Customer Security Statement

Customer Security Statement (UK, IRE, AUS)

Technical Security Measures

We host our applications in Microsoft Azure, using multiple resilient datacentres across regional instances.  These sites are operated to exacting physical security standards, ensuring that only authorised personnel can gain access to the premises, with access logged and monitored 24x7x365.

We have designed our platform using modern failover and redundancy techniques, coupled with robust Backup and Disaster Recovery technology, to ensure high availability at all times.

All personal data is encrypted at rest, and encrypted in transit into and out of our platform using TLS 1.2 or above.

To ensure the highest quality of security is embedded into our applications, we train our engineering team in secure coding practices, such as OWASP industry recommendations, and test for security risks throughout the software delivery lifecycle. We also regularly use independent penetration test partners to identify any security risks.

To prevent unauthorised access to the platform, we operate strong firewalling, continuous intrusion detection and prevention (IDP) monitoring, and strict role-based access controls (RBAC) on the basis of least privilege.

Our operational and security teams work around the clock every day of the year to monitor and respond to the most critical alerts and issues.

We offer an availability service level agreement (ASLA) of 99.90%, and commit to responding to all priority 1 incidents within 60 minutes of contact.

Our service management process underpins all that we do, and ensures that we deliver best-in-class processes and people to manage incidents and deliver changes safely and successfully.

Security Policy and Governance

We minimise staff access to the platform based on role and least privilege access.  All staff that work on our platform are subject to rigorous background checks, are party to confidentiality agreements and undergo annual security training.

Our information security management system (ISMS) policies ensure that the company operates with an end-to-end security mindset. This includes the secure storage, deletion and disposal of customer data, as well as physical security and access controls. 

The suppliers we work with to help deliver service on the platform have been carefully selected, and undergo careful screening and review via our third-party risk management process. For the list of suppliers who process, store or transmit messaging data, or provide services within environments where customer messaging data is processed, please see our subprocessors page.

We also pride ourselves on our anti-fraud processes, which aim to prevent and detect any potential misuse of our platform, and deliver a high level of assurance for both our customers and suppliers.

Hosting and Processing Locations

To enable us to provide data sovereignty capabilities for our customers, we will process and host your messaging data in regional instances of Connect.

  • If you are a customer located in the UK, your data will be processed and stored in Connect in the UK.
  • If you are a customer located in the EU, your data will be processed and stored in Connect in the EU.
  • If you are a customer located in Ireland, your data will be processed and stored in the EU.
  • If you are a customer located in Australia, your data will be processed and stored in Connect in the UK.

For further information on which legal entity you are contracting with, please see the Terms of Service.

Messaging Data Retention

To ensure our messaging services remain high-performing and reliable, the Connect platform processes end-user personal data (contact numbers and message content) across two distinct database layers with specific retention cycles:

  • Operational Processing: To facilitate message routing, status updates from mobile networks, and troubleshooting, data is first processed in a write-optimised database. This data is strictly for system operations and is not visible to the user. Message content is purged from this layer after 5 days, and contact numbers are purged after 40 days.
  • Customer Records: Your visible message history is maintained in a central core database. By default, this data is retained for 180 days, though you may configure this period between 0 and 730 days depending on your region and requirements.
  • Please note that while setting a retention period of fewer than 40 days will remove data from your visibility, the underlying contact number will persist in the operational layer for the full 40-day technical cycle, and the message content will persist for 5 days, to ensure delivery completion.
  • In some regions we may be required to set the retention period for message history in line with regulatory and legal requirements which may not be altered by customers. For example, in Australia, regulatory requirements mean that message history will be retained for 2 years. 

Accreditations and Standards

Our service has been designed in compliance with international security standards, including ISO 27001, and adheres to all relevant regulatory requirements, such as GDPR.

In the UK, the Connect platform is also certified to Cyber Essentials and NHS DSPT. Also for our UK customers, whilst we do not process payments directly on your behalf, we use a trusted partner who is accredited to PCI DSS Level 1 standards to protect sensitive financial data.

Support

You can contact us via phone, email and chat between 08:30 and 17:30, Monday to Friday excluding UK Public Holidays.

Last Updated February 2026