As a cybersecurity company, we take the protection of our platform and any customer data on it very seriously. Below is an overview of how we are addressing our responsibilities.


Security is best implemented through a mixture of people, process and technology controls in many layers of our service. Below is a list of the main points, but there’s lots going on behind the scenes too;

  • We perform regular risk reviews to identify ways in which we can improve the security of, taking steps to find and mitigate risks to address any areas that we believe can be improved upon and further secured.
  • Our hosting is with industry-leading AWS. You can view their security page here.
  • Access to customer data or our application and infrastructure is provided strictly on a need-to-know basis, enforcing ‘Least Privilege Access’ principles. We conduct reviews of our roles and access controls regularly to ensure this principle hasn’t slipped.
  • We take full daily backups of our service and the data within it to ensure any impact from a disaster is minimised in terms of recovery point and recovery time (we can get back up and running really quickly, and without losing much data).
  • We employ 256-bit Advanced Encryption Standard (AES) for all storage and transfer of data, to reduce risks of eavesdropping or data theft.
  • All system administrator access makes use of Two Factor Authentication so that account misuse threats are minimized
  • We operate regular vulnerability scanning across our applications and infrastructure to ensure rapid identification and remediation of vulnerabilities.
  • We operate a program of responsible disclosure (for our WWW site only, please do not test against our live APP site) and undertake penetration testing and active red-team testing to find and mitigate common attacks.
  • We build security into our development and operations (DevOps) processes, to run a secure development lifecycle with secure-by-design principles adopted from the earliest stages in all activities.
  • We use different environments for development, testing and live operations of our services. These environments are separated both logically and physically from each other and no customer data is used in testing or development.
  • Comprehensive audit logs are kept for changes made by administrators. They provide records including type, action, performer and timestamp that it was executed.
  • Our full service is monitored 24/7 for security incidents, with response plans in place and tested for common scenarios.
  • Billing security is handed off to our payment partners; we do not store any payment card information