Data is encrypted over HTTPS using Transport Layer Security (TLS v1.2) protocols with minimum 128-bit keys and using SHA256 certificates, meaning that our users always have a secure connection from their browsers to our service.
We use the latest, strong ciphers for encryption, message authentication and key exchange. We explicitly disable known weak and vulnerable ciphers, and carry out regular protocol reviews.
- Our networks are gated and screened by Intrusion Detection Systems (IDS) technologies.
- Distributed Denial of Service (DDoS) mitigation technologies are applied by our network provider. Meanwhile, we employ in-built application rate limiting and alerting, which includes protection against brute force login enumeration.
- User passwords are stored in our database via a one-way cryptographic hashing function with salt (random data). Passwords are not stored in plaintext and the original password cannot be reverse engineered from the stored value. Customers can enable 2-Step Verification to make their accounts even more secure.
FreeAgent completes automated infrastructure vulnerability assessments, which conform to PCI standards, using Approved Scanning Vendor technology.
Access to networks is controlled, logged and reviewed through an immutable, centralised audit trail with unique credentials and two-factor authentication mechanisms.
- We run a continual patching cycle to ensure operating systems, applications and network infrastructure are kept up to date. This mitigates any exposure to vulnerabilities.
- The application runs inside a secured and hardened architecture environment, engineered for security to help minimise vulnerabilities according to industry standard guidelines.
- The application is penetration tested at least once a year by an independent, external CHECK-certified supplier. It is also tested regularly using automated scanning technologies.
- We employ additional automated protections within our infrastructure to identify and potentially block suspected and/or malicious behaviours.
FreeAgent does not sell, rent or share data with any third party unless previously agreed as part of a contractual arrangement (or required by a legal or regulatory requirement).
However, we do use some third parties that help provide our services. We ensure that the security measures in place at those third parties meet, at the very least, the same high security standards that we employ ourselves.