Security FAQs

Here you’ll find answers to the most frequently asked questions we receive from field teams, managers and the industry.

Data Security

  • All data at rest is encrypted with AES-256. All system passwords and access keys are rotated regularly. Data in transit utilises TLS internally and externally.

    FYLD complies with all relevant privacy legislation. Technical compliance is maintained via automated reporting in cloud platforms and adherence to software development best practices. Organisational compliance is delivered via regular training and testing.

  • FYLD utilises AWS systems; this encompasses measures such as identity and access management (IAM) policies, encryption, and network security controls to prevent unauthorised access to data.

Access Control

  • FYLD utilises AWS Cognito services to handle user authentication and to integrate with 3rd party identity providers such as OKTA. Depending on the customer’s configuration, users can be authenticated via one-time use login links or via username and password authentication. In the case of the latter, the enforced password rules are:

    • minimum 8 characters
    • must include numbers
    • must include special character
    • must include uppercase letters

    SRP protocol-based authentication is also enabled for password-based authentication.
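    The password rules above are enforced server-side by Cognito, but a client or admin tool often pre-validates before submitting. The following is an added illustration, not FYLD's own code: a checker that applies the four stated rules and reports every rule a candidate fails, beside the Cognito `PasswordPolicy` structure that expresses the same policy for `create_user_pool`. The special-character set, the ASCII-only interpretation of "numbers" and "uppercase letters", and the treatment of interior spaces are assumptions about Cognito's definitions and should be checked against the current AWS documentation; the FAQ does not mention lowercase letters, so `RequireLowercase` is left off here.

```python
from dataclasses import dataclass, field

MIN_LENGTH = 8

# Characters assumed to satisfy Cognito's "special character" rule.
# Assumption for this example; verify against the Cognito documentation.
SPECIAL_CHARS = set("^$*.[]{}()?-\"!@#%&/\\,><':;|_~`+=")


@dataclass
class PolicyResult:
    ok: bool
    failures: list = field(default_factory=list)


def has_special(password: str) -> bool:
    """True if any listed special character is present, or (assumed Cognito
    behaviour) a space that is neither leading nor trailing."""
    if any(c in SPECIAL_CHARS for c in password):
        return True
    return " " in password.strip()


def check_password(password: str) -> PolicyResult:
    """Apply the FAQ's four rules; collect every failure rather than the first
    so a user can fix all problems in one attempt."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # ASCII digits only (assumption): unicode digits are not counted.
    if not any("0" <= c <= "9" for c in password):
        failures.append("no digit")
    # ASCII uppercase only (assumption).
    if not any("A" <= c <= "Z" for c in password):
        failures.append("no uppercase letter")
    if not has_special(password):
        failures.append("no special character")
    return PolicyResult(ok=not failures, failures=failures)


def cognito_password_policy() -> dict:
    """The same rules as the 'Policies' argument accepted by
    boto3's cognito-idp create_user_pool / update_user_pool."""
    return {
        "PasswordPolicy": {
            "MinimumLength": MIN_LENGTH,
            "RequireNumbers": True,
            "RequireSymbols": True,
            "RequireUppercase": True,
            # Not stated in the FAQ; set to match the real pool's setting.
            "RequireLowercase": False,
        }
    }


if __name__ == "__main__":
    # Constructed sample candidates, not real credentials.
    for candidate in ["Abcdef1!", "abcdef1!", "Short1!", "Abcdefgh"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'ok' if result.ok else result.failures}")
```

    Returning all failures at once, rather than the first, mirrors what a registration form should show; the policy dict keeps the client-side check and the pool configuration derived from one `MIN_LENGTH` so the two cannot silently drift apart.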

  • FYLD provides a role-based solution where each user can be assigned the field worker, manager or admin role. These roles have pre-defined functionalities to fit the day-to-day needs of our users.

Compliance

  • FYLD is fully GDPR compliant and ISO 27001 and Cyber Essentials certified.

  • FYLD undergoes annual, independent assessments to maintain compliance with ISO27001 standards.

Incident Response

  • Where an information security event has occurred, this will be immediately reported to the Directors / Engineering Team depending on whether it is an internal security incident or an App Security Incident. The Directors / Engineering Team will log incident records on internal systems. An assessment will be made as to the nature of the breach if any and then notifications will begin. If the data breach is determined to be low risk, then the victim of the data breach will be notified in writing within 20 working days. If the data breach is determined to be high risk, then the victim and the ICO will both be notified within 72 hours of the data breach.

  • Yes, FYLD has full ISMS documentation available upon request that outlines incident response plans.

Backup and Recovery

  • Backups are carried out daily. FYLD also stores all error logs for review and audit purposes. FYLD utilises AWS S3 for storage of backup files and other media, allowing restoration and recovery.

Network Security

  • Automated tools and processes help identify security threats and vulnerabilities across FYLD’s infrastructure and application layers.

    This includes but is not limited to tools such as AWS Guard Duty and AWS Shield.

Integration with Existing Systems

  • Yes, FYLD is capable of integrating directly with SAML-2 SSO systems such as Microsoft Azure and OKTA.

  • Yes, FYLD can provide API access where required to connect with internal systems for custom integrations.

Vendor Security Practices

  • Automated tools and processes help identify security threats and vulnerabilities across FYLD’s infrastructure and application layers.

    This includes but is not limited to tools such as AWS Guard Duty and AWS Shield.

  • Yes, FYLD is ISO27001 accredited with the latest audit having been carried out in December 2023.

Software Development Practices

  • Security engineering principles are applied across the full software development lifecycle within FYLD. All changes to the system run through multiple steps of QA in separated environments, and changes are promoted to production only once all tests pass.

    All code is stored in GitHub (including IaC); all changes are made via peer-reviewed PRs and are also scanned by automated tools.

  • Annual penetration testing and IT phishing tests are carried out by external parties, all other exercises are carried out by company employees and automated vulnerability scanning.

Physical Security

  • FYLD data centres are hosted on AWS (Region specific based on customer location) and therefore the security of the cloud and data centres is managed by AWS according to the Shared Responsibility Model.

Patch Management

  • Security patches are applied within 30 days, in line with FYLD’s ISO 27001 compliance. Patch identification is raised automatically by 3rd party tools and services that continuously monitor the FYLD application and infrastructure codebase.

    Immediate patch releases can be put together for high priority vulnerabilities.

    FYLD carries out infrastructure patching at least monthly, without causing service outage. FYLD aims to provide 99.99% availability for its services. All application layer patching occurs as part of the SDLC process.

Service Level Agreements (SLA)

  • FYLD currently maintains a 99.99% availability and manages scalable fault tolerance via automatic failover, continuous automated monitoring and alert systems. Backend APIs are deployed in ECS across multiple AWS availability zones within each region and autoscale based on load.

End-of-Life and Decommissioning

  • All data stored in FYLD is retained after contract termination for the duration set out in the contract. Thereafter it will be securely erased.

Third-Party Security

  • Yes, FYLD does utilise 3rd party services in development and support capacities.
    All FYLD staff, contractors/3rd party affiliates are trained on cyber security and vetted accordingly.

    All suppliers are subject to company vetting procedures which includes cyber security accreditation checks ensuring they are compliant with FYLD’s ISO27001 standards.

    In cases where a supplier is not directly accredited with ISO27001 or SOC2, additional internal audits are carried out, with further security training where required and NDA signatures covering all individuals with FYLD access.

Disaster Recovery and Business Continuity

  • Yes, FYLD has a fully revised BCP and documented ISMS that details the precautions and processes in the event of a security incident.
