Skip to main content

Data Security

An overview of our data security practices, including infrastructure, encryption, access controls, compliance, and incident response.

Jim Backwell avatar
Written by Jim Backwell
Updated over a month ago

We take the security and privacy of your data seriously. Below is an overview of the systems, practices, and policies we have in place to protect customer information.

Audit & Compliance

  • We undergo an independent security audit and annual penetration testing

  • Regular security training is provided to staff to ensure ongoing compliance with best practices.

Infrastructure & Hosting

  • Our platform is hosted entirely on AWS (EU-West-1 region, Dublin), with no on-premise infrastructure.

  • AWS data centres are ISO27001 and SOC 1, 2 & 3 certified.

  • Infrastructure is managed using Hashicorp Terraform.

  • Customer data and backups are stored across multiple availability zones within the EU.

  • Data is encrypted both in transit and at rest using AWS Key Management Service (KMS).

IT Security Practices

  • We follow the CIS AWS Benchmark for secure cloud configurations.

  • Monitoring is in place to detect anomalous activity.

  • We use a multi-account AWS architecture for separating environments (test, staging, production).

  • MFA is enforced across all systems.

  • Passwords are managed securely with strict access policies.

  • Code is version controlled with peer review, automated testing, vulnerability scanning, and linting.

  • Regular cyber security awareness training is provided to all employees.

Access Controls

  • Access to customer data is limited based on job role and the principle of least privilege.

  • Role-based access control and MFA are enforced across all systems.

  • Employee access is granted only for specific tasks and resets after one day.

  • An audit trail is maintained for all access to customer data.

Data Privacy

  • We store limited personal data including email addresses, physical addresses, and names.

  • All company devices are managed via MDM and use encrypted hard drives.

  • Regular assessments are conducted to ensure compliance with GDPR and relevant data protection laws.

Data Retention & Disposal

  • Customer data is retained as long as the relevant connectors are active.

  • When data is no longer needed or a connector is removed, all versions of the data are permanently deleted.

Incident Response

  • We follow incident response methodologies inspired by Google's Site Reliability Engineering (SRE) practices.

  • In the event of a confirmed data breach, customers are notified within 24 hours.

  • We have not experienced any data breaches to date.

Redundancy & Reliability

  • Systems are built with redundancy across multiple availability zones.

  • We maintain 24/7 on-call support and track key operational metrics (e.g., DORA) to ensure high availability.

  • Our infrastructure is elastic and can accommodate sudden increases in demand.

Physical Security

  • Keycard access is used for office facilities.

  • MDM is enforced on all company-issued devices.

Employee Training

  • Staff receive regular training and internal sessions on topics such as phishing and password hygiene.

  • Reference checks and criminal record inquiries are conducted during hiring.

  • Internal phishing simulations help prevent social engineering attacks.

Remote Work Security

  • Company devices are encrypted and managed remotely.

  • Customer data access is time-limited and monitored through audit logs.

  • A secure remote access policy is in place and available upon request.

Vendor Management

  • We use third-party services such as AWS.

  • Vendors are assessed annually to ensure they meet our security requirements.

  • A vendor management policy is in place (available on request).

Cybersecurity Insurance

  • We maintain cybersecurity insurance that covers incidents such as data breaches.

Did this answer your question?