Enterprise-Grade Security

We implement multiple layers of security controls to protect your business data at every stage, from encryption to access control and from monitoring to incident response.

  • AES-256: End-to-end encryption
  • 99.5%: Uptime SLA
  • Real-time: 24/7 monitoring
  • Q1 2026: Cyber Essentials

Data Encryption

Encryption at Rest

All customer data stored in our databases and file systems is encrypted using AES-256 encryption, the industry standard for data at rest. Encryption keys are managed through a secure key management service with automatic rotation and strict access controls.

Encryption in Transit

All data transmitted between your devices and our servers is protected using TLS 1.3 (Transport Layer Security). We enforce HTTPS across all connections and have achieved an A+ rating on SSL Labs testing.

Database Encryption

  • Encrypted database volumes with enterprise-grade encryption
  • Encrypted automated backups and snapshots
  • Column-level encryption for sensitive personal data (salaries, payment details)
  • Encrypted connection strings and credentials in transit

Infrastructure Security

Cloud Hosting

Jigsol is hosted on Rackspace Technology in UK/EU data centres. The hosting environment provides:

  • Enterprise-grade cloud infrastructure with comprehensive security controls
  • Continuous backups with point-in-time recovery
  • Geographic redundancy across multiple data centres
  • Physical security with biometric access controls
  • 24/7 monitoring and surveillance
  • Redundant power, cooling, and network connectivity

Network Security

  • Virtual Private Cloud (VPC): Isolated network environment with private subnets
  • Web Application Firewall (WAF): Protection against OWASP Top 10 vulnerabilities
  • DDoS Protection: Cloudflare for distributed denial-of-service mitigation
  • Intrusion Detection: Real-time monitoring for suspicious network activity
  • IP Whitelisting: Available for enterprise customers requiring restricted access

Application Security

  • Secure software development lifecycle (SDLC)
  • Regular dependency scanning and vulnerability assessments
  • Automated security testing in CI/CD pipelines
  • Code reviews with security checklists
  • Regular penetration testing by third-party security firms

Access Control & Authentication

Multi-Factor Authentication (MFA)

MFA is required for all user accounts and can be configured using:

  • Authenticator apps (Google Authenticator, Authy, Microsoft Authenticator)
  • SMS verification (backup method)
  • Hardware security keys (FIDO2/WebAuthn compatible)

Role-Based Access Control (RBAC)

Granular permissions ensure users only access data relevant to their role:

  • Pre-defined roles (Admin, Manager, User, Read-Only)
  • Custom role creation with specific permissions
  • Department and team-based access segregation
  • Approval workflows for sensitive actions

Session Management

  • Automatic session timeout after 30 minutes of inactivity
  • Secure session tokens with HTTPOnly and Secure flags
  • Device fingerprinting to detect suspicious logins
  • Forced logout across all devices when password is changed
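The session controls listed above (a 30-minute inactivity timeout, session cookies carrying the HttpOnly and Secure flags, and forced logout on password change) can be implemented with a small server-side session store. The following Python is an added illustration written for this page, not Jigsol's own code; the store, the credential-generation counter used to invalidate sessions after a password change, and the injectable clock are assumptions made so the behaviour can be exercised offline.

```python
import secrets
import time
from http.cookies import SimpleCookie

# Inactivity limit from the policy above: 30 minutes, expressed in seconds.
IDLE_TIMEOUT_SECONDS = 30 * 60


class SessionStore:
    """Server-side session store (hypothetical; written for this example).

    Sessions are keyed by an unguessable random token. Each session records
    the owning user, the time it was last used, and the user's "credential
    generation" at creation time. Changing the password bumps the generation,
    which invalidates every session issued before the change.
    """

    def __init__(self, clock=time.time):
        self.clock = clock            # injectable so tests can advance time
        self.sessions = {}            # token -> {"user", "last_seen", "generation"}
        self.generation = {}          # user -> int, incremented on password change

    def create(self, user):
        """Issue a new session token for an authenticated user."""
        token = secrets.token_urlsafe(32)   # 256 bits of randomness
        self.sessions[token] = {
            "user": user,
            "last_seen": self.clock(),
            "generation": self.generation.get(user, 0),
        }
        return token

    def resolve(self, token):
        """Return the user for a valid session, or None.

        Sessions idle longer than IDLE_TIMEOUT_SECONDS, or issued before the
        user's most recent password change, are deleted and treated as absent.
        """
        session = self.sessions.get(token)
        if session is None:
            return None
        now = self.clock()
        if now - session["last_seen"] > IDLE_TIMEOUT_SECONDS:
            del self.sessions[token]
            return None
        if session["generation"] != self.generation.get(session["user"], 0):
            del self.sessions[token]
            return None
        session["last_seen"] = now      # sliding inactivity window
        return session["user"]

    def password_changed(self, user):
        """Force logout on every device by invalidating all existing sessions."""
        self.generation[user] = self.generation.get(user, 0) + 1


def session_cookie_header(token):
    """Build the Set-Cookie value for a session token with hardened flags.

    HttpOnly keeps the token away from page scripts, Secure restricts it to
    HTTPS, and SameSite=Lax limits cross-site sending of the cookie.
    """
    cookie = SimpleCookie()
    cookie["session"] = token
    cookie["session"]["httponly"] = True
    cookie["session"]["secure"] = True
    cookie["session"]["samesite"] = "Lax"
    cookie["session"]["path"] = "/"
    return cookie.output(header="").strip()


if __name__ == "__main__":
    store = SessionStore()
    tok = store.create("alice")
    print(session_cookie_header(tok))
    print("resolves to:", store.resolve(tok))
    store.password_changed("alice")
    print("after password change:", store.resolve(tok))
```

The `generation` counter is the piece that makes "forced logout across all devices" cheap: nothing has to enumerate a user's sessions, because every session carries the generation it was issued under and is rejected the next time it is presented.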

Password Requirements

  • Minimum 12 characters with complexity requirements
  • bcrypt hashing with unique salts per user
  • Prevention of password reuse (last 5 passwords)
  • Breach detection using HaveIBeenPwned database
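To show how the password requirements above fit together at registration or password-change time, here is an added Python example written for this page (it is not Jigsol's code). Two assumptions are worth stating: it uses PBKDF2-HMAC-SHA256 from the standard library as a stand-in for bcrypt so that it runs without the third-party `bcrypt` package, and the HaveIBeenPwned range lookup is simulated with a constructed in-memory responder that follows the real k-anonymity shape (send the first five hex characters of the SHA-1, receive `SUFFIX:COUNT` lines) without touching the network.

```python
import hashlib
import hmac
import os
import re

MIN_LENGTH = 12          # policy above: minimum 12 characters
HISTORY_DEPTH = 5        # policy above: last 5 passwords may not be reused
PBKDF2_ITERATIONS = 100_000   # kept low for the demo; raise for production use


def check_complexity(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = {
        "lowercase": r"[a-z]",
        "uppercase": r"[A-Z]",
        "digit": r"[0-9]",
        "symbol": r"[^A-Za-z0-9]",
    }
    missing = [name for name, pattern in classes.items() if not re.search(pattern, password)]
    if missing:
        problems.append("missing character classes: " + ", ".join(missing))
    return problems


def hash_password(password, salt=None):
    """Salted slow hash (PBKDF2 stand-in for bcrypt); the unique salt is stored with the digest."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"{salt.hex()}${digest.hex()}"


def verify_password(password, stored):
    """Constant-time comparison of a candidate password against a stored hash."""
    salt_hex, digest_hex = stored.split("$", 1)
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ITERATIONS
    )
    return hmac.compare_digest(candidate.hex(), digest_hex)


def reused_recently(password, history):
    """True if the candidate matches any of the user's last HISTORY_DEPTH hashes."""
    return any(verify_password(password, old) for old in history[-HISTORY_DEPTH:])


def hibp_split(password):
    """Split the SHA-1 of the password into the 5-char prefix sent to HIBP and the suffix kept local."""
    sha1 = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return sha1[:5], sha1[5:]


def breached_count(password, fetch_range):
    """Look up the password in a HIBP-style range response; returns the breach count (0 if absent).

    fetch_range(prefix) must return the text body of a range query: one
    'SUFFIX:COUNT' line per known hash sharing that prefix.
    """
    prefix, suffix = hibp_split(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate and hmac.compare_digest(candidate, suffix):
            return int(count)
    return 0


# Constructed stand-in for the HIBP range API (not real breach data).
_FAKE_BREACHED = {"password": 3861493, "letmein": 250000}


def fake_fetch_range(prefix):
    """Answer a range query from the constructed corpus, in the real API's line format."""
    lines = []
    for pw, count in _FAKE_BREACHED.items():
        pw_prefix, pw_suffix = hibp_split(pw)
        if pw_prefix == prefix:
            lines.append(f"{pw_suffix}:{count}")
    return "\n".join(lines)


def evaluate_new_password(password, history, fetch_range=fake_fetch_range):
    """Apply all four requirements; returns the list of reasons for rejection (empty = accepted)."""
    reasons = check_complexity(password)
    if reused_recently(password, history):
        reasons.append(f"matches one of the last {HISTORY_DEPTH} passwords")
    count = breached_count(password, fetch_range)
    if count:
        reasons.append(f"seen in known breaches {count} times")
    return reasons


if __name__ == "__main__":
    history = [hash_password("Old-Passw0rd-One")]
    for candidate in ["password", "Old-Passw0rd-One", "Correct-Horse-Battery-9"]:
        print(candidate, "->", evaluate_new_password(candidate, history) or "accepted")
```

The breach check never sends the password or its full hash anywhere: only the five-character prefix leaves the server, and the suffix comparison happens locally, which is what makes the HaveIBeenPwned range API usable for this purpose.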

Data Protection & Privacy

Data Residency

Customer data is stored in UK and EU data centres to ensure compliance with UK GDPR and data sovereignty requirements. Data does not leave the UK/EU unless explicitly authorized by the customer.

Data Backups

  • Continuous Backups: Automated backups of all live data running continuously
  • Point-in-Time Recovery: Ability to restore data to any point in time
  • Geo-Redundant Storage: Backups replicated across multiple UK/EU data centres
  • Encrypted Backups: All backups encrypted using AES-256
  • Disaster Recovery: Tested recovery procedures with defined RTOs and RPOs

Data Deletion

Upon account termination or customer request:

  • 30-day grace period for data export and recovery
  • Secure deletion using DoD 5220.22-M standards
  • Backup purging within 90 days
  • Deletion confirmation provided upon request

Monitoring & Incident Response

24/7 Security Monitoring

  • Real-time log aggregation and analysis
  • Automated alerting for security anomalies
  • Failed login attempt monitoring and account lockout
  • Unusual access pattern detection
  • Regular security audits and compliance reviews

Incident Response Plan

We maintain a comprehensive incident response plan including:

  • Detection: Automated monitoring and threat intelligence
  • Containment: Immediate isolation of affected systems
  • Investigation: Forensic analysis to determine root cause
  • Remediation: Patches, configuration changes, access revocation
  • Notification: Customer communication within 72 hours (GDPR requirement)
  • Post-Incident Review: Lessons learned and security improvements

Vulnerability Management

  • Monthly vulnerability scanning using automated tools
  • Regular penetration testing by certified security professionals
  • Bug bounty program (coming soon)
  • Responsible disclosure policy for security researchers

Compliance & Certifications

Current Compliance

  • UK GDPR: Full compliance with UK data protection regulations
  • ICO Registered: Data Protection Act 2018 registration

In Progress

  • Cyber Essentials (Q1 2026): UK government-backed scheme demonstrating fundamental cybersecurity controls including firewalls, secure configuration, user access control, malware protection, and security update management
  • Cyber Essentials Plus (Q1 2026): Enhanced certification with hands-on technical verification through vulnerability scanning and configuration reviews by an independent certification body
  • ISO 27001 (Q4 2026): International standard for Information Security Management Systems (ISMS), demonstrating systematic approach to managing sensitive company and customer information

Industry Standards

We follow security best practices from:

  • OWASP (Open Web Application Security Project)
  • NIST Cybersecurity Framework
  • CIS (Center for Internet Security) Controls
  • NCSC (National Cyber Security Centre) guidance

Employee Access & Training

Internal Security

  • Background checks for all employees with data access
  • Mandatory security awareness training (quarterly)
  • Confidentiality and non-disclosure agreements
  • Principle of least privilege for internal systems
  • Audit logging of all administrative actions

Customer Data Access

Employee access to customer data is:

  • Limited to support and engineering teams with legitimate need
  • Subject to approval workflows and logging
  • Time-limited and automatically revoked after use
  • Monitored and audited for compliance

Third-Party Security

Vendor Risk Management

All third-party service providers are vetted for security compliance. Key vendors include:

  • Rackspace Technology: Cloud infrastructure and hosting
  • Stripe: Payment processing (PCI DSS Level 1)
  • GoCardless: Open Banking and Direct Debit payments (FCA Authorised)
  • Cloudflare: CDN and DDoS protection

Data Processing Agreements

We maintain Data Processing Agreements (DPAs) with all sub-processors handling customer data, ensuring GDPR compliance throughout the supply chain.

Reporting Security Issues

If you discover a security vulnerability, please report it responsibly to:

Security Team

Email: security@jigsol.ai

PGP Key: Available upon request

We commit to:

  • Acknowledging receipt within 24 hours
  • Providing regular updates on remediation progress
  • Crediting researchers in security advisories (with permission)
  • Not pursuing legal action against good-faith security researchers

Security Documentation

For detailed security documentation, compliance reports, or to request a Security Questionnaire response, contact:

Contact Information

Company Name: JIGSOL APPLIED INTELLIGENCE LIMITED

Company Number: 15132952

Registered Office: Athene House, Suite Q, 86 The Broadway, London, NW7 3TD, United Kingdom

Incorporation Date: 12 September 2023