Following the tenets of security by design, robust data security and privacy best practices are at the heart of how Trustopia builds its digital services, secures your data and provides the highest possible resiliency.
We therefore take a top-down approach to governance and security at Trustopia. It forms part of our DNA and allows us to continuously evolve and strengthen our security posture, so that we keep pace with the changing business and technology landscape and provide the maximum level of protection for customer data.
Trustopia holds Cyber Essentials, Cyber Essentials Plus, IASME Governance and Professional Background Screening Association certifications.
Best practice design
Our services are designed in accordance with guidance and best practices from the UK National Cyber Security Centre (NCSC) and the US National Institute of Standards and Technology (NIST) to ensure that the confidentiality, integrity and availability of our systems and data are maintained at all times.
Our hosting partner is Amazon Web Services (AWS). Using AWS infrastructure puts strong safeguards in place to help protect customer privacy in highly secure data centres. More information on the security built into AWS and its compliance programmes can be found on the AWS Cloud Security webpages.
Our perimeter defences, applied within a zero-trust model, include multiple layers of firewalls and DDoS protection services to protect our infrastructure and web applications.
Virtual private cloud (VPC)
Our web services are hosted in dedicated VPCs, on network interfaces that cannot operate in promiscuous mode, and are further segmented within those VPCs for increased separation and security.
Role-based access control enforces segregation of duties, and multi-factor authentication together with end-to-end audit trails ensures that access is granted in accordance with Trustopia internal policy and best practice, which is always based on least privilege.
AES-256 encryption is used for data at rest, and TLS backed by FIPS 140-2 validated cryptographic modules protects all data in transit.
Commercial-grade malware and endpoint protection is maintained with the latest threat signatures and provides real-time scanning and protection.
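As an added illustration of how "encryption at rest and TLS in transit" is typically enforced on AWS rather than merely configured, the following S3 bucket policy denies any request that does not use TLS, any request negotiated below TLS 1.2, and any object upload that does not request KMS-backed server-side encryption (which uses AES-256). This is example code written for this page, not Trustopia's own policy; the bucket name `example-customer-data` is a placeholder and the policy assumes the bucket's default encryption is also set to SSE-KMS with a customer managed key.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DenyInsecureTransport",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-customer-data",
        "arn:aws:s3:::example-customer-data/*"
      ],
      "Condition": {
        "Bool": { "aws:SecureTransport": "false" }
      }
    },
    {
      "Sid": "DenyLegacyTlsVersions",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:*",
      "Resource": [
        "arn:aws:s3:::example-customer-data",
        "arn:aws:s3:::example-customer-data/*"
      ],
      "Condition": {
        "NumericLessThan": { "s3:TlsVersion": "1.2" }
      }
    },
    {
      "Sid": "DenyUploadsWithoutKmsEncryption",
      "Effect": "Deny",
      "Principal": "*",
      "Action": "s3:PutObject",
      "Resource": "arn:aws:s3:::example-customer-data/*",
      "Condition": {
        "StringNotEquals": { "s3:x-amz-server-side-encryption": "aws:kms" }
      }
    }
  ]
}
```

The three statements are all explicit denies, so they override any allow granted through IAM roles: a caller with full `s3:*` permissions still cannot read the bucket over plain HTTP or write an unencrypted object. The third statement is deliberately strict, in that a `PutObject` without the `x-amz-server-side-encryption: aws:kms` header is refused even though default bucket encryption would have encrypted it anyway; this forces clients to be explicit and makes the requirement visible in access logs.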
Highly resilient architecture
All components are deployed in an 'n+1' architecture across multiple availability zones, each configured in active mode behind a load balancing service.
Platform load balancing
Application traffic is automatically distributed across multiple availability zones, which supports high availability, auto scaling and robust security.
Near real-time backups are taken across multiple availability zones in encrypted and access controlled storage.
Secure product build
Product road mapping
The product road-map is defined and reviewed periodically by the product owner. Security fixes are prioritised and included in the earliest possible sprint.
Continuous code review
All changes are tested by the quality assurance team, and defined criteria govern when code reviews, web vulnerability assessments and advanced security tests are performed.
Builds are put through stringent functionality, performance, stability and UX tests before they are certified "good to go".
Segregation of duties
Access to production environments containing live personal data is restricted to a very limited set of users based on job roles and is tightly controlled and monitored.
Monitoring & audit
Performance & availability
The performance and availability of our infrastructure and services are monitored to ensure maximum uptime and correct operation of all components.
Data sources availability
We provide enterprise clients with live feed access to all Trustopia data sources and service availability.
The security posture of our infrastructure and web services is monitored for threats in real time in accordance with industry best practices.
Our infrastructure and web services undergo regular independent penetration tests, including grey-box and black-box tests, to ensure that our security defences are robust and can withstand the latest threats.
We retain real-time audit logs of all data processing activities performed by administrators, customers, employees, data subjects and our automated systems.