Here’s the nitty gritty about security
FreeAgent is committed to protecting your personal and financial data using multiple layers of security. The following is a brief overview of some of the great things we do to help ensure this protection.
Staying ahead of the curve on data security
We continuously monitor for malicious activity, proactively identifying and mitigating security risks, while working hard to stay ahead of the latest threats.
Being Cyber Essentials Plus certified, we have an extra level of external, independent assurance that we’re doing the right things to help protect our systems and services. We also take a lot of care to ensure our employees are vetted and have a deep understanding of how to protect your data.
And that’s just scratching the surface. For a deeper insight on how we keep your data safe, please read on below.
Physical security
Our customers’ information is held securely in data centres located in Ireland across multiple availability zones to guard against localised, physical failure. These data centres meet the strictest security standards, including ISO 27001, 27017 and 27018 certification, and comply with the EU General Data Protection Regulation (GDPR).
Operational security
Strong encryption
All information that passes between FreeAgent and your computer (“data in use/transit”) is securely encrypted over HTTPS using TLS v1.2, according to industry standard best practice. The strongest encryption algorithms (SHA 256) afforded by your browser are prioritised.
We encrypt all information we store on your behalf (“data at rest”). This includes data in our database and any files that you upload. We enforce 256-bit AES encryption as standard.
In addition:
- We utilise state-of-the-art systems to monitor, record and alert on anomalous activity within our operational environment.
- Distributed Denial of Service (DDoS) mitigation is automatically applied by our hosting provider. Meanwhile, we employ in-built application rate limiting and alerting, which includes protection against brute force login enumeration.
- User passwords are stored in our database via a one-way cryptographic hashing function with salt (random data). Passwords are not stored in plaintext and it’s not possible to reverse engineer the stored value equivalent. Customers can enable 2-Step Verification to provide a further level of protection.
Preventing vulnerabilities
We perform continuous, automated assessment of FreeAgent’s systems to ensure that we adhere to industry-standard security best practice at all times.
All access to FreeAgent’s underlying systems and data is protected through the use of unique credentials with two-factor authentication. Everything is logged and reviewed through an immutable, centralised audit trail.
In addition:
- We run a continual patching cycle to ensure operating systems, applications and network infrastructure are kept up to date. This mitigates any exposure to vulnerabilities.
- The application runs inside a secured and hardened environment which is engineered for security to help minimise vulnerabilities according to industry-standard guidelines.
- Application penetration testing is carried out at least once a year by an external, independent CHECK/CREST certified supplier and is subject to regular automated scanning.
- We employ additional automated protection technologies within our infrastructure to identify and potentially block suspected and/or malicious and/or fraudulent behaviours.
- We operate a Responsible Disclosure program and actively encourage ethical security researchers to submit any vulnerabilities identified within FreeAgent’s infrastructure, application and business logic for triage and resolution.
Privacy
We are bound by the UK’s Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) and fully respect the rights of individuals in compliance with the EU GDPR. FreeAgent does not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement).
However, we do utilise some third parties that help provide our services. We ensure that the security measures in place at those third parties have, at the very least, the same high security standards that we employ.
People processes
Our staff are vetted prior to employment by our internal People Operations department. Checks include proof of identity, proof of right to work, proof of residency and proof of activity.
We also maintain a suite of internal information security policies, procedures and guidelines, including incident response plans, which all staff, contractors and third parties must follow. These are reviewed at least annually.
In addition:
- Customer data is accessed by FreeAgent staff on an as-needed only basis, and only when approved by the customer (i.e. as part of a support incident), or by operational staff to provide necessary support and maintenance.
- Regular audits are performed and the whole process is reviewed by management to ensure only staff with an explicit business need have access to the necessary data and systems on an ongoing basis.
- All employees must sign confidentiality agreements, attest to following FreeAgent policies and guidelines and follow an online monthly security training and awareness programme.
- Our developers are versed in the OWASP Top Ten critical web application security risks. All code must be peer reviewed and must then pass Continuous Integration automated testing, quality and security control gates before being merged and deployed through a Continuous Delivery process mechanism.
Resilience
We go to great lengths to make sure your business data is stored safely.
As well as having a highly available, fault-tolerant database underpinning the application, FreeAgent also has point-in-time recovery. Additional secured, offline daily snapshots of data are available should they ever be required.
These technical and organisational measures help ensure the confidentiality, integrity and availability of our systems and your data at all times.