Our security policies

In this day and age, information security is on the forefront of everyone's minds and no more so than on ours. While there is no magic bullet for 100% security, we have taken every step we can to make sure that your data is secure as possible on our platforms. This page outlines some of the measures we have in place to keep your information as safe as possible.

Physical Security

  • We store all data within secure data centres in the United Kingdom.
  • Data centres implement two factor authentication and biometric access controls for entry into the data centre building itself.
  • Full CCTV coverage covering access to the data halls with 24-hour video recording.
  • Fire detection, fire suppression & water ingress detection systems installed and tested.
  • Fully alarmed floors covering entrances and emergency exits.
  • Our offices are alarmed & monitored and have an access control system to only allow access to authorised current staff members with a need for access.

Server & data access

  • Physical access to servers is limited to core administrators.
  • Staff access to data is limited to those who have a legitimate need to access the data in question in order to perform their job.
  • All staff access to data is restricted to authorized networks and authenticated with two factor authentication. It is only accessed using encrypted transport mechanisms.
  • All servers are securely firewalled with configuration managed and monitored centrally with a change process for any changes to rules.
  • Our staff are trained in practising good security hygiene.
  • We have a detailed internal security policy that covers, in detail, how our systems must be operated. Staff are required to read, understand and review this on a regular basis.

Encryption & hashing

  • Our services only allow access over HTTPS and implement HSTS headers to ensure browsers only send data to secure endpoints.
  • Our APIs are not supported over HTTP and will either return a 301 redirect to HTTP or return a bad request error.
  • Sensitive data, where appropriate, is encrypted in our databases.
  • All passwords used to login to our services are hashed and salted using industry standard hashing techniques.

Provided security tools

  • Two factor authentication.
  • IP & network restrictions.
  • Admin-level two factor enforcement & monitoring.
  • Security notifications on logins from unrecognised browsers.
  • Automatic blocking when too many login attempts are detected.
  • All logins & sessions are logged.

Monitoring, logging & scanning

  • We monitor thousands of metrics across all our server infrastructure and are alerted to any potential issues 24/7.
  • Any server logs are aggregated and are stored for a minimum period of 6 months.
  • We run weekly security scans against our whole network to monitor any potential vulnerabilites.

Backups & redundancy

  • All data is stored on redundant disk arrays to minimise the possibility of data unavailability.
  • Many servers are deployed on replicated pairs to allow for easy failover.
  • Data is encrypted before being backed up at least every 3 hours to a secure server at a separate physical location (located in the United Kingdom).

Social engineering

  • We train our team in practicing good security practices to avoid the potential effects of social engineering.