Security and Compliance

We protect your spend, and your data.

FISCAL Technologies was built to protect our customers, and risk management and security are at the heart of our company. From day-to-day activities to the development and delivery of our products, we are committed to security at every level of our operations.

To ensure the protection of our customers’ data, we follow industry-standard security compliance certifications and regulations.

Compliance and Regulations

ISO/IEC 27001:2022 Certified

ISO/IEC 27001 is an internationally recognised information security standard. It defines the requirements that an information security management system (ISMS) must meet to securely manage information assets and data. It provides a robust approach for managing risk and assets such as customer and employee details, intellectual property, financial information, and third-party data.

FISCAL Technologies is certified by a UKAS-accredited agency, which is in turn audited by a regulated body.

More information on ISO can be found here.

Cyber Essentials Certified

Cyber Essentials is a scheme backed by the UK Government to help protect organisations against cyber security attacks. The certification defines a focused set of controls which provide clear guidance on basic cyber security for organisations of all sizes. It offers a sound foundation of cyber security measures.

More information on Cyber Essentials can be found here.

GDPR/UK Data Protection Act Compliant

FISCAL Technologies complies with the General Data Protection Regulation and UK Data Protection Act regarding processing of personal data of people in the European Union.

ICO Registered

FISCAL Technologies is ICO registered. FISCAL’s privacy policy can be found here.

Registration Number: ZA115827

Frameworks and Methodologies

FISCAL utilises well-known frameworks to support our security and compliance efforts:

OWASP:

The Open Web Application Security Project (OWASP) is a non-profit foundation that provides guidance on how to develop, purchase and maintain trustworthy and secure software applications. More information here.

Microsoft Azure Well-Architected Framework:

The Azure Well-Architected Framework (WAF) is a set of quality-driven tenets, architectural decision points, and review tools intended to help solution architects build a sound technical foundation for reliable, secure, and performant workloads. More information here.

CIS (Center for Internet Security):

The Center for Internet Security provides controls and benchmarks that codify best practices for strengthening an organisation's cyber security posture.

Agile Software Development Principles:

The Agile methodology is a project management approach that involves breaking the project into phases and emphasizes collaboration, adaptability, and customer feedback throughout the project’s life cycle.

Extensive People Security

All FISCAL employees are subject to comprehensive background and security checks prior to employment. All employees complete mandatory security awareness and privacy training upon hire and supplemental training throughout employment. FISCAL conducts simulated phishing and social engineering tests frequently, at least once a month.

All FISCAL employees and contractors sign confidentiality and non-disclosure agreements upon hire and before access to company or customer data.

Thorough Access and Authentication Controls

Access to customer and confidential data is restricted based on the principle of least privilege, and only designated FISCAL employees are allowed access based on role. FISCAL requires strong and complex passwords in line with current recommended practices and enforces multi-factor authentication and compliance checks for access to data and systems wherever possible.

Product Access Controls

FISCAL’s default password policy follows the “Strong” complexity requirements provided by Azure B2C. FISCAL also offers an SSO integration for customers with their own SSO solution. This option allows customers to enforce their own access control requirements and policies.

Access to customer data is restricted. It is only accessible to FISCAL employees who need to investigate a specific customer issue, and only after the customer has raised a request via the FISCAL customer helpdesk. Engineers do not have access to data by default; we utilise Privileged Identity Management tools that require peer review and secondary authorisation to elevate privilege before access is granted.

The FISCAL platform provides the ability for customers to manage their own users and restrict which areas of the solution those users can access via the Access Permissions feature.

Data Handling and Privacy

FISCAL Technologies complies with the data protection laws and regulations in the regions in which it operates, including the European Union’s General Data Protection Regulation (GDPR) and the UK Data Protection Act. We have policies and procedures in place to comply with any applicable data privacy laws. Customer data is not available to Microsoft Azure or Cloudflare, as it is encrypted and not visible in transit or at rest.

Robust Data Encryption

All customer data transmitted to our services over public networks is protected using strong encryption protocols. We mandate that all connections to our servers use Transport Layer Security (TLS 1.2/1.3), including web access, API access, and email client access. This ensures a secure connection by allowing the authentication of both parties involved in the connection and by encrypting the data to be transferred.

FISCAL leverages Azure's Key Management Services to encrypt all data at rest across our products, and Transparent Data Encryption (TDE) to encrypt all databases, using AES-256 encryption. More information can be found here.

Data Residency

FISCAL Technologies operates its services within Microsoft Azure. Upon onboarding to the FISCAL platform, customers can select their region based on their data localisation requirements. Currently, we operate services in the United Kingdom, Europe, and United States. All customer data is held within the selected region, with the exception of customer administration data that resides in the Europe region.

Please note that we use ancillary services for certain functions; these services may store data in other locations, which are described in the Sub-Processors section below.

Data Transfer

During the proof of concept and data validation phases of onboarding, all customers are provided with a secure file transfer workspace to ensure data is transferred securely. All data is encrypted in transit using at least TLS 1.2 and encrypted at rest using AES-256 encryption.

FISCAL also provides upload mechanisms that allow customers to load data directly into the service.

Data Backups and Retention

FISCAL holds the data in your sites for as long as you choose to use our services. Once you terminate your agreement, your data will be deleted in line with the agreed terms of your contract.

During use, FISCAL maintains backups of customer databases to allow recovery in the event of error or disaster. Backups are stored in Microsoft Azure on a separate site within the same geographical region as the customer’s site.

For more information on Azure’s data destruction processes please click here.

Disaster Recovery and Business Continuity

The FISCAL platform is designed to be resilient and regional. In the event of a disaster, the environment is recreated by an automated deployment process and customer data is restored from backups.

FISCAL tests the platform annually. We simulate regional recovery tests regularly as part of recreating our testing environments.

Development and Code Security

FISCAL Technologies software development is carried out by permanent employees located in the United Kingdom, with product updates released every week.

Employee duties are split between the development and infrastructure support functions. However, due to the nature and size of FISCAL Technologies there can be overlap between these roles. To mitigate these risks, access is restricted to least privilege and any escalation of privilege requires peer review and authorization, as described above in Product Access Controls.

FISCAL operates separated Development, Test, Performance and Production environments. FISCAL leverages Continuous Integration / Continuous Delivery (CI/CD) pipelines for managing secure code deployments. Code changes are peer reviewed, approved by separate employees, and tested in Test and Performance environments before they are promoted into production.

FISCAL leverages Azure Defender, code review tools, and vulnerability management tools. These review all code and releases both prior to deployment and whilst in production, to reduce the risk of vulnerabilities. The FISCAL platform is developed using the latest technologies to take advantage of built-in protections against several common vulnerabilities.

Logging and Monitoring

FISCAL Technologies collects audit and application logs, encrypting and holding them centrally. Logs are retained for a minimum of 90 days before deletion.

Vulnerability Management

FISCAL Technologies uses a variety of vulnerability management tools to minimise the risk of security vulnerabilities. Scans are run against FISCAL’s platform on a weekly basis, and software is evaluated prior to each product release. When issues are identified they are evaluated, and resolutions are scheduled based on severity. Identified issues are resolved as part of the development lifecycle and released with product updates. Critical and High-risk vulnerabilities are remediated within 14 days of a remediation becoming available.

FISCAL leverages Microsoft Defender for Cloud to provide security recommendations based on our environment and compliance requirements.

Penetration Testing

The FISCAL Technologies platform is subject to an annual penetration test performed by an external CREST accredited agency.

This is an external test performed against a test account created on the production environment. This test does not include a source code review, but the external testers are granted access to a user account.

Sub-Processors

FISCAL Technologies assesses the risk of any suppliers prior to selection and engagement, validating for security, financial, and ethical requirements to ensure they meet the needs of our business and customers.

We utilise the following sub-processors to provide infrastructure or services for FISCAL’s SaaS solutions.

Microsoft Azure

Data Storage Location: United Kingdom, United States, Europe

Privacy and Security Controls: CIS, CSA-STAR, ISO 20000-1:2011, ISO 22301, ISO 27001, ISO 27017, ISO 27018, ISO 27701, ISO 9001, SOC 1, SOC 2, SOC 3, GDPR

Purpose: FISCAL utilises Microsoft Azure’s SaaS, PaaS and IaaS offerings to host our SaaS solutions and customer data.

References: https://learn.microsoft.com/en-us/compliance/regulatory/offering-home

Cloudflare

Data Storage Location: Worldwide

Privacy and Security Controls: ISO 27001:2013, ISO 27701:2019, ISO 27018:2019, FedRAMP Moderate, SOC 2 Type II, PCI DSS 3.2.1, WCAG 2.1 AA and Section 508, C5 20:20, EU Cloud Code of Conduct, 1.1.1.1 Public DNS Resolver Privacy Examination, BSI Qualification

Purpose: Providing DNS and DDoS protections for FISCAL’s SaaS solutions.

References: https://www.cloudflare.com/trust-hub/compliance-resources/

Auth0

Data Storage Location: AWS EU region; primary data center in Frankfurt (Germany) with a failover data center in Dublin (Republic of Ireland).

Privacy and Security Controls: FAPI, GDPR, HIPAA and HITECH, CSA STAR, ISO 27001, ISO 27018, PCI DSS, PSD2, SOC 2

Purpose: Log-on authentication for users.

References: https://auth0.com/docs/secure/data-privacy-and-compliance

Sinch Mailgun

Data Storage Location: Europe and United States

Privacy and Security Controls: SSAE-16, SOC 1, SOC 2, HIPAA, ISO 27001 and GDPR

Purpose: Sending, tracking, and receiving emails for FISCAL’s services.

References: https://www.mailgun.com/security/
