Security Overview
Last updated: July 2026 (v23.0)
Infrastructure and data
Swiip is hosted on Amazon Web Services in the EU (London) region, inheriting AWS physical and environmental controls. Customer data is encrypted in transit (TLS 1.2+) and at rest, with logical separation between tenants and between production and non-production environments.
Access and people
Access is least-privilege and role-based, protected by multi-factor authentication, reviewed on joiner-mover-leaver events and periodically. Staff and contractors are under confidentiality obligations, vetted proportionately to role, and complete security and privacy training.
Development and operations
Changes flow through a secure development lifecycle: code review, automated tests, dependency and vulnerability scanning in CI/CD, and controlled deployment. Systems are hardened and patched on a defined cadence; independent penetration testing is performed periodically on a defined schedule.
Resilience
Automated backups run continuously or daily by data class, with periodic restore testing; disaster-recovery arrangements define recovery time and point objectives per service tier. Availability commitments are in the SLA.
Detection and response
Centralised logging, monitoring and alerting cover infrastructure and application layers. A documented incident-response process defines roles, severity, escalation and communications; personal-data breaches are notified per the DPA (without undue delay and within 72 hours of awareness to affected controllers).
Compliance posture
We are working towards Cyber Essentials certification (this is in progress) and align our programme to the principles of ISO/IEC 27001. We do not currently hold any security certification, and we will list one here only once it has been achieved. Our full internal programme is summarised in the Information and Cyber Security Policy. Vulnerability reports: see the Vulnerability Disclosure Policy and /.well-known/security.txt. Security questionnaires: [email protected].