Security

Find out more about our approach to information security

ISO 27001 UKAS-accredited certification

ISO 27001 is the most widely used international standard that specifies requirements for an Information Security Management System (ISMS). We are proud of our ISMS and use auditors certified by the United Kingdom Accreditation Service (UKAS).

Regular grey-box penetration testing

We work with CREST-certified cybersecurity specialists who regularly undertake grey-box penetration testing of our systems, for which we disclose our entire public-facing attack surface. Our most recent report praised our “very strong security posture”.

General Data Protection Regulation

We are fully compliant with the GDPR and are registered with the Information Commissioner's Office (ICO), number ZB406049. We have a Data Protection Officer (DPO) responsible for ensuring that our data processing meets both current and evolving standards.

Cloud native infrastructure

We are fully cloud-based, using the latest technologies and best practices. We use Amazon Web Services (AWS) to ensure that our infrastructure is highly available and resilient, completely segregating production from software development lifecycle environments.

Data encryption standards

We enforce the use of Transport Layer Security (TLS) 1.2 or higher for all connections to our services. We also encrypt all data at rest using the Advanced Encryption Standard (AES) 256-bit encryption algorithm. We utilise AWS managed data storage services.

DevSecOps culture

We are proud of our DevSecOps culture and practices, with security embedded into our software development lifecycle. We use automated tools to scan our code and dependencies for vulnerabilities and misconfigurations.

Enterprise in-app security

With easy-to-configure, granular user permission controls and detailed access and event logging of every action, we make our customers’ own information security requirements easy to meet and to integrate into their existing stack.

Best in class authentication

We leverage Auth0/Okta for identity provision, enabling us to offer enterprise-grade Single Sign-On, strong password enforcement, Multi-Factor Authentication (Time-based One-Time Password), bot protection, clickjacking protection, domain whitelisting and much more.

Internal InfoSec controls

We undertake background checks on all our staff, who sign Non-Disclosure Agreements at onboarding to protect customer data. We monitor all devices using Mobile Device Management software, with CrowdStrike Falcon next-generation antivirus installed on every machine.