
Data Security

Below is a list of the measures, processes and policies we have in place to protect our platform and the sensitive information it contains.

Defined security management system

  • Defined roles and responsibilities for IT security and data privacy
  • Defined standards, documentation, and policies
  • Defined processes to ensure data privacy and data security ‘by design’
  • Defined data back-up and retention policies
  • Ongoing IT change control and audit processes
  • Role-based access control, granting each role only the minimum access it requires (least privilege)
  • ID and background checking for all staff
  • Comprehensive asset register, technical and configuration documentation
  • Defined incident response plan
  • Defined business continuity plan covering all IT and data services

Core network and key IT system protections

  • Windows Active Directory (Azure Active Directory)
  • Office365 Security & Compliance tools
  • Two-factor authentication and strong password policies
  • BitLocker full-disk encryption on devices
  • Endpoint security (web filtering, DNS protection, antivirus, anti-malware)
  • Virtualised environment for all on-premises hosts (enabling backup and encryption)
  • Exchange Online (Office365) for corporate email
  • Comprehensive logging, monitoring, and alerting
  • Systematic removal of insecure encryption protocols (all SSL versions, TLS 1.0 and TLS 1.1)
  • Annual penetration-testing programme, supplemented by regular vulnerability scans

Expertise provided by external IT provider

  • Retained advice on IT security topics and best practices
  • Enforcement of IT change control and management processes
  • Investigation of alerts and audit of logging and monitoring
  • Active device management, including monitoring, endpoint security and security patching

Dual, redundant internet connectivity and network security devices

  • VPN as the gateway for access to key on-premises and SaaS systems
  • Active subscriptions to vendor IDS / IPS / AV services
  • SFTP facility restricted by IP allow-listing
  • Use of VLANs to segregate devices and services on the corporate network

Security awareness and training programme for all staff and contractors

  • Ongoing, automated online security training programme (industry-leading platform)
  • Ongoing, automated phishing simulation tests with remedial training for those who fail (industry-leading platform)

Comprehensive backup and data restoration capabilities

  • On-premises systems backed up both on-site and off-site, in encrypted form, with backups verified
  • Multiple restore points maintained (daily, weekly, monthly, quarterly)
  • Extensive use of versioning in SaaS and cloud-based systems (supporting point-in-time restore)

Physical access measures for on-premises infrastructure

  • Magnetic door locks with named door-access fobs and ID cards
  • Access to building locations restricted, and limited to working hours
  • External security measures and extensive CCTV coverage and monitoring

Use of segregated environments for development, test, and production

  • Use of personal data in test and development systems is prohibited

Personal and sensitive data housed in the following locations

  • Office365 (UK and EU tenant)
  • On-premises at Fleet House (UK)
  • Google Cloud Platform (UK tenant)

Support and Escalation Processes

To assist customers and data controllers, we provide the following in addition to our standard operating processes:

  • Defined query and escalation management process
  • Defined data security/privacy incident management process