Compliance & Certifications
Independently audited and certified to the highest industry standards.
SOC 2 Type II
Audited annually by an independent third party. The full report is available on request.
GDPR Compliant
GDPR is a legal obligation rather than a certification, and we meet it in full. EU data residency is available, and a Data Processing Agreement (DPA) is provided as standard.
PCI DSS Level 1
Validated at Level 1, the most stringent PCI DSS tier, for the handling and storage of payment card data. Level 1 requires an annual Report on Compliance from an on-site assessment rather than a self-assessment questionnaire.
ISO 27001
Certified information security management system (ISMS). An annual penetration test is included in the certification scope.
Platform Security
Multiple layers of protection at every level of the platform.
Data Protection
- AES-256 encryption at rest
- TLS 1.3 encryption in transit
- Field-level encryption for payment data
- Encrypted database backups with 90-day retention
- Zero-knowledge handling of designated sensitive fields (stored only as ciphertext that the platform itself cannot decrypt)
- Automated data deletion on account termination
Access Control
- Role-based access control (RBAC)
- Single sign-on (SSO) — SAML 2.0, Google, Microsoft
- Multi-factor authentication (TOTP, hardware keys)
- Session management with configurable timeouts
- IP allowlisting for sensitive operations
- Full audit trail for all admin actions
Infrastructure
- Hosted on AWS in UK/EU regions
- Multi-region failover with 99.9% uptime SLA
- Automated vulnerability scanning (daily)
- Web Application Firewall (WAF) on all endpoints
- DDoS protection via Cloudflare
- Private VPC with no public database exposure
Monitoring & Response
- 24/7 security monitoring and alerting
- Intrusion detection and prevention systems
- Anomaly detection for unusual account activity
- Documented incident response plan with an incident response SLA of under one hour (Enterprise plans)
- Bug bounty programme for responsible disclosure
- Annual third-party penetration testing
Found a Security Issue?
We take every security report seriously. If you have discovered a vulnerability in our platform, please report it responsibly through our secure disclosure channel. We aim to acknowledge every report within 24 hours and to resolve critical issues within 48 hours. Researchers who report valid issues are credited in our Hall of Fame.