Security & Compliance

We understand the importance of properly managing, controlling, and protecting our infrastructure and information. To ensure this, we have a dedicated team overseeing our comprehensive security program. This includes network and application security, identity and access management, change control, vulnerability and penetration testing, log and event monitoring, vendor risk management, physical and endpoint security, governance and compliance, HR security, disaster recovery, and many other critical measures.

Encryption

We protect data and systems using a range of technologies and methods. One key approach is encryption: all data is encrypted both in transit and at rest. In certain cases, we also provide encryption while data is in use.

Security Accreditations

Security is at the heart of everything we do. We comply with UK Government Cyber Essentials standards and operate from accredited data centres certified to ISO 27001, ISO 9001, ISO 20000-1, ISO 22301:2019, and other industry-leading standards.

Vetting & Background Checks

Everyone working with or for us undergoes thorough vetting and background checks before starting, and these checks are repeated regularly throughout our ongoing relationship.

Auditing, Logging & Alerting

We have comprehensive logging, monitoring, and alerting across our entire infrastructure, along with regular internal and external audits to ensure everything stays secure and compliant.

Security Operations Centre

Our security team works 24/7 to manage, monitor, prevent, detect, analyze, and respond to any anomalies, threats, events, or incidents across our entire infrastructure.

Stringent Governance

We maintain organization-wide documentation, policies, and procedures that guide our operations, outline best practices, and define how we respond to various situations.

Technical Security Information

Our infrastructure is safeguarded through multiple layers of security, including firewalls, intrusion detection and prevention systems (IDS/IPS), and strict access controls. We regularly conduct scans to identify and address vulnerabilities before they become issues, alongside routine penetration testing to ensure ongoing protection.

Customer data is securely stored and processed across our UK-based data centres. Access to systems and information is limited to specific, named individuals following “need to know” and zero-trust principles, with continuous monitoring and auditing to ensure compliance. All data in transit is encrypted, and customers can choose to encrypt their data at rest on top of our disk-level encryption. Our services are fully hosted, operated, and managed in-house, with all data centres independently audited to ISO 9001, ISO 27001, and Tier III+ standards.

To maintain the highest standards of information security, we adhere internally to ISO 27001 and ISO 9001 frameworks and engage reputable third-party auditors who review our security practices at least annually.

All data hosted with us, including backups, is stored on encrypted disk volumes. We believe this approach offers the right balance between confidentiality and availability.

We include DDoS protection with all our services at no extra cost, powered by the GTT Corero Smartwall platform, which offers extensive global filtering capacity. Unlike some providers, we don’t redirect traffic during an attack; instead, all incoming traffic is continuously filtered and automatically inspected 24/7/365. This allows us to mitigate attacks in under one second.

Additionally, our own cross-connects in the London Edge Data Centres and the absence of GRE tunnels guarantee consistent reliability and optimal performance with zero overhead.

For customers requiring enhanced security, we can fine-tune filtering sensitivity on a granular level whenever needed.

Since the beginning, we have collaborated closely with both internal teams and external partners to implement a stringent, multi-layered security model at all our data centre Points of Presence. Access is granted strictly on a “need-to-know” basis, ensuring that only authorised personnel can enter specific areas. Access permissions are highly restricted, with only a very limited number of individuals on pre-approved access lists for data centre campuses, buildings, plant rooms, data floors, and individual racks. All access authorisations are temporary, fully audited, and automatically expire after a short period.

Our physical security measures go beyond layered access controls. Our data centres are staffed by trained security professionals and are equipped with comprehensive video surveillance (CCTV), automatic number plate recognition (ANPR), secure perimeter fencing, biometrics, and granular access restrictions at every level.

Anyone authorised to access these facilities must go through strict security protocols, including anti-tailgating access corridors, multi-factor authentication with security badges, government-issued ID checks, clearance verification, and biometric scans, and is always accompanied by authorised personnel when required.

We ask that you, as a valued customer, and your system administrators follow strong security practices and maintain good cyber hygiene when managing access credentials for your services with us. This includes, but is not limited to, using strong passwords, implementing proper access controls and role-based access control (RBAC), and enforcing permissions and restrictions appropriately. If you become aware of any compromise to your systems, services, or account credentials, please notify our Security Operations Centre immediately by contacting our Abuse, Trust, and Safety Team.

Maintaining an up-to-date incident response plan is vital for every business and is a core part of our security and privacy management systems. Our incident response and management plan involves personnel from across the organisation, ensuring that resources are efficiently allocated and deployed when and where they are needed.

Our Incident Response & Management Policy outlines the steps for actions, escalations, mitigations, resolutions, and notifications related to any potential or actual incident that may impact the confidentiality, integrity, or availability of internal or customer information. After successfully resolving an incident, the response team conducts a lessons-learned review. For critical incidents, the incident commander may initiate a post-mortem analysis to examine the root causes, evaluate the effectiveness of the response, and identify areas for improvement.

International regulations place strong emphasis on understanding data processing, access controls, and security incident management. Our dedicated team of security and compliance professionals supports both internal and external customers in meeting their regulatory compliance and risk management obligations. We work closely with customers to understand their specific requirements and help address them effectively.

As new auditing standards emerge, our team evaluates the necessary controls, processes, and systems to maintain compliance while facilitating independent third-party audits and assessments. In some cases, we also permit customers to conduct their own audits to verify our security and compliance controls.

We adopt a strict "zero-trust" approach for all networks and devices connected to them. Access controls are rigorously enforced based on comprehensive factors including the network, device status, associated user or organisation, geographic location, and more. We treat all networks—whether internal or external—as inherently untrustworthy. This approach establishes a model of borderless compliance, where access levels are dynamically determined and enforced at the application layer. As a result, our security and compliance teams maintain consistent, robust protection and operational effectiveness, even during emergencies.

We maintain a rigorous asset management and disposal system. Utilizing various asset tags and barcodes, we meticulously track the location, status, and lifecycle of all company assets—whether located in our data centres, office spaces, or used by personnel. This tracking spans from acquisition and delivery through installation, usage, retirement, and final destruction.

Our strict chain of custody protocols ensure no equipment leaves authorised areas, such as data centres, without proper clearance. Any deviations or anomalies in this process are promptly investigated and resolved.

For data-bearing equipment, such as disk drives, retired assets undergo secure data erasure following the Department of Defense (DoD 5220.22-M) standard, which includes:

  • Pass 1: Overwrite all addressable locations with binary zeroes
  • Pass 2: Overwrite all addressable locations with binary ones
  • Pass 3: Overwrite all addressable locations with a random bit pattern
  • Final Pass: Confirmation of data deletion and drive wipe
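The pass sequence above, as an added example rather than our production tooling: each overwrite pass is hashed as it is written and confirmed by a full read-back, which is the check the final pass relies on. The in-memory image, its contents and all function names are constructed for illustration.

```python
import hashlib
import io
import os

CHUNK = 4096  # bytes per I/O call

def _write_pass(dev, size, make_chunk):
    """Overwrite all `size` bytes of dev; return SHA-256 of the data written."""
    dev.seek(0)
    digest, left = hashlib.sha256(), size
    while left:
        buf = make_chunk(min(CHUNK, left))
        dev.write(buf)
        digest.update(buf)
        left -= len(buf)
    dev.flush()
    return digest.hexdigest()

def _read_back(dev, size):
    """Re-read the whole device and return its SHA-256."""
    dev.seek(0)
    digest, left = hashlib.sha256(), size
    while left:
        buf = dev.read(min(CHUNK, left))
        if not buf:
            raise OSError("short read during verification")
        digest.update(buf)
        left -= len(buf)
    return digest.hexdigest()

def three_pass_wipe(dev, size):
    """Zeroes, ones, random; each pass is confirmed by a full read-back."""
    passes = [("zeroes", lambda n: b"\x00" * n),
              ("ones", lambda n: b"\xff" * n),
              ("random", os.urandom)]
    report = []
    for name, make_chunk in passes:
        written = _write_pass(dev, size, make_chunk)
        report.append({"pass": name, "sha256": written,
                       "verified": _read_back(dev, size) == written})
    return report

def make_sample_image(size=10_000):
    """Constructed stand-in for a retired drive: an in-memory image with old data."""
    return io.BytesIO((b"CUSTOMER-RECORD;" * (size // 16 + 1))[:size])

if __name__ == "__main__":
    image = make_sample_image()
    for row in three_pass_wipe(image, 10_000):
        print(row["pass"], row["verified"], row["sha256"][:16])
```

On a real block device the read-back would also have to bypass the operating system's page cache, and overwriting cannot reach remapped sectors or over-provisioned flash cells.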

After secure erasure, drives are either securely stored for potential reuse or acquisition, or irreversibly destroyed using certified destruction methods that guarantee no data recovery is possible. We retain certificates of destruction as proof of compliance.

We require all connections to our servers to use Transport Layer Security (TLS) and Secure Sockets Layer (SSL) encryption. This applies to all access methods, including webmail, services, and IMAP/POP/SMTP email clients. These protocols protect your communications by preventing eavesdropping, tampering, and message forgery between your device and our servers.

When you send messages to recipients outside our network, the data must travel across the open internet. Since our inception, we have ensured that all connections between our servers and receiving servers are fully encrypted whenever the receiving server supports it. This measure prevents passive eavesdropping, tampering, or forgery during message transmission.

Likewise, we have always accepted encrypted connections for mail delivery to our servers and strongly encourage all sending servers to do the same.

We include a Strict Transport Security (HSTS) header with all of our webpages. This instructs modern browsers to always connect to our site over a secure, encrypted connection—even if you access us via a bookmark, link, or by typing an unsecured URL.
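To check a Strict-Transport-Security header such as the one described above, the following added example (not code from our platform) parses the value using the RFC 6797 rules and reports conditions that weaken or void the policy. The one-year threshold and the function names are assumptions chosen for illustration.

```python
ONE_YEAR = 31_536_000  # assumption: a commonly used minimum max-age, not a value from this page

def parse_hsts(value):
    """Parse a Strict-Transport-Security value; None means a browser ignores it."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, arg = part.partition("=")
        name, arg = name.strip().lower(), arg.strip()  # directive names are case-insensitive
        if len(arg) >= 2 and arg[0] == arg[-1] == '"':
            arg = arg[1:-1]                            # max-age may be a quoted-string
        if name in directives:
            return None                                # a repeated directive voids the header
        directives[name] = arg
    age = directives.get("max-age", "")
    if not (age.isascii() and age.isdigit()):
        return None                                    # max-age is required and must be an integer
    return {"max_age": int(age),
            "include_subdomains": "includesubdomains" in directives,
            "preload": "preload" in directives}

def audit_hsts(scheme, value):
    """Return a list of findings for a header received over `scheme`."""
    findings = []
    if scheme != "https":
        findings.append("sent over plain HTTP: browsers ignore the header")
    policy = parse_hsts(value) if value else None
    if policy is None:
        return findings + ["missing or malformed: no policy is stored"]
    if policy["max_age"] == 0:
        findings.append("max-age=0 removes any stored policy")
    elif policy["max_age"] < ONE_YEAR:
        findings.append("max-age is shorter than one year")
    if not policy["include_subdomains"]:
        findings.append("includeSubDomains absent: subdomains are not covered")
    return findings

if __name__ == "__main__":
    # Constructed sample header values.
    for sample in ("max-age=63072000; includeSubDomains", "max-age=0", "includeSubDomains"):
        print(repr(sample), "->", audit_hsts("https", sample))
```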

Many security risks arise from leaving potential vulnerabilities open, such as database or SSH ports. To prevent this, we implement kernel-level firewalling that restricts connections exclusively to the services each server is intended to provide.