Our Security Commitments
Information Security Program
We have an Information Security Program in place that is developed continuously and communicated throughout the organisation. Our Information Security Program follows the criteria set forth by the SOC 2 Framework. SOC 2 is a widely known and accepted information security auditing procedure created by the American Institute of Certified Public Accountants.
Third-Party Audits
We undergo independent third-party audits in line with SOC 2 to test our security and compliance controls.
Penetration Tests
We arrange for third-party penetration tests annually to ensure our security posture is maintained.
Roles and Responsibilities
Roles and Responsibilities related to our Information Security Program are defined and documented. All employees, contractors and subcontractors are required to review and accept all our security policies.
Security Awareness Training
Security Awareness Training is provided to all new hires at the start of their employment, covering topics such as phishing, working from home, and password management, among others. Further training is provided throughout each year. Participation is mandatory and is monitored to ensure the training is completed by all employees.
Confidentiality
All new hires are required to sign our confidentiality agreement before their employment commences.
Background Checks
All new hires undergo background checks in accordance with local law.
Cloud Security
We use various cloud solutions to provide our service. All solutions used are required to meet our security standards. The following are the cloud solutions used, and a link to their security and compliance page:
Microsoft Azure: Microsoft Trust Center Overview | Microsoft Trust Center
Microsoft 365: Microsoft Trust Center Overview | Microsoft Trust Center
Egnyte: Compliance Standards for Data Security | Egnyte
Thirdwave Analytics: LockBox Privacy Policy – Third Wave Analytics
Zoho: Compliance at Zoho
Data residency
Most data is housed in UK-based data centres. Where this is not the case, the data is housed in US-based data centres. The UK has made an “adequacy decision” with respect to the data protection laws of the USA. Transfers to the USA will be protected by appropriate safeguards, namely the use of standard data protection clauses adopted or approved by the UK, and will only be made to companies registered on the US Department of Commerce’s Data Privacy Framework Program (Data Privacy Framework).
Data encryption
All cloud hosted data is encrypted in transit and at rest.
Vulnerability Scanning
We actively monitor our systems for threats and vulnerabilities, and implement mitigations where required.
Logging and Monitoring
For all cloud services we monitor logs and employ alerts where available.
Business Continuity and Disaster Recovery
We maintain a Business Continuity Plan and have developed a Disaster Recovery Plan to reduce the risk of data loss in the event of hardware failure or malware infection.
Incident Response
We have a Security Incident Response Plan, and a defined team to respond to incidents. The plan is tested annually.
Permissions and Authentication
Access to any system is limited to authorised personnel who require it for their role.
All cloud services require MFA, and SSO is employed where available. Strict password policies are enforced on all systems.
Principle of Least Privilege
With respect to identity and access management, we follow the principle of “least privilege”, assigning only the permissions required for the role.
Vendor and Risk Management
All vendors are subject to risk assessments and are reviewed for security commitments before they are authorised.
All systems undergo a risk assessment annually to identify threats, including considerations for fraud.