Customer Security Statement

Technical Security Measures

We host our applications in Microsoft Azure, using multiple resilient UK datacentres.  These sites are operated to exacting physical security standards, ensuring that only authorised personnel can gain access to the premises, with access logged and monitored 24x7x365.

We have designed our platform using modern failover and redundancy techniques, coupled with robust Backup and Disaster Recovery technology, to ensure high availability at all times.

All personal data is encrypted at rest, and encrypted in transit in and out of our platform using TLS 1.2 as a minimum.

To ensure the highest quality of security is embedded into our applications, we train our engineering team in secure coding practices such as OWASP industry recommendations, and we test for security risks throughout the software delivery lifecycle. We also regularly use independent penetration test partners to identify any security risks.

To ensure no unauthorised access is obtained to the platform, we operate strong firewalling, continuous intrusion detection and prevention (IDP) monitoring, and strict role-based access controls (RBAC) on the basis of least privilege.

Our operational and security teams work around the clock every day of the year to monitor and respond to the most critical alerts and issues.

We offer an availability service level agreement (ASLA) of 99.90%, and commit to responding to all priority 1 incidents within 60 minutes of contact.

Our service management process underpins all that we do, and ensures that we deliver best-in-class processes and people to manage incidents and deliver changes safely and successfully.

Security Policy and Governance

We minimise staff access to the platform based on role and least privilege access.  All staff that work on our platform are subject to rigorous background checks, are party to confidentiality agreements and undergo annual security training.

Our information security management system (ISMS) policies ensure that the company operates with an end-to-end security mindset. This includes the secure storage, deletion and disposal of customer data, as well as physical security and access controls. 

The suppliers we work with to help deliver service on the platform have been carefully selected, and undergo careful screening and review via our third-party risk management process. For the list of suppliers who process, store or transmit messaging data, or provide services within environments where customer messaging data is processed, please see our sub-processors page.

We also pride ourselves on our anti-fraud processes, which aim to prevent and detect any potential misuse of our platform, and deliver a high level of assurance for both our customers and suppliers.

Accreditations and Standards

Our service has been designed in compliance with international security standards including ISO 27001 and Cyber Essentials, and adheres to all relevant regulatory requirements such as GDPR.

We do not process payments on our platform on behalf of our customers, but use a trusted partner who is accredited to PCI DSS Level 1 standards to protect sensitive financial data.

Support

You can contact us via phone, email and chat between 08:30 and 17:30, Monday to Friday excluding UK Public Holidays.

Last Updated February 2025