Trust Centre
Welcome to our Trust Centre, a centralised hub for showcasing our commitment to security, privacy, and compliance. Here, you’ll find transparent and up-to-date information about our security practices, compliance certifications, and data protection policies.
Compliance
* Certification in progress
Controls
- Secure Software Development Lifecycle established
- Penetration Testing conducted
- Change Management procedures enforced
- Vulnerability scanning procedures established
- Role Based Access Control (RBAC) established
- Multi-Factor Authentication implemented
- User Access Reviews conducted
- Password policy enforced
- Business Continuity and DR plans established
- Continuity and DR plans tested
- Incident Response plan tested
- Data backups and restoration procedures tested
- Encryption at rest implemented
- Encryption in transit implemented
- Encryption key management process established
- Network and firewall access restricted
- Risk Assessment and treatment established
- Vendor Risk Management established
- Asset Management maintained
- Security Awareness Training implemented
- Endpoint Detection and Response established
- Disk encryption enforced
- Threat and Malware protection enforced
- Endpoint Management policies established
Policies
Subprocessors
Product Security
(7 Controls)
The company follows a Secure Software Development Lifecycle (SDLC), embedding security from initial design through deployment and maintenance.
The company performs annual third-party penetration tests to simulate cyber attacks and uncover system vulnerabilities.
All software and infrastructure modifications undergo formal review and approval before deployment to production environments.
Comprehensive vulnerability scanning procedures assess the security posture of all systems on a regular basis.
A documented secure product architecture defines the structure and components of the platform with security at every layer.
Production environments are separated from development and staging to prevent unauthorised access and data leakage.
Intrusion detection systems continuously monitor network activity to identify and respond to suspicious behaviour.
Access Management
(9 Controls)
RBAC is enforced via a central identity provider, ensuring system access aligns strictly with job responsibilities.
MFA is required for all sensitive access, including production systems, administrative consoles, and cloud services.
Scheduled user access reviews are conducted on production systems, databases, and applications to ensure appropriate access levels.
A comprehensive password policy defines required password strength and complexity across all systems.
Only authorised users have access to the production environment, with access strictly controlled and monitored.
Privileged access to critical systems is granted only to authorised personnel following the principle of least privilege.
Documented access control policies outline how user access is provisioned, reviewed, and revoked across all systems.
Access to production databases is restricted to authorised personnel only, with production data protected from unauthorised access.
A formal access request and approval process ensures access is granted based on job requirements with appropriate authorisation.
Security & Continuity Procedures
(7 Controls)
BCP and DR plans secure operational resilience amid disruptions, with documented procedures for all critical systems.
BC/DR plans are validated with annual testing to ensure effectiveness and identify areas for improvement.
The Incident Response Plan is tested at least annually through tabletop exercises or similar simulations.
Regular backups of production data are performed, stored separately from production, and tested for restoration reliability.
Multiple availability zones ensure redundancy and high availability across the production environment.
Comprehensive monitoring across the production environment tracks system performance, availability, and security events.
Audit logging records key events across application and infrastructure layers for security analysis and compliance reporting.
Data Security
(4 Controls)
Data at rest is secured using industry-accepted encryption standards such as AES-256 across all storage systems.
All data in transit is encrypted using TLS 1.2 or newer, with no support for deprecated cryptographic protocols.
Encryption key management restricts access to authorised personnel with defined rotation and storage procedures.
Firewalls are configured to limit unnecessary ports and protocols, with network segmentation enforced across environments.
Organisation Security
(9 Controls)
An annual company-wide risk assessment and quarterly follow-ups identify, evaluate, and treat security risks.
All new vendors are assessed according to the Vendor Risk Management Policy before engagement and on an ongoing basis.
An inventory of physical and virtual assets is maintained, governed by a Configuration and Asset Management Policy.
A Security Awareness Training programme covers key information security topics for all employees on a regular basis.
SDLC training is conducted for all software engineers, covering secure coding practices and vulnerability awareness.
Roles and responsibilities for information security, availability, and confidentiality are clearly documented and assigned.
A Service Level Agreement committing to 99.9% service availability is maintained with defined monitoring and reporting.
Screening checks for new hires and internal transfers verify qualifications, references, and background suitability.
All employees acknowledge and sign a confidentiality agreement during onboarding, with annual reaffirmation.
Endpoint Security
(4 Controls)
EDR continuously monitors and responds to threats on all endpoints, providing real-time visibility into security events.
Disk encryption is enforced on all organisational devices to protect sensitive data from physical compromise.
Advanced threat and malware protection is enforced across all systems using industry-leading security tools.
Endpoint Management policies enforce strong passwords, anti-virus protection, and automatic updates on all devices.