Service Policy Statement

Last updated: January 10, 2024

PromoNow™ offers a secure single place of record for all aspects of promotional related activity. Campaigns are initiated, customized, monitored, fulfilled and evaluated all within the PromoNow™ enterprise cloud eco-system. Consumer data is securely segregated, need-to-know restricted and fully auditable for GDPR. Datacentres are ISO27001 / SOC2 certified, PCI-compliant with enterprise and government grade security capability. Firewall protection and web application firewall as standard. Threat monitoring and vulnerability scanning with real-person experts to keep your data safe. Super-fast top tier hosting network guarantees 99.95% uptime backed by a 24/7/365 support level agreement.

Collaborate and serve in real-time.

Roles and privileges are defined, assigned and secured to each specific group, whether client side, agency or fulfilment partner, facilitating privacy by design whilst letting users focus on straightforward dashboard views and task actions in real-time. Campaign Managers configure promotions transparently for Campaign Clients who assess and chart performance on demand. Step-by-step screens guide Fulfilment & Handling Users to efficiently validate, dispatch, query, reject and communicate through case-by-case or by-select-group functions, increasing service standards and efficiency.

Dedicated cluster team

Each PromoNow™ instance is supported by a tri-team: a named Technical Director, a named Client Director and a named Service Delivery Manager. Personnel are HR Security Standard Policy vetted. All staff complete security awareness training and hold certificates in Information Security Awareness - ISO 27001:2013 (updated March 2020). Data centre staff are DBS checked. Comprehensive access logs are readily auditable. 24/7/365 Duty Manager Support comes as standard.

GDPR privacy by design

The seven key principles of GDPR are fundamental to PromoNow™:

  • Lawfulness, fairness, transparency – privacy policy content, opt-in auditing.
  • Purpose limitation – defined at setup, links privacy policy version to each PII record.
  • Data minimisation – cross-check mechanic vs fields, (eg no postal = no address needed). Utilises IDs in data transfer.
  • Accuracy – updateable consumer records via rectification.
  • Storage limitation – retention defined at setup, defaults as latest date +6 months to data-purge, right of erasure.
  • Integrity & confidentiality – ‘need to know’ settings restrict PII data views, secure logins, database records zoned and protected to each campaign, SQL injection defences, captcha barriers, cross-site scripting protection, anti-abuse widget, tokenized unique user identifiers, multiple entry controls, IP whitelisted access restrictions, HTTPS SHA-256 TLS (Transport Layer Security). Encryption at rest of PII data. Web application firewall.
  • Accountability – Auditable record of compliance, named DPO.
Special Category Data / Client Scoped Privacy Data Policy:
Sorry, we do not work on projects requiring the capture of special category personally identifiable information such as health, race, religion, sexual orientation, criminal records and trade union membership.

FMIT pioneers

Fast moving information technology (FMIT) practices are brand reputation critical, and an essential component of successful promotional campaigns. Change requests, from copy to mechanic configuration, are tasked, actioned and completed with auditable dashboard ticketing. Continual end-to-end testing techniques throughout the development stage ensure defects are resolved early and in a timely manner. Development-side tools test browser compatibility and the UX (user experience) for device and screen resolution variants; all deployments are responsive as standard on PromoNow™.

PromoNow™ is hosted at leading cloud data centers (Microsoft Azure, AWS, ANS, Google Cloud), with 99.95% uptime with Redundancy N+1 - including UPS and standby diesel generators to make sure your service is always online. Purpose built environments protect PromoNow™ users to exceptional levels of both physical and virtual security at all times. PCI Compliance - commitment to safe and secure card payments and to protect you from credit card fraud, hacking. Regularly tested and constantly monitored, and to maintain a strong information security policy to protect your data.

100% Carbon Neutral Hosting Infrastructure – PromoNow™ believes in taking responsibility for our environmental impact. PAS 2060 – as a power-hungry industry.

24/7 Automated Threat Monitoring – monitoring and defending against network threats.

24/7 Dedicated Linux Support – Real person monitoring and defending against network threats.

24/7 Managed Server – Systematic and immediate patching and application updates.

Service Level Agreement (SLA) for PromoNow's Cloud Infrastructure Services

24 Hour Emergency Telephone Support

We guarantee that our level-three qualified technical support team is available 24/7/365 for emergency telephone support. Whatever the time of day, we are at the end of the phone to help resolve any issues. Out of hours Duty Director on 07976 835173.


PromoNow is committed to providing a reliable and robust cloud infrastructure service backed by Microsoft Azure, ensuring exceptional uptime and responsiveness for our clients. Our Service Level Agreement (SLA) reflects our dedication to maintaining the highest standards of service and support.

Service Availability:

PromoNow's cloud infrastructure guarantees a 99.95% uptime SLA, leveraging Microsoft Azure's robust technology and uptime guarantee.

  • Our infrastructure operates across three synchronised availability zones, eliminating any single points of failure.
  • Clients benefit from 24/7/365 support, ensuring immediate assistance when needed.

Operational Recovery:

In the unlikely event of manual engineer support being required, PromoNow pledges to initiate operational recovery within the following timeframes:

  • Consumer-facing business-critical applications (websites, databases, servers): 6 hours.
  • Non-consumer-facing applications (e.g., business information reporting tools): 2 working days.

Claims for Losses and Compensation:

Any claims for losses and compensation arising from service disruptions are limited to 5 times the fees stated in the Statement of Works schedule.

Exclusions: The SLA covers services within PromoNow's control. However, client-controlled or third-party services, such as third-party APIs, fall outside the scope of this SLA.

Review and Reporting:

Regular SLA performance reviews will be conducted to ensure compliance and identify opportunities for improvement.

Client Responsibilities:

Clients are responsible for providing accurate and timely information to facilitate efficient issue resolution. It is the client's responsibility to manage and monitor third-party services and APIs not covered by this SLA.

Communication and Escalation:

Clients can reach our support team 24/7 through designated channels for prompt issue resolution. An escalation process is in place to address and resolve any prolonged or critical issues.

Force Majeure:

In the event of force majeure or circumstances beyond our control, PromoNow will make all reasonable efforts to minimize service disruptions and communicate effectively with clients.

Amendments and Updates:

PromoNow reserves the right to update and amend this SLA. Clients will be notified in advance of any changes.


PromoNow is dedicated to providing a reliable, high-performance cloud infrastructure service with a robust SLA, ensuring our clients receive the utmost in service quality and support. We appreciate your trust in our services and remain committed to exceeding your expectations.

PromoNow Security Operations Center (SOC)

Threat Monitoring and Intrusion Detection System

Built to meet high compliance standards, Threat Monitoring detects all activity across your solution, including servers, VMs and applications, providing you with an overview of any threats and vulnerabilities that put your business at risk. Cloudflare ZeroTrust takes actions to tackle threats 24/7. By combining host-based intrusion detection, file integrity monitoring, intelligent blacklisting and vulnerability scanning and remediation from our in-house team, we improve the security of your infrastructure to mitigate the impact of a devastating cyber-attack.

Anti-DDoS Hosting & Protection

Every year, 17 million businesses are compromised by a Distributed Denial of Service (DDoS) attack, with 91% of those targeted experiencing downtime as a result. Included as standard, Cloudflare ZeroTrust protection investigates attacks and generates a unique fingerprint for each attack, identifying and redirecting this traffic away from your webserver, keeping your business online and functional. PromoNow DDoS protection specialists analyse behaviour to predict DDoS attack patterns using algorithms to ensure we defeat the latest and most sophisticated attacks.

What does DDoS protection do?
  • Maintained uptime, even during a DDoS attack
  • An accelerated website, web application and more with our global CDN
  • Create new DDoS rules, decreasing the likelihood of another attack
  • Increased defence for your data and web applications

Web Application Firewall

A Web Application Firewall (WAF) is designed to protect data from hackers as they try to exploit weaknesses in application code. These targeted attacks are disguised as genuine requests made to forms on websites - to a traditional firewall or Intrusion Detection System/Intrusion Prevention System they will appear authentic and so allow them to proceed; making them either unable to guard against these attacks or unable to offer comprehensive protection. Once these requests get through to your application, the hacker can send a special request through your website form that will in turn release sensitive data stored on your database. WAFs are designed to proactively protect the application layer against attempted fraud or data theft; blocking any suspicious activity. Inspecting every web request for cross-site scripting, SQL injection, path traversal and 400+ other types of attack, this protective layer aims to keep your data secure. By combining host-based intrusion detection, file integrity monitoring, intelligent blacklisting and vulnerability scanning and remediation from our in-house team, we improve the security of your infrastructure to mitigate the impact of a devastating cyber-attack.

Safeguard from all inbound and outbound traffic, for all web applications, by examining traffic from both directions to ensure that your database doesn't release any information that it shouldn't.

Inbound traffic monitoring and report production, illustrating the level of suspicious traffic targeting your site.

Reduced financial and reputational risk, ensuring that your business offers the highest level of security for your clients.

A specialised team of security experts overseeing your WAF and continually identifying new rules to better protect your application.

24/7/365 UK-based support from a dedicated team of experts.

Sitting directly on the application layer, your WAF examines every HTTP request/conversation that comes through to your database server and applies a set of bespoke rules to filter out illegitimate traffic. Custom rule sets are managed by security experts and exist for a wide range of applications. New rules can continually be applied to keep pace with new and emerging threats. Our WAF also proactively observes your genuine traffic, creating bespoke rules to ensure that any legitimate traffic is not blocked. With no changes to your existing setup and an additional layer of protection, WAFs ensure that your site provides the utmost protection for your clients and also allows you to comply with PCI 6.6.

Our high performance WAF solution is designed to safeguard against a number of vulnerabilities, including:

  • Cross-site scripting (XSS)
  • Injection flaws (SQL injection)
  • Malicious file execution
  • Insecure direct object reference
  • Cross-site request forgery (CSRF)
  • OS command injections
  • Information leakage
  • Improper error handling
  • Application denial of service
  • Broken authentication
  • Session management
  • Insecure cryptographic storage
  • Insecure communications
  • Failure to restrict URL access

Risk Assessment of Problems, Privacy and Security (RAPPS) Traffic Lighting

Our unique RAPPS traffic light system provides a recognizable framework to work through known risks and discover new ones. A simple and easily understandable traffic light signal is applied from inception.

Secure Software Development Lifecycle (SDLC)

To meet the demands of FMIT we adopt an agile approach to development from inception to decommission. The project timeline allocates resource, time and quality assurance through each phase:

  1. Planning & Requirements + RAPPS
  2. Architecture & Design + RAPPS
  3. Test Concept Planning + RAPPS
  4. Coding + RAPPS
  5. User Testing, Security Testing & Results + RAPPS
  6. Release & Maintenance + RAPPS
  7. Close & Data Purge
  8. Decommissioning

Our RAPPS (Risk Assessment of Problems, Privacy and Security) overlay is an ever-present traffic light signal throughout each stage. At stage 5 testing each deployment is subjected to Indusface vulnerability scanning and other third party assessment tools.

100% Connectivity Guarantee

We know how essential uptime is to your business, which is why we offer you a 100% connectivity guarantee.

Because each circuit in every regional POP (internet access point) is connected to a different router, we guarantee continuous service, even in the event of a total loss of a router and/or circuit.

Each POP has a redundant UPS (uninterruptable power supply) system, so should either UPS fail or be taken out of service for maintenance, your connection remains unaffected.

Fair scope

We understand quotes are often required prior to supply of complete visuals. In ‘quoting blind’ we promise to make our best efforts to meet and interpret visuals to industry best practice, within the constraints of the shifting sands involved in mobile-responsive web design. Designs should contain consistent headers and footers across the page templates. For effective mobile-first responsiveness, key elements work best centralized, with the flex in the design for them to be ‘stacked’ in portrait views.

Supplying artwork?

We work with Adobe Photoshop, XD, Figma, and Illustrator. Files must contain all layers, with assets and elements cleanly cut and isolated. For online production we recommend pages are based upon a typical width of 1920 pixels, with a screen height / fold / scroll guide of 1080px. Where possible save and downsize assets accordingly, particularly if using artboards. We will optimize assets if necessary to ensure online speed usability, but as a rule of thumb we are talking KBs, not MBs and certainly not GBs.

We’re happy to work with whatever your preference for file transfers (WeTransfer, YouSendIt, DropBox, GoogleDrive, etc.); please prefix filenames with a version control number. If your design includes custom / proprietary fonts these need to be packaged, licensed and supplied to us appropriately with a full webfonts kit (all browser file types are required: .ttf, .otf, .woff, .woff2, .eot). We are licensed for Adobe Fonts, and of course any Google Fonts.

We know there will be final copy changes and edits; no problem, we’re happy to do those. Working with a copy-deck is a great idea, and please label and prefix the file with a version control number, eg V2 – XXXX – approved copy terms.

If your scope includes email templates, as a general rule we are happy to design and develop these based upon the web design assets. If you are designing them, width is all important: we recommend a vertical layout, with a width between 500 to 650 pixels, with the key message high up the design, and text copy areas to explain the content if the user has chosen not to download and view images within the email. Many email client browsers are very old; as such, fonts used must be web-safe standard fonts: Arial, Arial Black, Arial Narrow, Comic Sans, Courier New, Georgia, Impact, Tahoma, Times New Roman, and Verdana. Play it safe with a body copy font size of 14 pixels and 22 pixels for title.

*By supplying any assets, imagery, photography and video you are expressly indemnifying us against any copyright infringements and/or liability.
*Agreed timelines to LIVE deployment are based upon production commencing upon receipt of all approved designs and layouts.
*Any custom/proprietary fonts required but not supplied will be re-charged at cost + admin fee per font.