All information that passes between FreeAgent and your computer (“data in use/transit”) is encrypted over HTTPS using TLS v1.2, in line with industry-standard best practice. The strongest cipher suites your browser supports (SHA-256 based) are prioritised.
We encrypt all information we store on your behalf (“data at rest”). This includes data in our database and any files that you upload. We enforce 256-bit AES encryption as standard.
- We utilise state-of-the-art systems to monitor, record and alert on anomalous activity within our operational environment.
- Distributed Denial of Service (DDoS) mitigation is applied automatically by our hosting provider. In addition, we employ built-in application rate limiting and alerting, which includes protection against brute-force login and enumeration attempts.
- User passwords are stored in our database via a one-way cryptographic hashing function with a salt (random data). Passwords are never stored in plaintext, and the original password cannot be recovered from the stored value. Customers can enable 2-Step Verification to provide a further level of protection.
We perform continuous, automated assessment of FreeAgent’s systems to ensure that we adhere to industry-standard security best practice at all times.
All access to FreeAgent’s underlying systems and data is protected through the use of unique credentials with two-factor authentication. Everything is logged and reviewed through an immutable, centralised audit trail.
- We run a continual patching cycle to ensure operating systems, applications and network infrastructure are kept up to date. This reduces our exposure to known vulnerabilities.
- The application runs inside a secured environment that is hardened according to industry-standard guidelines to minimise vulnerabilities.
- Application penetration testing is carried out at least once a year by an external, independent CHECK/CREST certified supplier, and the application is also subject to regular automated scanning.
- We employ additional automated protection technologies within our infrastructure to identify, and where appropriate block, suspected malicious or fraudulent behaviour.
- We operate a Responsible Disclosure program and actively encourage ethical security researchers to submit any vulnerabilities identified within FreeAgent’s infrastructure, application and business logic for triage and resolution.
We are bound by the UK’s Data Protection Act 2018 (DPA 2018) and the UK General Data Protection Regulation (UK GDPR) and fully respect the rights of individuals in compliance with the EU GDPR. FreeAgent does not sell, rent or share data with any third party unless previously agreed as part of any contractual arrangement (or any legal or regulatory requirement).
However, we do utilise some third parties that help provide our services. We ensure that the security measures in place at those third parties have, at the very least, the same high security standards that we employ.