Security is essential to everything we do. We've built security into our products from the ground up to make them secure by design. Below, we outline how we protect customers' data.
If you have specific questions or concerns regarding security, please contact us at info@swiftaid.co.uk.
Our solution is currently outside the scope of PCI compliance requirements. We currently self-certify to Cyber Essentials. We are certified to the top international standard for Information Security (ISO 27001) and Business Continuity (ISO 22301).
All data is held within the UK and EU in Microsoft Azure, AWS and Google. Data is encrypted at rest and in transit. We use the principle of least privilege to determine access to data. Deployment is fully automated, and we use Application Insights to monitor deployments.
We follow a strict data classification policy that categorises data based on its sensitivity and importance. This helps us implement appropriate access control measures, ensuring that only authorised personnel have access to specific data according to their roles and responsibilities.
Our organisation adheres to documented data handling and storage procedures, which dictate how data should be collected, processed, stored, and disposed of. These procedures are designed to maintain the confidentiality, integrity, and availability of the data, ensuring it is used solely for its intended purpose.
We conduct regular internal and external audits to verify our compliance with ISO 27001 and ISO 22301 standards.
Our employees receive regular training and awareness sessions on best practices for information security and business continuity.
We have a robust incident management and response plan in place to address any potential security breaches or incidents. This includes predefined procedures to identify, assess, respond to, and learn from any incidents should they arise.
Access to shared facilities is facilitated through secure and encrypted connections to our cloud infrastructure, ensuring that only authorised personnel have access to data and applications. This is managed in accordance with our data handling policies and access control procedures.
Backup and storage of data are also managed within the EU region of our cloud service providers (Microsoft Azure, Google Cloud Platform, and AWS). This ensures that data redundancy and recovery capabilities are in place to maintain business continuity and compliance with data protection regulations. Additionally, we implement a comprehensive data backup and recovery plan, which includes regular snapshots and off-site storage to ensure data durability and recoverability in the event of an incident.
Our personnel access data locally for pre-checking and processing purposes. This access is facilitated through secure connections, with data encrypted during transit and at rest. Moreover, we follow strict policies and procedures to ensure data confidentiality and integrity while allowing local access for our staff.
Swiftaid does not subcontract provided services, but we do use third-party providers for cloud and SaaS (Software as a Service) services. Third parties are not authorised to access any information but are involved in the transfer, storage and processing of customer data.
We perform background checks on all our employees, and they are not given access to our systems until this check is complete and they have signed the contract, which includes a confidentiality clause.
We utilise secure data collection methods, such as secure APIs and encrypted forms, to ensure the confidentiality and integrity of data from the point of entry. We adhere to the principle of data minimisation, collecting only the necessary information needed to fulfil the intended purpose, reducing the risk of exposure.
Our data processing activities are guided by documented policies and procedures that ensure data is handled in a secure and compliant manner. Access to data during processing is restricted to authorised personnel only, based on their roles and responsibilities. We use encryption and other security measures to protect data during processing, ensuring its confidentiality and integrity.
To protect data in transit, we employ industry-standard encryption technologies such as SSL/TLS for communication over public networks. Data transmitted within our organisation is also encrypted and transmitted via secure channels to minimise the risk of unauthorised access or interception.
We store data on secure servers located within controlled access facilities, which are monitored and protected by physical and environmental security measures. Data at rest is encrypted using strong encryption algorithms to protect from unauthorised access. We implement access controls and monitoring to track and limit access to data storage systems, ensuring that only authorised personnel can access stored data.
Access to our service is provided through secure and encrypted connections, ensuring data confidentiality and integrity during transmission. We employ a combination of username/password and two-factor authentication (2FA) to provide a secure and reliable authentication mechanism.
Access to our service is granted based on the principle of least privilege, ensuring that users have the minimum level of access required to perform their tasks. Access requests are reviewed and approved by designated personnel, such as team leads or managers, who are responsible for ensuring that access is granted in line with established policies and procedures.
Our service utilises role-based access controls to manage user permissions based on their roles and responsibilities within the organisation. This approach enables us to define granular access rights and permissions, ensuring that users have the appropriate level of access to resources and data.
We enforce strong password policies that require users to create complex and unique passwords. These policies mandate a minimum length, and recommend both the use of password management software and that passwords be generated through the software or using the 'three-word' process as suggested by NCSC. Two-Factor Authentication (2FA) is used to authenticate our internal services.
Admins and SuperUsers are subject to stringent access controls and monitoring to ensure the security of our service. Their activities are regularly reviewed and audited to detect any potential misuse or security concerns. Access to sensitive operations and data is limited to only those individuals who require it to perform their duties, and such access is closely monitored and logged.
Ensuring the reliability and availability of our service is a top priority for our organisation, as demonstrated through our ISO 22301 certification. We have robust incident response plans and comprehensive business continuity and disaster recovery arrangements, including clearly defined recovery time objectives and recovery point objectives. We review and monitor our own security measures and those of our suppliers on a regular basis. All of these processes are tested as part of our BCP exercises.