Here's the nitty gritty about security

FreeAgent is fully committed to protecting your personal and financial data, using multiple layers of security. When you trust us with your information, it’s held safely by some of the most secure data centres in the UK. Manned 24/7, they are geographically separated and protected from physical and logical attack - as well as natural disaster!

Cyber Essentials Plus logo

FreeAgent strongly encrypts your information to give you peace of mind.

We continuously monitor for malicious activity; proactively finding and eliminating security risks.

Certified to the Cyber Essentials standard, we have an extra level of external, independent assurance that we’re doing the right things to help protect our systems and services. We also take a lot of care to ensure our employees are vetted and have a deep understanding of how to protect your data.

And that’s just scratching the surface - for deeper insight on how we keep your data safe, please read on below!

Physical security

Our secure data centres are located in the UK and ISO 27001 certified.

We also use secure certified providers during any equipment decommission.

The data centres are manned seven days a week, 24 hours a day, 365 days a year and include HD CCTV with imagery retained for a minimum of six months. Access to the data centres is restricted to a small group of pre-authorised individuals who need two forms of authentication to enter. Physical equipment (owned and managed by us) is housed in dedicated, locked racks for our sole use.

Operational security

Strong encryption

Data is encrypted over HTTPS using Transport Layer Security (TLS v1.2) protocols with minimum 128-bit keys and using SHA256 certificates, meaning that our users always have a secure connection from their browsers to our service.

We use the latest, strong ciphers for encryption, message authentication and key exchange mechanism. We explicitly disable known weak and vulnerable ciphers, with regular protocol reviews.

In addition:

  • Our networks are gated and screened by Intrusion Detection Systems (IDS) technologies.
  • Distributed Denial of Service (DDoS) mitigation technologies are applied by our network provider. Meanwhile, we employ in-built application rate limiting and alerting, which includes protection against brute force login enumeration.
  • User passwords are stored in our database via a one-way cryptographic hashing function with salt (random data). Passwords are not stored in plaintext and it’s not possible to reverse engineer the stored value equivalent. Customers can enable 2-Step Verification to make their accounts even more secure.

Preventing vulnerabilities

FreeAgent completes automated infrastructure vulnerability assessments which conform to PCI standards through an Approved Scanning Vendor technology.

Access to networks is controlled, logged and reviewed through an immutable, centralised audit trail with unique credentials and two-factor authentication mechanisms.

In addition:

  • We run a continual patching cycle to ensure operating systems, applications and network infrastructure are kept up to date. This mitigates any exposure to vulnerabilities.
  • The application runs inside a secured and hardened architecture environment, engineered for security to help minimise vulnerabilities according to industry standard guidelines.
  • Application penetration testing is carried out at least once a year by an external, independent CHECK or CREST certified supplier, as well as being subject to regular automated scanning.
  • We employ additional automated protection technologies within our infrastructure to identify and potentially block suspected and/or malicious and/or fraudulent behaviours.
  • FreeAgent operates a Responsible Disclosure program and actively encourages ethical security researchers to submit any vulnerabilities identified within our infrastructure, application and business logic for triage and resolution.


FreeAgent does not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement).

However, we do utilise some third parties that help provide our services. We ensure that the security measures in place at those third parties have, at the very least, the same high security standards that we employ ourselves.

People processes

Our staff are vetted prior to employment by our internal People Operations department. Checks include Proof of Identity, Proof of Right to Work, Proof of Residency and Proof of Activity.

We also maintain a suite of internal information security policies, procedures and guidelines, including incident response plans, which all staff, contractors and third parties must follow. These are reviewed at least annually.

In addition:

  • Only employees with the necessary rights and roles have pre-authorised access to our data centre facilities and underlying data. Access is unique, logged and uses strong password policies managed through an enterprise password manager, coupled with two-factor authentication, where appropriate.
  • Customer data is accessed on an as-needed only basis, and only when approved by the customer (i.e. as part of a support incident), or by operational staff to provide necessary support and maintenance.
  • Regular audits are performed and the whole process is reviewed by management to ensure only the right people have access to the necessary data and systems on an ongoing basis.
  • All employees must sign confidentiality agreements, attest to following FreeAgent policies and guidelines and follow an online monthly Security Training and Awareness program.
  • Our developers are versed in the OWASP Top Ten critical web application security risks. All code must first be peer-reviewed and pass Continuous Integration automated testing, quality and security control gates before being merged and deployed through a Continuous Delivery process mechanism.


FreeAgent utilises ZFS to protect against data corruption on disk. All system components are configured for high/continuous availability as a core requirement.

A fully available disaster recovery environment is online at all times to cover the potential risk of a total loss of the primary facility.

In addition:

  • Data is replicated in real time to a separate geographic location for Disaster Recovery (DR) and Business Continuity purposes. Our DR process is fully tested on a quarterly basis with a full switch from our primary to secondary data processing facility.
  • Data is backed up, encrypted and held off-site according to defined retention policies, helping to further protect data in the event of hardware failure, disaster, loss or corruption.
  • FreeAgent configures its servers for power redundancy – from power supply to power delivery. Power is supplied in a 2N configuration with in-line UPS.
  • Internet connectivity is provided through multiple Tier-1 ISPs. If one fails or experiences a delay, you can still reliably get to your application and information.
  • FreeAgent runs on redundant network devices (e.g. switches, routers, security gateways) to avoid any single point of failure at any level on the internal network.
  • Computing resources generate a lot of heat and thus need to be cooled to guarantee a smooth operation. FreeAgent servers are backed by N+1 redundant HVAC systems and temperature control systems.
  • The FreeAgent data centres are guarded by industry-standard fire prevention and control systems.