Security Centre
Creating a better credit information system for now and the future.
Building a bureau of customer data requires trust in depth and breadth, and Infact has focused on this foundational requirement of the business from Day 1 in delivering for our clients and their customers.
Security Foundations
This security statement is intended to provide a high-level overview of Infact’s security practices. If you have additional questions, please email us at security@infact.io
General Company Information
- Registered name: Infact Systems Limited (trading as "Infact")
- Registered office address: 2-7 Clerkenwell Green, London, United Kingdom, EC1R 0DE
- Company number: 14032664 (Companies House record: found here)
- Website: https://infact.io
- VAT number: 434190119
- Registered company in England and Wales
Regulatory Compliance
FCA: Infact is authorised and regulated by the Financial Conduct Authority (FRN: 978629). Our FCA Register page can be found here.
ICO: We are also registered with the Information Commissioner's Office, reference ZB325160, with our certificate available here.
Other: We comply with all relevant local legislation and regulatory requirements, and often go beyond the minimum on aspects we deem necessary, such as cyber security and anti-money laundering. The firm also complies with all aspects of the General Data Protection Regulation (GDPR), which is particularly relevant as data subjects retain all of their usual rights.
Our ISO Certifications
ISO 27001:2022: Infact is ISO 27001:2022 certified, with certificates available upon request through our trust centre.
This is the gold standard for certifying the effectiveness of our policies, procedures, and mechanisms for systems and data security. This demonstrates our commitment to achieving the highest level of information security and that the right systems are in place to always protect partner and consumer data.
Data Protection and Privacy
At Infact, we are registered with the ICO. We adhere to a detailed Record Retention Schedule, and our Privacy Policy is maintained in line with business change.
All customer data is collected and stored within the UK and EU region. Services and data are hosted within the UK (London), with replication to the EU (Dublin, Ireland) to support high availability and disaster recovery.
DPIAs (Data Protection Impact Assessments) for core services are available through our trust centre and on request, and are produced where deemed necessary when extending the core offerings.
You can contact our Data Protection Officer in writing to our registered address (listed above), or by email at dpo@infact.io
Data classifications can be found in our Privacy Policy.
Information Security Management
As an ISO 27001 certified company, Infact operates an Information Security Management System (ISMS). We conduct regular reviews and audits of our security aspects, overseen by our Information Security Committee. Our Data Protection Officer and Chief Technology Officer are directly involved in this oversight.
Cloud Security and Resilience
Our systems are deployed to AWS across at least three availability zones for high availability. We maintain full point-in-time backups and deploy our infrastructure as code so that it can be reconstructed quickly in case of disaster. We use AWS managed services for best-in-class availability, operational excellence, and security, adhere to the AWS Well-Architected Framework, and have AWS architects review our architecture choices with us.
API Security
Infact's RESTful APIs are protected by the OAuth 2.0 standard for authorisation using the client credentials flow, with all communication and data transferred over HTTPS. We use an AWS Web Application Firewall configured to protect against common exploits, and implement robust authorisation, authentication, rate limiting, and throttling measures.
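The client credentials flow and rate limiting described above, as an added illustration that is not Infact's code (the page states that AWS Cognito issues Infact's OAuth 2.0 tokens; the in-process token endpoint, the HMAC-signed token format, the client table and the "demo-client" secret and signing key below are all constructed stand-ins for that service). It shows the three checks a resource server relies on: constant-time verification of the client secret at issuance, signature verification before any claim is trusted, and a per-client token bucket that enforces a request rate after the client has been identified.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"math"
	"strings"
	"time"
)

// Registered API clients (constructed sample): only a hash of each client
// secret is stored, so a leaked table does not hand out working credentials.
var clientSecretHashes = map[string][32]byte{
	"demo-client": sha256.Sum256([]byte("demo-secret-do-not-use")),
}
var signingKey = []byte("constructed-signing-key") // HMAC key for issued tokens (sample only)

type claims struct {
	Sub   string `json:"sub"`   // client_id the token was issued to
	Scope string `json:"scope"` // what the client is allowed to call
	Exp   int64  `json:"exp"`   // Unix expiry; tokens are short-lived
}

func b64(b []byte) string { return base64.RawURLEncoding.EncodeToString(b) }
func sign(msg string) string {
	m := hmac.New(sha256.New, signingKey)
	m.Write([]byte(msg))
	return b64(m.Sum(nil))
}

// IssueToken is the token endpoint of the client credentials grant: id + secret in, signed 15-minute token out.
func IssueToken(clientID, clientSecret, scope string, now time.Time) (string, error) {
	want, ok := clientSecretHashes[clientID]
	got := sha256.Sum256([]byte(clientSecret))
	// The compare is constant-time and always executed, so an unknown client
	// and a wrong secret cannot be told apart by response timing.
	if subtle.ConstantTimeCompare(want[:], got[:]) != 1 || !ok {
		return "", errors.New("invalid_client")
	}
	body, _ := json.Marshal(claims{Sub: clientID, Scope: scope, Exp: now.Add(15 * time.Minute).Unix()})
	msg := b64([]byte(`{"alg":"HS256","typ":"JWT"}`)) + "." + b64(body)
	return msg + "." + sign(msg), nil
}

// VerifyToken runs on every API request: check the signature before trusting any claim, then reject expired tokens.
func VerifyToken(token string, now time.Time) (*claims, error) {
	i := strings.LastIndex(token, ".")
	if i < 0 || !hmac.Equal([]byte(sign(token[:i])), []byte(token[i+1:])) {
		return nil, errors.New("bad signature")
	}
	_, payload, _ := strings.Cut(token[:i], ".") // token[:i] is header.payload
	raw, err := base64.RawURLEncoding.DecodeString(payload)
	if err != nil {
		return nil, err
	}
	var c claims
	if err := json.Unmarshal(raw, &c); err != nil {
		return nil, err
	}
	if now.Unix() >= c.Exp {
		return nil, errors.New("token expired")
	}
	return &c, nil
}

// RateLimiter is a per-client token bucket: up to Burst requests at once, then Rate requests
// per second, keyed by the verified client id. (Single-goroutine demo; a server would add a mutex.)
type RateLimiter struct {
	Rate, Burst float64
	buckets     map[string]*bucket
}
type bucket struct{ tokens float64; last time.Time }

// Allow reports whether client id may make a request at time now.
func (r *RateLimiter) Allow(id string, now time.Time) bool {
	if r.buckets == nil {
		r.buckets = map[string]*bucket{}
	}
	b := r.buckets[id]
	if b == nil {
		b = &bucket{tokens: r.Burst, last: now}
		r.buckets[id] = b
	}
	b.tokens = math.Min(r.Burst, b.tokens+now.Sub(b.last).Seconds()*r.Rate)
	b.last = now
	if b.tokens < 1 {
		return false
	}
	b.tokens--
	return true
}

func main() {
	tok, _ := IssueToken("demo-client", "demo-secret-do-not-use", "read:report", time.Now())
	c, err := VerifyToken(tok, time.Now())
	fmt.Println(c.Sub, c.Scope, err, (&RateLimiter{Rate: 1, Burst: 3}).Allow(c.Sub, time.Now()))
}
```

The order of operations is the point: the limiter is keyed by the subject of a token whose signature has already been verified, so an unauthenticated caller cannot consume another client's quota, and a token whose payload has been altered (for example to widen its scope) fails the signature check before its claims are ever decoded.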
Operational Processes
Our change management process is centred on Atlassian Jira and GitHub, and we use GitHub Actions for frequent zero-downtime deployments. Security and data protection considerations are a key part of our delivery processes, from design, through development and delivery, to operation.
Risk Management
Infact maintains a comprehensive Risk Register, Risk Management Framework and Risk Statement. We conduct regular reviews of our Information Security Objectives to ensure ongoing risk mitigation and management.
Business Continuity
We have a robust Business Continuity Planning (BCP) process in place. BCP and Disaster Recovery (DR) scenarios are reviewed and tested annually, with new scenarios being tested throughout the year in accordance with the Risk Management Framework. The responses and mitigations for the scenarios are documented in operational "runbooks" to ensure preparedness and swift recovery in case of any disruptions.
Security Scanning
Infact services are routinely penetration tested by CREST and OSCP cyber security consultants. We use a broad range of vulnerability scanning tools to monitor for vulnerabilities and threats across the full lifecycle, including SonarCloud, GitHub's Dependabot, Trivy, Grype, gosec, govulncheck, golangci-lint, AWS Inspector, and AWS GuardDuty. This approach to scanning, along with the use of Chainguard Wolfi distroless images, gives a high degree of protection from CVEs and modern supply-chain attacks.
Employee Security Training
All employees undergo background checks prior to joining the company. These include interviews with at least two senior managers, a criminal record check, and identity, right-to-work, reference, and adverse financial checks. Once they have joined, they complete role-based onboarding as well as regulatory training with a trusted third-party provider, and continue to undergo role-based training in line with a learning and development plan. This includes information security, cyber awareness, and data protection training. In-depth technical security training and cloud certification are also required for engineering teams.
Secure Development Practices
Infact follows a Secure Systems & Development Aspects Directive. This process includes code review by security-trained developers, automated security scans and quality gates within the CI/CD pipeline, comprehensive unit and integration testing with high code coverage, and the use of secure programming languages and frameworks.
Client Data Protection
We enforce encryption both at rest and in transit to protect client data. Personal data is processed only in secure, isolated cloud environments with "defence in depth" security mechanisms.
Network Security
Networks are protected from DDoS attacks by AWS Shield and from common exploits by AWS Web Application Firewall, AWS Gateway, and AWS Network Load Balancer.
Access Control and Authentication
Infact uses Single Sign-On (SSO) and Multi-Factor Authentication (MFA), backed by Microsoft Entra ID, for access to all operational systems and environments. We use Role-Based Access Control (RBAC) and conduct regular reviews of employee permissions and access rights. AWS Cognito is used for Customer Identity Access Management (CIAM) and for issuing OAuth 2.0 tokens for API access.
Trust centre
Documentation can be requested through our Trust Centre (https://trust.infact.io/).