A digital agency built on thinking, for the global financial services industry.

The less we can access, the better.

Passwords never sit in plain text; we don't share them unencrypted in emails, Slack or any other channel. Our client passwords live securely in our self-hosted password vault, encrypted end-to-end and only reachable from inside our network.

When data has to move between systems or out to a client, it goes over an encrypted channel: SFTP, SSH, HTTPS, or AES-256 7z archives where nothing else is available. Sensitive credentials are sent through our own open-source one-time-password tool and are never pasted anywhere in plain text.

We're registered under the GDPR as both a Data Controller and a Data Processor in Guernsey and the UK. If you ever need to know what we hold on you, change it, or delete it, we'll act within a week, either responding ourselves or escalating the request to our client. We have to by law, but we'd do it anyway.

Encryption everywhere

Every workstation runs full-disk encryption. Servers we manage transfer data over encrypted connections only, and traffic to and from any site we host is forced over HTTPS. When hardware is decommissioned, it's either physically destroyed or wiped with multiple full-disk passes.

Multi-factor by default

Everything we create has built-in multi-factor authentication: TOTP, SMS or integration with MS365/Google SSO. In this day and age, a web application without MFA is not secure.

Trained, not assumed

Humans are by far the most common source of data breaches. Our team is trained on IT security and data protection at induction and refreshed annually at a minimum.

If data needs to move, it moves securely. If it needs to be stored, access is restricted. We make no exceptions when it comes to data security.

Case studies where data management is paramount