Security and privacy

We take the security of our Digital Platform seriously. These are some of the practices we use to keep your information safe.

We are committed to protecting the data of our customers, which is why we have put in place a range of governance procedures to secure information across our technology delivery lifecycles.

DevSecOps

We use a variety of techniques and tools to secure the applications and systems we build from source code. These include:

  1. Source control

    We use source control systems to maintain a single authoritative copy of application code together with its complete change history.

  2. Documented processes

    We follow defined processes for the creation of new code features. Each feature is first defined as a requirement and then developed in a branch, segregated from the main application code, and merged only once it is ready for inclusion in the target application.

  3. Behaviour verification

    We use a range of test automation tools to verify the expected behaviour of application features, including unit tests, integration tests, and mock frameworks. We also carry out manual exploratory testing to catch issues that our automated Quality Assurance processes might miss.

  4. Static analysis

    We integrate source code analysis tools early in our development lifecycle, ensuring that all code follows best practices and/or defined conventions. This keeps the code of our applications comprehensible and easy to review by any member of our development teams.

    Many of these tools also detect use of potentially insecure language or framework features, and will fail build processes when detected.

  5. Documentation standards

    We ensure documentation is created to an internal standard as part of our build processes. The expected functionality of all code is properly described and required to follow standard documentation conventions. Where possible, the build fails when these standards are not met.

  6. Code reviews

    We hold team meetings to review source code, encouraging open and honest feedback. This helps develop DevSecOps awareness across our delivery teams.

  7. Build and packaging automation

    We create software artefacts for deployment using automated build, test, and packaging processes. This ensures repeatability and agility, and results in test-verified, centrally stored artefacts ready for deployment. This is a key part of an end-to-end deployment toolchain with no manual intervention points that could interfere with the deployed artefacts.

  8. Deployment automation

    We deploy applications and services from trusted artefacts using automated processes. This minimises the need for human access to target environments.

    Automated deployment processes deploy applications through a sequential set of environments as part of Quality Assurance activities. Different types of testing are carried out in these different environments.

    Where our testing processes are highly mature we practise continuous deployment.

  9. Active monitoring

    We monitor our applications through a range of tools to better understand user behaviour, detect failure, and optimise performance. Logs are reviewed daily, with alerts configured for events which may require additional investigation.

  10. Security reviews

    We conduct regular security reviews to detect new vulnerabilities either in our applications or the middleware and operating systems which support them.

  11. Updates and patches

    Systems are regularly maintained and patched, either automatically where we use managed cloud services (Platform- or Functions-as-a-Service) or through vendor update mechanisms.
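To make the static analysis gate in item 4 concrete, the following is an added example (not the page's own tooling, which the page does not name) of a build step that parses Python source, flags a small assumed set of insecure language and framework features, and returns a non-zero status so the build fails. The rule set and the sample source file are constructed for illustration; real pipelines use tools such as Bandit or Semgrep with far larger rule sets.

```python
"""Minimal static-analysis build gate (added illustration, not the page's tooling).

Walks the Python AST of each source file and fails the build (non-zero status)
when a disallowed language or framework feature is used.
"""
from __future__ import annotations

import ast
import sys
from dataclasses import dataclass
from typing import Optional

# Assumed rule set for this example: dotted call name -> reason it is banned.
BANNED_CALLS = {
    "eval": "arbitrary code execution",
    "exec": "arbitrary code execution",
    "pickle.loads": "deserialisation of untrusted data",
    "yaml.load": "unsafe YAML loader (use yaml.safe_load)",
    "os.system": "shell command injection",
}


@dataclass(frozen=True)
class Finding:
    path: str
    line: int
    call: str
    reason: str


def _call_name(node: ast.Call) -> Optional[str]:
    """Return a dotted name for the called object, e.g. 'pickle.loads', or None."""
    func = node.func
    if isinstance(func, ast.Name):
        return func.id
    if isinstance(func, ast.Attribute):
        parts = []
        while isinstance(func, ast.Attribute):
            parts.append(func.attr)
            func = func.value
        if isinstance(func, ast.Name):
            parts.append(func.id)
            return ".".join(reversed(parts))
    return None


def _shell_true(node: ast.Call) -> bool:
    """True when the call passes shell=True, i.e. the command goes through a shell."""
    return any(
        kw.arg == "shell" and isinstance(kw.value, ast.Constant) and kw.value.value is True
        for kw in node.keywords
    )


def scan_source(source: str, path: str = "<string>") -> list[Finding]:
    """Return all findings for one source file, ordered by line number."""
    findings = []
    for node in ast.walk(ast.parse(source, filename=path)):
        if not isinstance(node, ast.Call):
            continue
        name = _call_name(node)
        if name is None:
            continue
        if name in BANNED_CALLS:
            findings.append(Finding(path, node.lineno, name, BANNED_CALLS[name]))
        elif name.startswith("subprocess.") and _shell_true(node):
            findings.append(Finding(path, node.lineno, name, "shell=True enables command injection"))
    return sorted(findings, key=lambda f: (f.path, f.line))


def gate(sources: dict[str, str]) -> int:
    """Build-gate entry point: 0 when clean, 1 (fail the build) when anything is found."""
    all_findings = [f for path, src in sources.items() for f in scan_source(src, path)]
    for f in all_findings:
        print(f"{f.path}:{f.line}: {f.call}: {f.reason}", file=sys.stderr)
    return 1 if all_findings else 0


# Constructed sample input standing in for a file in the repository.
SAMPLE_SOURCE = """\
import pickle, subprocess, yaml

def load(blob):
    return pickle.loads(blob)

def run(cmd):
    subprocess.run(cmd, shell=True)

def config(text):
    return yaml.safe_load(text)
"""

if __name__ == "__main__":
    # Exit status 1 here is what makes the CI job fail.
    sys.exit(gate({"app/handlers.py": SAMPLE_SOURCE}))
```

Run against the constructed file, the gate reports the pickle.loads call on line 4 and the subprocess.run(..., shell=True) call on line 7, leaves yaml.safe_load alone, and exits non-zero so the pipeline stops before any artefact is packaged.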

The principles described above are applied to our use of third-party systems and tooling as appropriate.
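Items 7 and 8 rely on the deployment stage consuming only trusted artefacts. The following is an added example (not the page's own pipeline code) of the check that enforces that: the build stage records a SHA-256 digest of each artefact in a manifest and authenticates the manifest, and the deploy stage refuses any artefact whose digest does not match. HMAC with a pipeline-held key is used here only because it is in the Python standard library; a real pipeline would use an asymmetric signature (for example Sigstore/cosign) so the deploy stage needs no signing secret. The key, artefact bytes and file names are all constructed for illustration.

```python
"""Artefact integrity gate for automated deployment (added illustration).

build_manifest() runs in the build stage; verify_for_deploy() runs in the deploy
stage and must pass before anything is deployed.
"""
from __future__ import annotations

import hashlib
import hmac
import json

PIPELINE_KEY = b"assumed-pipeline-only-secret"  # constructed; never commit a real key


def _canonical(digests: dict[str, str]) -> bytes:
    """Stable serialisation so the MAC is independent of dict ordering."""
    return json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(artefacts: dict[str, bytes], key: bytes) -> dict:
    """Build stage: digest every artefact and authenticate the digest list."""
    digests = {name: hashlib.sha256(data).hexdigest() for name, data in artefacts.items()}
    mac = hmac.new(key, _canonical(digests), hashlib.sha256).hexdigest()
    return {"digests": digests, "mac": mac}


def verify_for_deploy(artefacts: dict[str, bytes], manifest: dict, key: bytes) -> tuple[bool, list[str]]:
    """Deploy stage: return (ok, problems). Deploy only when ok is True."""
    expected = hmac.new(key, _canonical(manifest["digests"]), hashlib.sha256).hexdigest()
    # A forged or edited manifest is rejected before any artefact is looked at.
    if not hmac.compare_digest(expected, manifest["mac"]):
        return False, ["manifest authentication failed"]
    problems = []
    for name, digest in manifest["digests"].items():
        if name not in artefacts:
            problems.append(f"{name}: missing")
        elif hashlib.sha256(artefacts[name]).hexdigest() != digest:
            problems.append(f"{name}: digest mismatch")
    for name in artefacts:
        if name not in manifest["digests"]:
            problems.append(f"{name}: not in manifest")
    return not problems, problems


# Constructed artefacts standing in for the build output.
BUILT = {"app.tar": b"app-bytes-v1", "config.yaml": b"cfg"}

if __name__ == "__main__":
    manifest = build_manifest(BUILT, PIPELINE_KEY)
    print("untouched:", verify_for_deploy(BUILT, manifest, PIPELINE_KEY))
    tampered = dict(BUILT, **{"app.tar": b"app-bytes-v1-with-backdoor"})
    print("tampered artefact:", verify_for_deploy(tampered, manifest, PIPELINE_KEY))
    forged = {"digests": dict(manifest["digests"]), "mac": manifest["mac"]}
    forged["digests"]["app.tar"] = hashlib.sha256(b"app-bytes-v1-with-backdoor").hexdigest()
    print("forged manifest:", verify_for_deploy(tampered, forged, PIPELINE_KEY))
```

The two failure cases are the ones a manual intervention between build and deploy would produce: swapping an artefact fails the digest check, and editing the manifest to match the swapped artefact fails authentication because the editor does not hold the pipeline key.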

Data

Residency

Our Digital Platform is hosted in UK data centres (both compute and storage).

Encryption

Data stored by the Digital Platform is encrypted both at rest and in transit.

Privacy

Please refer to our published Terms and Conditions or specific contract provisions for further details of how we protect your data.