Access controls for customer data
Role-based access controls are enforced at each layer of infrastructure. Multi-factor authentication is required for access to Swiftaid infrastructure. All application and user access logs are stored centrally and monitored.
What information security standards do Streeva/Swiftaid follow, align to or certify against?
Our solution is currently outside the scope of PCI compliance requirements. We currently self-certify to Cyber Essentials. We are regulated by the Financial Conduct Authority, which imposes a large number of governance and cybersecurity requirements. We are in the process of adopting ISO 27001.
Where is the PII data held (geolocation and data environment) and how is it protected?
All data is held within the EU (currently Ireland and England) within Microsoft Azure. Data is encrypted at rest and in transit. We use the principle of least privilege to determine access to data. Deployment is fully automated and we use Application Insights to monitor deployments.
Who has access to the platform(s) that hold the secured PII (if not covered above)?
Access to production data is limited to the CEO and Head of Engineering, with 2FA. Data is also accessible through the support dashboard, which gives access to support staff. This is secured using HTTPS and also requires access to email (which also has enforced 2FA) to receive a login code.
If you have specific questions or concerns regarding security, please contact us at firstname.lastname@example.org