We take security seriously

We apply Enterprise grade security practices throughout our technology infrastructure and business processes.


SSL / TLS 1.3

ISO 27001

SOC2 attestation

Cyber Essentials+

GDPR Compliant

Secure data encryption

We use 256-bit encryption for all data in transit. All connections are protected using TLS 1.3 with AES 256-bit symmetric encryption and 2048-bit authenticated key agreement.

Data is also encrypted at rest in the same way, and we rotate volume keys on a regular basis using a key management system, so your data is never stored in plain text.

We regularly test our network and verify our supported cipher suites with external audits, the results of which are publicly available.


Access control

We allow clients to control access to their workflow with advanced user role-based permissions.

Clients are able to match permissions to job functions based on the Principle of Least Privilege (PoLP), following best practice for high-value data and assets.

All user passwords are also salted with a separate per-user salt and hashed with bcrypt, and we enforce minimum requirements for password length and complexity.
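The password handling described above (a per-user salt, a deliberately slow password hash, and an enforced length and complexity policy) can be demonstrated in a few dozen lines. The following is an added example and not InsiderList's code: the page names bcrypt, but this block uses hashlib.scrypt from the Python standard library as a stand-in so it runs without third-party packages; the policy thresholds and scrypt cost parameters are assumptions.

```python
"""Per-user salted password hashing with a slow KDF and a length/complexity policy.

Added example, not InsiderList's code. scrypt (stdlib) stands in for bcrypt;
the thresholds and cost parameters below are assumptions, not the site's values.
"""
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12            # assumed policy minimum
CHARACTER_CLASSES = [r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"]
MIN_CLASSES = 3            # assumed: at least three of the four classes

# Assumed scrypt cost parameters. Memory use is 128 * N * R bytes (16 MiB here),
# which keeps each verification slow for an attacker but cheap for one login.
N, R, P = 2 ** 14, 8, 1
DKLEN = 32


def check_policy(password: str) -> list:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for pattern in CHARACTER_CLASSES if re.search(pattern, password))
    if classes < MIN_CLASSES:
        problems.append(f"uses {classes} of the {MIN_CLASSES} required character classes")
    return problems


def hash_password(password: str) -> str:
    """Enforce the policy, then hash with a fresh random salt.

    The salt and cost parameters are stored alongside the digest so that
    they can be raised later without invalidating existing records.
    """
    violations = check_policy(password)
    if violations:
        raise ValueError("; ".join(violations))
    salt = os.urandom(16)  # separate salt per password, never reused
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt, n=N, r=R, p=P, dklen=DKLEN)
    return f"scrypt${N}${R}${P}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and parameters; compare in constant time."""
    try:
        scheme, n, r, p, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False  # malformed record
    if scheme != "scrypt":
        return False
    digest = hashlib.scrypt(
        password.encode("utf-8"),
        salt=bytes.fromhex(salt_hex),
        n=int(n), r=int(r), p=int(p), dklen=DKLEN,
    )
    # hmac.compare_digest avoids leaking where the digests first differ
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("Correct-Horse-9")   # constructed sample password
    print(record)
    print(verify_password("Correct-Horse-9", record), verify_password("Correct-Horse-8", record))
```

Because the salt is generated per password and stored with the digest, two users who choose the same password get different records, and a stolen table cannot be attacked with a single precomputed dictionary. Swapping scrypt for bcrypt changes only the two hashlib calls and the record format.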

Industry leading certification

We only use AWS data centres, which are ISO 27001 certified, provide Service Organization Control (SOC) 2 reports, and hold multiple other industry-standard certifications.

AWS security measures include data segmentation, firewalls, intrusion detection, electronic key cards, pin codes, biometric hand scans, and on-site security officers 24 hours a day, 365 days a year.

All our systems, processes, and controls have Cyber Essentials Certification, backed by the National Cyber Security Centre.


GDPR compliance

All our systems and processes are GDPR compliant, in accordance with our privacy agreement.

We also offer best-in-class data processing agreements for all clients, and have back-to-back DPAs with all our suppliers, ensuring complete compliance with both UK and EU MAR across the supply chain.

Application Security

InsiderList is designed with security first. We operate a comprehensive Information Security Management System (ISMS) that holds us to first-class industry standards.

Development best practice

All the code produced for our core services adheres to OWASP guidelines and recommendations, preventing common security issues such as cross-site scripting (XSS) and SQL injection.

Change management

Every code change is signed, tracked in a version control system and covered by a change management policy that requires code review by a maintainer. Likewise, publishing rights are limited to a small group of maintainers.

Vulnerability Scanning

We scan for vulnerabilities and actively monitor for new threats, using static code analysis tools and software dependency scanners to detect issues and vulnerabilities.

Logging and Monitoring

All of our services are actively monitored and logged. An intrusion detection system (IDS) is used to detect and notify us of unauthorized server access. We review alerts from these systems as well as application logs on a regular basis to look for unusual or suspicious activity.

Business Continuity and Disaster Recovery

InsiderList was designed with disaster recovery in mind. Our infrastructure and data are distributed across multiple availability zones and will continue to function if any one of those data centres fails.

Incident Response

We have a procedure in place for dealing with information security incidents that includes escalation procedures, rapid mitigation, and communication.

Organisational security

We are dedicated to improving our security through continuous review.

Penetration testing

We perform an independent third-party penetration test annually to ensure that the security of our services is uncompromised.

24/7 monitoring

We continuously monitor our security and compliance status to ensure there are no lapses.

Roles & responsibilities

We provision all roles and responsibilities on the principle of least privilege, ensuring individuals are only given the access required to complete specific tasks.

Information security

Our information security program is a core part of our operations and follows criteria set forth by ISO 27001 and SOC 2.

Security awareness training

Our team members are required to go through employee security awareness training covering industry standard practices and information security topics such as phishing and password management.

Third-party audits

Our organization undergoes independent third-party assessments to test our security controls, which are available on request.

Responsible disclosure policy

We continuously monitor our systems to improve performance and security. If you have found a vulnerability in our systems or service, we want to hear from you.


Download our Security Whitepaper

Please download our security documentation if you want more information about our security or want to share it with others.
