Your data is in safe hands

We keep your data in a nuclear bunker. No, really.


Here's the nitty-gritty about security:

Physical Security

  • ISO 27001 Certified - The data centres we use are ISO 27001 certified and are some of the most secure facilities in the UK. Locations are geographically separated and protected from physical and logical attack as well as from natural disaster.
  • 7x24x365 Security - The data centres that host our services are manned seven days a week, 24 hours a day, each and every day of the year.
  • Video Monitoring - Each data centre is monitored 7x24x365 using High Definition CCTV with imagery retained for a minimum of 6 months.
  • Controlled Entrance - Access to the data centres is tightly restricted to a small group of pre-authorised individuals.
  • Two-Factor Authentication - Two forms of authentication must be used together at the same time to enter one of our data centres.
  • Dedicated - All equipment is housed in dedicated, locked racks and solely used by FreeAgent for the purpose of providing our solution. We own and manage the physical equipment ourselves.

Operational Security

  • Secure Communication - All data transmitted to FreeAgent services is encrypted over HTTPS using TLS with minimum 128-bit keys and SHA256 certificates, ensuring that our users have a secure connection from their browsers to our service. We use the latest, strong ciphers for encryption, message authentication and key exchange. Known weak and vulnerable ciphers are explicitly disabled, and the protocol configuration is reviewed regularly.
  • IDS - Our network is gated and screened by industry standard Intrusion Detection Systems technologies.
  • DDoS - Distributed Denial of Service mitigation technologies are applied by our network provider, while we employ in-built application rate limiting and alerting, which includes protection against brute force login enumeration.
  • Access Control and Audit - All access to FreeAgent networks and data is controlled, logged and reviewed through the use of an immutable, centralised audit trail. Unique credentials and two-factor authentication mechanisms are enabled.
  • Passwords - User passwords are stored in our database via a salted, one-way cryptographic hashing function. This means that passwords are not stored in plaintext and it is infeasible to recover the original password from the stored value. Customers can enable 2-Step Verification to make their accounts even more secure.
  • Secured / Hardened - The application runs inside a secured and hardened environment, engineered according to industry-standard guidelines to minimise vulnerabilities.
  • Virus Scanning - Traffic coming into the FreeAgent network is automatically scanned for harmful viruses using state-of-the-art virus scanning technology which is updated daily.
  • Penetration Testing - The application is penetration tested, at least annually, by an independent, external CHECK certified supplier and daily using automated scanning technologies.
  • Infrastructure Vulnerability Assessment - We perform daily automated infrastructure vulnerability assessments, conformant to PCI standards, through an Approved Scanning Vendor technology.
  • Patch Management - We run a continual patching cycle to ensure that all operating systems, applications and network infrastructure are kept up to date, within agreed timeframes, to mitigate exposure to vulnerabilities.
  • Vendor Selection - FreeAgent do not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement). However, we do utilise some third party services to help provide our services, in which case we ensure that the security measures in place at those third parties meet, at the very least, the same high security standards we employ ourselves.
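The two application-level mechanisms described above, salted one-way password hashing and throttling of brute-force login attempts, shown together in an added Python example. This is illustrative code written for this page, not FreeAgent's implementation: the KDF parameters, failure thresholds, window length, usernames and the IP address are all assumed values.

```python
import hashlib
import hmac
import os
import time
from collections import defaultdict, deque
from typing import Optional

# Assumed parameters (not FreeAgent's configuration): tune the iteration count
# so that one hash costs a noticeable fraction of a second on your hardware.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16
MAX_FAILURES = 5          # failed attempts tolerated per (username, ip) ...
WINDOW_SECONDS = 300      # ... within this sliding window


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per password means two users with the same password
    get different stored values, and precomputed tables are useless."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_hex, hash_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, bytes.fromhex(hash_hex))


# Hash of a throwaway value, used so that a login for an unknown username
# costs the same time as one for a real user (limits username enumeration).
_DUMMY_HASH = hash_password("not-a-real-password")


class LoginService:
    """Minimal in-memory login backend with per-(user, ip) brute-force throttling."""

    def __init__(self, clock=time.monotonic):
        self._users = {}                    # username -> stored hash string
        self._failures = defaultdict(deque)  # (username, ip) -> failure timestamps
        self._clock = clock                 # injectable for deterministic tests

    def register(self, username: str, password: str) -> None:
        self._users[username] = hash_password(password)

    def _recent_failures(self, key, now):
        q = self._failures[key]
        while q and now - q[0] > WINDOW_SECONDS:
            q.popleft()                     # drop failures outside the window
        return q

    def is_locked(self, username: str, ip: str) -> bool:
        return len(self._recent_failures((username, ip), self._clock())) >= MAX_FAILURES

    def login(self, username: str, password: str, ip: str) -> str:
        """Return 'ok', 'denied' or 'throttled'."""
        now = self._clock()
        key = (username, ip)
        failures = self._recent_failures(key, now)
        if len(failures) >= MAX_FAILURES:
            # Refuse without touching the hash; a real service would also
            # raise an alert here, as the page describes.
            return "throttled"
        stored = self._users.get(username)
        if stored is None:
            verify_password(password, _DUMMY_HASH)  # burn the same time, then deny
            ok = False
        else:
            ok = verify_password(password, stored)
        if ok:
            failures.clear()
            return "ok"
        failures.append(now)
        return "denied"


if __name__ == "__main__":
    svc = LoginService()
    svc.register("alice", "correct horse battery staple")   # constructed user
    print(svc.login("alice", "wrong guess", "203.0.113.5"))  # denied
    print(svc.login("alice", "correct horse battery staple", "203.0.113.5"))  # ok
```

The throttle is keyed on username and source address together so that a single attacker cannot lock out a legitimate user from elsewhere, while repeated guesses against one account from one source are cut off after MAX_FAILURES within the window; the dummy verification for unknown usernames keeps response times uniform.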

People Processes

  • Information Security Policy - We maintain a suite of internal information security policies, procedures and guidelines, including incident response plans, which all staff, contractors and third parties must follow. We review these at least annually.
  • Employee Screening - All FreeAgent staff are vetted prior to employment by our internal PeopleOps department. Checks currently undertaken include Proof of Identity; Proof of Right to Work; Proof of Residency; Proof of Activity.
  • Select Employees - Only employees with the necessary rights and roles have pre-authorised access to our data centre facilities and underlying data. Employee access is unique, logged and uses strong password policies managed through an enterprise password manager, coupled with two-factor authentication, where appropriate.
  • As-Needed Basis - Accessing customer data is done on an as-needed only basis, and only when approved by the customer (i.e. as part of a support incident), or by operational staff to provide necessary support and maintenance.
  • Access Review Audit - Regular audits are performed and the whole process is reviewed by management to ensure only the right people have the right access to necessary data and systems on an ongoing basis.
  • Privacy, Security & Awareness - All employees must sign confidentiality agreements as part of employment contracts, attest to following FreeAgent policies and guidelines and follow an online, monthly Security Training and Awareness program.
  • Coding Practices - All our developers are versed in the OWASP Top Ten critical web application security risks. All code must first be peer-reviewed and pass Continuous Integration automated testing, quality and security control gates before being merged and deployed through a Continuous Delivery process.

Resilience

  • Equipment Redundancy - FreeAgent utilises ZFS to protect against data corruption on disk, while all system components are configured for high/continuous availability as a core requirement. Additionally, a fully available disaster recovery environment is online at all times to cover the potential risk of a total loss of the primary facility.
  • Data Replication - Data is replicated in real-time to a separate geographic location for Disaster Recovery and Business Continuity purposes. Our DR process is fully tested on a quarterly basis with a full switch from our primary to secondary data processing facility.
  • Data Protection & Backup - Data is backed-up, encrypted and held offsite according to defined retention policies, helping further protect data in the event of hardware failure, disaster, loss or corruption.
  • Power Redundancy - FreeAgent configures its servers for power redundancy – from power supply to power delivery. Power is supplied in a 2N configuration with in-line UPS.
  • Internet Redundancy - Internet connectivity is provided through multiple Tier-1 ISPs. So if one fails or experiences a delay, you can still reliably get to your application and information.
  • Redundant Network Devices - FreeAgent runs on redundant network devices (switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
  • Redundant Cooling and Temperature - Computing resources generate a lot of heat, and thus need to be cooled to guarantee smooth operation. FreeAgent servers are backed by N+1 redundant HVAC systems and temperature control systems.
  • Fire Prevention - The FreeAgent data centres are guarded by industry-standard fire prevention and control systems.
