Security and Privacy

Protecting your data is the very fabric of our business which is why we have comprehensive security and compliance processes in place.

Our dedicated security & privacy team delivers a security framework that incorporates and aligns to industry best practices such as ISO 27001, NIST and the OWASP Top 10, and that is constantly evolving with updated guidance and new industry best practices.

Our approach to security is underpinned by Secure by Default & Defense in Depth principles ensuring that security controls are embedded, frictionless and proportionate in their application.

We’re committed to being transparent about our security practices and helping you understand our approach. 

We seek regular external validation of the effectiveness of our security controls and are ISO 27001 and Cyber Essentials certified.
The scope of our certification encompasses all employees, listed office locations, our owned technology and data assets, and business processes that deliver our associated products and services.

Certification body: BM TRADA. Certifications held: ISO 27001 and Cyber Essentials Plus.

  • A peer review & approval process is in place to ensure the integrity of application code. 
  • Application security is regularly assessed throughout the development lifecycle. Vulnerability scanning and penetration testing are performed against the application regularly.
  • The application does not leak information through verbose error messages.
  • The application sanitises input and encodes output in order to mitigate injection attacks. 
  • Data at rest is encrypted with AES-256. Data in transit is encrypted using TLS 1.2 and suitably strong cipher suites.
  • All cryptographic keys are managed and stored in AWS KMS.
  • AWS Certificate Manager is used to manage PKI.
  • Incoming TLS connections are terminated at the WAF / load balancer. 
  • All production networks are in AWS. Resources run in a dedicated VPC.
  • Security group rules only allow inbound traffic on required ports. 
  • Inbound / outbound rules are regularly reviewed.
  • Access to the internal network is restricted by the Infrastructure team.
  • All access to production systems is administered by the Infrastructure team. 
  • Access is provisioned in adherence with the principle of least privilege.
  • Access is reviewed regularly to ensure its appropriateness.
  • Permissions templates are used to define a base level of access.
  • Critical systems scale horizontally to handle demand. 
  • Critical systems are deployed in a multi-AZ distribution to ensure geographical redundancy. 
  • Regular backups are performed and data integrity tested. 
  • A disaster recovery plan, a business continuity plan and an incident management process are in place. 
  • Access to the cloud environment is delegated through AWS SSO.
  • Infrastructure is managed with Terraform; any changes are subject to peer review and approval before being deployed. 
  • Infrastructure is monitored for potential disruption, and the Infrastructure team is alerted when it is detected. 
  • Amazon Inspector is used to scan production assets for vulnerabilities.
  • An internal Vulnerability Management process is followed to assess vulnerability findings and report them to the relevant teams for remediation.
  • SLOs are defined for vulnerability findings, depending on the CVSS score and other contextual information. 
  • All staff undergo DBS and background checks. 
  • All staff complete Data Protection and Information Security training at least annually. 
  • Additional training is provided to all staff who directly handle data.
  • We are ISO 27001 certified and maintain an Information Security Management System.
  • We hold valid Cyber Essentials and Cyber Essentials Plus certifications.

Useful documents

You can be assured Evouchers will keep your data safe and meet your compliance requirements.

Security & Vulnerability Disclosure

Maintaining the security of our network and the data we hold is important to us. We actively endorse and support working with the research and security practitioner community to improve our online security.

We welcome investigative work into security vulnerabilities, carried out by well-intentioned and ethical security researchers.

If you believe you have found a security issue, please send your report to us using [email protected]. Initial reports should include a brief description of the type of vulnerability and the system or service in which it was found (e.g. the website address or application name).

Researchers may submit reports anonymously. We may contact you to request clarification on reported security issues, or other technical details to aid in accurate identification and/or remediation.

We are committed to prompt correction of vulnerabilities. We ask that you refrain from sharing or publishing information about any discovered vulnerabilities for 90 calendar days from receipt of acknowledgment of your report. We reserve the right to request further time before you make any published disclosure.

Regrettably, we can’t offer a paid bug bounty programme. We will, however, make efforts to show our appreciation on our website to security researchers who take the time and effort to improve the security posture of our services.

Privacy

Our privacy programme was created because we recognise the importance of keeping you informed and in control of any information relating to you as an individual. 

Our privacy team is committed to being as transparent as possible to help you understand our approach to managing your data.

You can find our Privacy FAQs and DPIA Support sheets below or for further support please contact our DPO on: [email protected]

Contact us

If you have a DPO / general data query, please get in touch.

Furlong House, 2 King’s Court

Newmarket CB7 8SG