Platform and Network Security
We perform rigorous security testing including, but not limited to:
- Third-party application and network penetration tests, performed by Cobalt.io against our entire product suite by GIAC, OSCP, CEH, and CISSP certified testers.
- Nightly vulnerability scans of our application and network by Qualys.
- Automated threat detection (AWS GuardDuty), a web application firewall (AWS WAF), and DDoS protection (AWS Shield).
- AWS Systems Manager to automatically update and patch our infrastructure.
Storage of Data
- Data is stored encrypted at rest using a minimum 256-bit key via AWS KMS.
- UK & EU customer data is stored within the AWS London (eu-west-2) data centre.
- US customer data is stored within the AWS North Virginia (us-west-1) data centre.
- Backup retention is 35 days; some data is retained for longer under Money Laundering regulations.
- Physical and electronic material is destroyed using ADISA certified third parties.
- We maintain an active asset register.
- We use an MDM and fleet management solution (Microsoft Intune) to manage all our devices.
- We use CrowdStrike.com for endpoint security, next-generation antivirus and malware protection.
- We apply multiple DLP strategies using CrowdStrike, Google Vault and more.
- All access to customer data is limited to a need-to-know basis and only over encrypted links and VPNs. Access is fully auditable.
- We use Automox.com to patch our operating systems and third-party software.
- We are Cyber Essentials certified (IASME-A-013774).
- All data transfer is performed over either HTTPS (TLS >= 1.2) or Secure FTP with public key authentication using keys of no less than 2048 bits.
Security Best Practices
- All user passwords are salted and hashed with the scrypt algorithm.
- All sensitive banking data (e.g. bank account details) is further encrypted with AES-256.
- Multi-factor authentication is enforced, and Single Sign-On (SSO) is used to cascade access across multiple services where possible.
Compliance & Governance
- All data centres are compliant with ISO 27001, SOC 1, SOC 2, SOC 3, PCI DSS Level 1 and more.
- We are registered with the FCA as an EMD Agent (902046).
- We are registered with the ICO under the UK Data Protection Act (ZA421647).
- All staff complete the NCSC cyber awareness training.
- All staff are ID&V and DBS checked; key staff additionally undergo an adverse credit check.