Dashly Trust Centre
At Dashly we take the security, privacy, and welfare of yours and your clients’ data incredibly seriously. Our Trust Centre is designed to give you an overview of the controls and measures we have in place to safeguard all data within the Dashly Universe.
Platform and Network Security
We perform regular and rigorous security testing on our Platform including, but not limited to:
Third-party application and network penetration tests, performed by an Independent Security Firm against our entire product suite with fully certified penetration testers.
Regular vulnerability scans against our application and network.
We have Automated Threat Detection, Web Application Firewalls and DDoS protection in place across our platform.
We use Google Cloud Platform to automatically update and patch our infrastructure.
We use a VPC network with all managed services and Virtual Machines inside running on private IPs, not being directly accessible from the outside world. For Web Application Firewalls (WAFs), we're using Cloud Armor to secure our loadbalancer, with additional security rules and restrictions via GCE Ingress Controller, plus application-layer security on top. All layers are set up using the "positive rules" approach, ie. all access is disabled by default, unless explicitly allowed by defined rules
Data Storage
All of our data is encrypted at rest using AES-256 symmetric keys, with the encryption keys themselves encrypted by a key stored in a KMS and regularly rotated. This applies to SQL databases, shared/network storage as well as VM disks.
All Data is stored in the Google Cloud Platform “EU-WEST-2” data centre.
Backup retention is 30 days, some data retained for longer under Money Laundering, Data Protection and FCA regulations.
All Data is stored within Google Cloud Platform and no Data is retained or stored on physical devices such as USB memory sticks or computer local drives.
Corporate IT
We have an active asset register for both information and physical assets.
We use ESET Endpoint Security for endpoint security, antivirus and malware protection.
We leverage multiple DLP strategies using Google Vault.
All internal access to customer data is limited and provided on a need-to-know basis. Data is only shared via encrypted links and is fully auditable.
We use Blackwater Maldon to handle patching of our operating systems and 3rd party software.
We are CyberEssentials certified via IASME Consortium and our Certificate Number is IASME-CE-042704.
Data Transfer
All data transfer, both internally within our Data Team and externally with our Partners is handled using the Egnyte platform, which is performed over an FTP (File Transfer Protocol over implicit TLS/SSL) 256-bit AES protocol.
Security Best Practices
All user passwords are salted and hashed with the scrypt algorithm.
All sensitive banking data (i.e. bank account), is further encrypted via AES-256.
Multi-factor authentication is active, and Single Sign-on (SSO) is used to cascade access across multiple services where possible for all staf
Compliance & Governance
All data centres are readily compliant with ISO27001, SOC-1,2,3 PCI-DSS L1 and more.
We are registered with the FCA, as a Mortgage Intermediary (Firm Reference Number: 810720).
We are registered with the ICO under the UK Data Protection Act (ICO Registration Number: ZB467686).
All staff complete bi-annual cyber and information security awareness training.
All staff are Identity & Verification (ID&V) and Disclosure & Barring Service (DBS) checked, key staff are run through additional security checks.