Find out more about our approach to information security
ISO 27001 is the most widely used international standard that specifies requirements for an Information Security Management System (ISMS). We are proud of our ISMS and use auditors certified by the United Kingdom Accreditation Service (UKAS).
We work with CREST-certified cybersecurity specialists who regularly undertake grey-box penetration testing of our systems, for which we disclose our entire public-facing attack surface. Our most recent report praised our “very strong security posture”.
We are fully compliant with the GDPR and are registered with the Information Commissioner's Office (ICO), registration number ZB406049. We have a Data Protection Officer (DPO) responsible for ensuring that our data processing meets both current and evolving standards.
We are fully cloud-based, using the latest technologies and best practices (subject to third-party reviews). We use Amazon Web Services (AWS) to ensure that our infrastructure is highly available and resilient, with production completely segregated from our software development lifecycle environments.
We enforce the use of Transport Layer Security (TLS) 1.2 or higher for all connections to our services. We also encrypt all data at rest using the Advanced Encryption Standard (AES) 256-bit encryption algorithm. We utilise AWS managed data storage services.
We are proud of our DevSecOps culture and practices, with security embedded into our software development lifecycle. We use automated tools to scan our code and dependencies for vulnerabilities and misconfigurations.
With easy-to-configure, granular user permission controls and detailed access and event logging of every action, we make our customers’ own information security requirements easy to meet and to integrate into their existing stack.
We leverage Auth0/Okta for identity provision, enabling us to offer enterprise-grade Single Sign-On, strong password enforcement, Multi-Factor Authentication (Time-based One-Time Password), bot protection, clickjacking protection, domain whitelisting and much more.
We undertake background checks on all our staff, who sign Non-Disclosure Agreements at onboarding to protect customer data. We manage all company devices with Mobile Device Management software, with CrowdStrike Falcon next-generation antivirus installed on every machine.
☑️ Policies for information security
☑️ Review of the policies for information security
☑️ Information security roles and responsibilities
☑️ Access control policy
☑️ Access to networks and network services
☑️ User registration and de-registration
☑️ Documented operating procedures
☑️ Change management
☑️ Capacity management
☑️ Information security policy for supplier relationships
☑️ Addressing security within supplier agreements
☑️ Information and communication technology supply chain
☑️ Responsibilities and procedures
☑️ Reporting information security events
☑️ Reporting information security weaknesses