Wagestream Trust Centre
At Wagestream we take the security, privacy and welfare of your data incredibly seriously. Our Trust Centre is designed to give you an overview of the controls and measures we have in place to safeguard your data.
- We are ISO27001 certified by BSI Group.
SOC2 Type 1 (SOC2 Type 2 Due Q4)
- We are registered with the ICO under the UK Data Protection Act (ZA421647).
- We are Cyber Essentials Plus certified (IASME-CEP-001478).
- All staff complete tailored GDPR and cyber awareness training, refreshed on an annual basis.
- DBS checks, and adverse financial checks are performed.
- Annual application network and penetration tests performed by an independent third party service that is CREST approved.
- Automated Threat Detection within our network is enabled (Guard Duty).
- Web Application Firewall and DDoS protection available.
- Disaster recovery plan for our core services tested annually.
Security Best Practices
- All user passwords are salted and hashed with the script key derivation function.
- All sensitive banking data (i.e., bank account) is further encrypted via AES-256.
- 2FA is active, and SSO is used to cascade access across multiple services where possible.
Transfer of Data
- Using Bank-Grade encryption, all data is encrypted-in-transit and transferred to us protected by HTTPS (TLS >= 1.2) or SFTP with 2048-bit RSA key pairs, up to 4096-bit.
Storage of Data
- We use industry standard encryption to store data, encrypted at rest, using AES-256.
- UK & EU customer data is stored within the AWS London (eu-west-2) data centre.
- US customer is stored within the AWS North Virginia (us-west-1) data centre.
- Our hosting is readily compliant with ISO2001, SOC-1,2,3 PCI-DSS L1 and more.
- Backup retention is 35 days.
- Physical and electronic material is destroyed using a company that is a member of i-SIGMA (International Secure Information Governance & Management Association).
- Devices managed by Microsoft Intune.
- Endpoint security, next generation antivirus and malware protection via Crowdstrike Complete on all devices.
- Multiple DLP strategies via CrowdStrike and Google Vault.
- Active monitoring for outflow of data via USB~ peripherals.
- Any access to customer data for support reasons is limited to a need-to-know basis, only via VPN, access is fully auditable.
- Wagestream utilises one of the top 10 Enterprise Mobility Management (EMM) tools to ensures that patching of our operating systems and 3rd party software is automated.
- Autorun is disabled on Windows devices.
- We have an up-to-date asset register.
- Automatic o/s and 3rd party updates enabled.