Security & Compliance
Infuzest Ltd recognises that trust is fundamental when operating software systems connected to regulated services and financial data providers. Security and privacy considerations are embedded into both our organisational processes and our technical architecture.
Our Commitment to Security
Security is not a feature that is added to our platforms at the end of development — it is a design requirement that shapes how systems are architected, how infrastructure is provisioned, and how data flows are structured throughout the full software lifecycle. Every integration we build with external providers is subject to a security review, and every data flow is documented and governed by formal policies.
We operate under the principle that our platforms will be subject to scrutiny — by financial regulators, open banking providers, enterprise partners, and our own clients. Our technical and organisational security measures are therefore designed to withstand external review and to support the due diligence processes of the institutions we work with.
Where our platforms handle personal data, we apply the technical and organisational measures required under the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018. This includes data minimisation at the architectural level, purpose limitation in data processing, and controls that restrict access to personal data to those with a documented operational need.
We recognise that the security posture of a technology company is demonstrated not only through its technical controls, but through its organisational processes, its willingness to be transparent about its practices, and its response when issues arise. Our responsible disclosure process reflects this understanding.
Security Contact
For security-related enquiries, vulnerability reports, or compliance questions, please contact the appropriate team directly.
Data Protection Principles
Infuzest processes personal and organisational data in accordance with the principles established under UK GDPR. These principles are operationalised in our system architecture, our data handling policies, and our vendor management processes.
Data Minimisation
Our platforms collect only the personal data that is strictly necessary for the stated purpose. Data collection is scoped at the architectural level, not managed as a post-hoc configuration. We do not collect data for speculative future purposes.
Purpose Limitation
Data collected for a specified purpose is not repurposed or used for secondary processing without a lawful basis. Our data flows are documented and any expansion of processing scope is subject to formal review and, where required, updated privacy disclosures.
Secure Processing
Personal data is processed on infrastructure that meets appropriate security standards. Access to personal data is restricted to authorised personnel and systems with documented operational justification. Processing operations are logged for audit purposes.
Controlled Access
Access to systems and data is governed by role-based controls, enforcing the principle of least privilege. Access permissions are reviewed regularly and revoked promptly when personnel changes or system modifications mean they are no longer required.
Encryption in Transit
All data transmitted between our platforms and external services is encrypted using current industry-standard protocols. We do not permit unencrypted data transmission for personal or sensitive organisational data, including in API integrations with third-party providers.
Encryption at Rest
Sensitive data stored within our infrastructure is encrypted at rest using managed encryption services provided by our cloud infrastructure provider. Encryption key management follows the practices recommended by the relevant cloud provider's security framework.
Infrastructure Security
Our platforms are hosted on cloud infrastructure operated by major cloud providers with established security certifications and audit frameworks. This provides a baseline of physical and environmental security controls that are maintained and audited by the cloud provider, against which we configure our application-level security controls.
Network access to our infrastructure is restricted by security group controls. Public-facing access is limited to authorised service endpoints, and administrative access to infrastructure components is not available through public network routes. Infrastructure configuration is managed through code-reviewed processes to reduce the risk of manual configuration errors.
Logging and monitoring are implemented across our production environments. System events, authentication events, and anomalous activity patterns are captured and reviewed. Our monitoring configuration is designed to provide early detection of security incidents and operational anomalies.
Third-party integrations — including connections to open banking providers, HMRC APIs, and payment systems — are implemented using the authorisation frameworks specified by those providers. We maintain the credentials, tokens, and authorisation records required to operate within these ecosystems in accordance with the providers' security requirements.
Infrastructure Controls
- Cloud-hosted environments with established security certifications
- Network access controls restricting exposure of infrastructure
- Administrative access restricted to secure, audited access paths
- Infrastructure-as-code to reduce configuration risk
- Secure API integration with authorised third-party providers
- Authentication token protection and management
- Monitoring and logging across production environments
- Regular review of access permissions and credentials
Regulatory and Legal Compliance
Infuzest operates under United Kingdom law and is subject to the data protection framework established by the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
As a data controller for personal data processed through our corporate operations and, where applicable, as a data processor operating on behalf of our clients, we maintain the records, policies, and technical measures required under the UK GDPR. This includes maintaining records of processing activities, conducting data protection impact assessments where required, and ensuring that our contractual arrangements with sub-processors meet the standard required by data protection law.
Our platforms that integrate with financial data providers operate within the regulatory frameworks established for those integrations. Where our platforms are connected to open banking APIs, we operate under the specific authorisation and certification requirements imposed by those providers, which include obligations relating to data handling, security controls, and regular compliance attestation.
Infuzest monitors changes to the regulatory landscape relevant to its platforms, including updates to HMRC Making Tax Digital technical standards, FCA guidance relevant to software providers operating in the financial services sector, and developments in UK data protection law. We incorporate regulatory changes into our platform development roadmap as a priority, rather than as a reactive compliance measure.
Where our platforms require clients or end users to provide consent for data processing, our consent mechanisms are implemented in accordance with the requirements of UK GDPR, ensuring that consent is freely given, specific, informed, and unambiguous. We maintain records of consent where we rely on it as a lawful basis for processing.
Responsible Disclosure
Infuzest Ltd operates a responsible disclosure process for the reporting of potential security vulnerabilities identified in our platforms or infrastructure. We recognise that independent security research contributes to the overall security of the systems we operate, and we welcome good-faith reports from researchers who identify issues.
If you believe you have identified a security vulnerability in any Infuzest system, please report it to our security team by email before making any public disclosure. We request that reporters provide sufficient detail to allow us to reproduce and investigate the issue, and that they do not access, modify, or exfiltrate data beyond what is necessary to demonstrate the vulnerability.
We commit to acknowledging receipt of vulnerability reports within three business days, investigating reports promptly, and communicating our assessment and remediation timeline to the reporter. We will not take legal action against researchers who report vulnerabilities in good faith and in accordance with this process.
Report a Vulnerability
To report a potential security vulnerability, please contact our security team directly. Include a description of the issue, the systems affected, and steps to reproduce where possible.
Please allow up to three business days for an initial response. We investigate all reports submitted in good faith.