
Assess
We evaluate any impact on our platform, infrastructure and customer data.
Act
We update our controls, configurations and processes where required.
Communicate
We inform customers of material changes through appropriate channels.
Evidence
Support
We respond directly to supplier security and procurement questionnaires.
Standards and certifications
| Standard / Control | Detail |
|---|---|
| ISO 27001:2022 | Information security management (externally audited annually) |
| ISO 9001:2015 | Quality management |
| Cyber Essentials Plus | UK Government-backed cyber security certification |
| PCI DSS 4.0.1 | Payment card data security |
| Penetration Testing | Continuous testing programme (beyond annual fixed schedule) |
| Business Continuity | Tested every six months with a 6 hour RTO and 6 minute RPO. |
|
Platform and Infrastructure: |
Frequently Asked Questions
The Digital Markets, Competition and Consumers Act 2024 introduces new rules for subscription contracts, expected to take effect from Spring 2027. This includes requirements around renewal reminders, cancellation processes, and pre-contract information. We are monitoring the secondary legislation and will update our platform to help operators meet these obligations as requirements are confirmed.
Yes. Where legislation affects how you manage memberships, payments, or communications, we assess the impact on our platform and plan updates so you can meet your obligations through the tools you already use.
Yes. Our team regularly supports procurement and assurance exercises. If you have received a request related to the Cyber Security and Resilience Bill or NIS Regulations, we can help.
Visit our Trust Centre. For access to detailed policies, architecture summaries and audit reports, you can request elevated access directly through the Trust Centre.
Within 24 hours of a confirmed incident affecting customer data, in line with our ISO 27001 incident management process. We are already aligned with the anticipated 24 hour initial notification and 72 hour follow up reporting framework outlined in the Cyber Security and Resilience Bill.
All customer data is hosted in Azure UK South (London), within UK data centres. Data is logically separated per customer, encrypted at rest and in transit, and backed up every 6 minutes.
We assess, monitor and contractually bind our critical third-party providers. Supply chain assurance is embedded within our ISO 27001 framework and reviewed as part of our ongoing risk management programme.
Yes. We monitor legislative developments and communicate material changes proactively. We communicate material changes proactively.
99.9% over a rolling 90-day period, publicly monitored via our status page.
Looking for technical detail?
Our Trust Centre contains security documentation, certifications, operational policies, penetration test summaries and service architecture information for customers and procurement teams.
Need to run a supplier assurance exercise?
We know procurement and IT security teams are increasingly asking suppliers about regulatory readiness. If you need a formal response, our team can support you directly.
