We’re pleased to share that we have successfully transitioned to the ISO/IEC 27001:2022 standard! This is a major milestone for us as a SaaS provider and reflects our commitment to maintaining the highest standards of security, confidentiality, and operational excellence.
| Question | Funds-Axis Response |
|---|---|
| Legal Name | Funds-Axis Limited |
| Tax and Registration Number | 05400848 GB 874534987 |
| Legal Entity Identifier (LEI) | 9845007J8C4E61FAA335 |
| Country of Headquarters | UK |
| Industry Classification | 62012 - Business and domestic software development 63120 - Web portals 66190 - Activities auxiliary to financial intermediation not elsewhere classified Cloud Computing Policy Issue 2.1 Page 5 of 16 74909 - Other professional, scientific and technical activities not elsewhere classified |
| Identification Code and Code Type | 62012 - Business and domestic software development 63120 - Web portals 66190 - Activities auxiliary to financial intermediation not elsewhere classified 74909 - Other professional, scientific and technical activities not elsewhere classified |
| Registered Address | 60 Cannon Street, London, United Kingdom, EC4N 6NP |
| Postal Address | 4A Weavers Court, Belfast BT12 5GH |
| Website | https://funds-axis.com/ |
| Does your organisation have professional indemnity insurance? | Funds-Axis holds professional indemnity insurance with a coverage limit of £5,000,000. |
| Does your organisation have employers' liability insurance? | Funds-Axis holds employers' liability insurance with a coverage limit of £5,000,000. |
| Does your organisation have cyber insurance? | Funds-Axis holds cyber insurance with a coverage limit of £1,000,000. |
| Please identify the relevant regulatory bodies to which you are subject to regulation and supervision? | We are not a regulated entity. However, we are ISO certified. We are also contractually obliged to adhere to a range of regulatory requirements, including in respect of data protection, Cloud Computing and DORA. |
| Please provide details of any industry associations or forums that you belong to? | We are a member of the UK Investment Association. We will look to join several other industry bodies in other jurisdictions as we move forward. |
| How many Clients do you currently support? | 80+ clients giving exposure to c. 300 underlying IM, 500+ data files from over 20 admins. |
| Please provide a brief corporate structure of your firm including principal lines of business and group wide strategy specific to the service being provided? | We are focused solely on providing technology to the investment management sector in relation to post-NAV investment compliance, risk and regulatory reporting. Our goal is to be the leading provider in this space. Organisationally, we have separate teams for each of Investment Compliance, Risk and Reg Reporting. We also structured ourselves between the following core teams: (i) Technology (development and infrastructure management) (ii) Platform Management - stability / roadmaps (iii) Projects (new client onboarding as well as support for new fund launches etc) (iv) Helpdesk - bugs and issues support (v) BAU Managed Services - providing clients with operational support (vi) Corporate - Finance, HR, Op Risk, Sales & Relationship Management etc. |
| Provide a brief history of your firm’s involvement in the financial services industry. | Funds-Axis has provided services to the global investment management industry since 2005. Initially, our focus was on consulting and training on Regulatory Investment Compliance, Risk and Regulatory Reporting. Since 2013, we have operated as a RegTech technology solution provider. We launched Galaxy in 2022 to replace our earlier solution. Galaxy is our proprietary next generation multi-modular cloud platform. It will be our strategic platform for the next decade. We have migrated all our existing clients to Galaxy and we have started our next chapter with market outreach for new clients acquisitions. Our Solution Our platform was first launched for Investment Compliance solution in 2013, followed by other modules including, AIFMD Annex IV Reporting, Liquidity Monitoring and Shareholder Disclosures. More recently this has extended into additional regulatory jurisdictions and has extended to Investor Document Production (KIIDS, SRRI, performance etc.) Our Team Our team has a wealth of collective knowledge as regards investment management and as regards investment compliance, including that several of our senior teams have several decades of experience with leading investment management firms / investment management technology firms. |
| Question | Funds-Axis Response |
|---|---|
| What is the name of the service and its modules? | Galaxy – a cloud-based RegTech platform with modules for Investment Compliance, Regulatory Reporting, Shareholder Disclosures, Investor Communications, Risk Monitoring, Sanctions & ESG Monitoring, and NAV Oversight. |
| Is the solution cloud-based or locally hosted? | AWS Cloud. |
| Is the service offered as technology-only, managed, or both? | Both options are available. |
| Does the service include data feed validation? | Yes. Validation occurs at file level, during upload, and within the system using data quality rules and reports. |
| When are monitoring results typically available? | Typically within 2 hours, depending on data delivery timing. Results can be near-instantaneous. |
| Are users notified when monitoring results are ready? If so, how? | Yes – via automated emails, in-system alerts, and managed service team notifications. |
| How many regulatory rules are included in the rules engine/library? | ~3,000 rules across jurisdictions, including ~1,500 prospectus rules. Coverage includes UCITS (UK, Ireland, Lux, Malta), RIAIF, QIAIF, IA sector rules, and others (e.g., US 1940 Act, HK, Singapore, Canada). |
| What regulatory frameworks form the basis of the rules library? | Based on UCITS, COLL, NURS, QIS, FAIF, LTAF, and other regulatory frameworks. UK-specific nuances are included. |
| What types of logic and conditions can the rules engine support? | Supports rules at all operational levels, asset types, and groupings. Handles eligibility, diversification, ownership, borrowing, and various calculation methods (MV, notional, etc.). |
| Are regulatory rule updates included as part of the service? | Yes. Regulatory libraries are actively maintained. |
| How are regulatory rule changes implemented? | Regulatory team monitors changes, assesses impact, and updates rules via a structured process: coding, testing, documentation, sandbox release, client sign-off, and live deployment via Rule Groups. |
| Does the rules engine support warning and breach thresholds? | Yes. |
| Is there a limit to the number of rules per portfolio? | No. |
| Does the service include a monitoring/reporting dashboard? | Yes. Multiple dashboards are available and customisable. |
| What key metrics or components are shown on the dashboard? | Typical metrics include portfolio count, SLA status, data upload issues, new/open breaches, NAV/exposure movements, and liquidity metrics. |
| Can dashboards be customized? | Yes. |
| Is there workflow functionality for managing warnings and breaches? | Yes. Includes exception tracking, commentary, severity, ownership, attachments, and more. |
| Can warnings or breaches be overridden or suppressed? | Yes. Includes “set to sleep,” erroneous cause filtering, and reprocessing options. |
| Does the workflow maintain an audit trail of actions and notes? | Yes. All actions and comments are logged, including system processes like data uploads and rule processing. |
| Does the Service workflow allow for actions to be allocated to specific users? | As standard the functionality includes: - restricting review and approval rights to certain users - enabling the assignment of the exception workflow to specified users. There is then a separate functionality that allows the assignment of actions to different users in respect of the exceptions. This can also be templated. This is available but not generally used in conjunction with investment compliance. |
| Does the Service workflow have a target date option for the completion of actions? | As above, there is a separate functionality that allows the assignment of actions to different user in respect of the exceptions. This can also be templated. This enables the specification of target dates. Note, there are also reports that show how long exceptions have been open for and who they are assigned to. |
| Please provide an overview of reporting and MI capabilities of the Service | There are extensive reporting capabilities available. This includes: (i) pre-built reports and MI (ii) extensive ability to download everything into excel (iii) there is a comprehensive library of reports available which covers the widest range of MI and detailed reports for all system data. Additional reports can be easily developed and published. This also includes some functionality for scheduling distribution of reports. |
| What is the reporting date range available from the Service? | A full history is maintained in the system, subject to your archive policy (e.g. 7 years history). This includes of all holdings, all calculations, all results etc. This is all available for reporting. |
| Is there the ability to download reports in Excel? | Yes. There is extensive ability to download everything into excel. |
| Is there the ability to tailor and generate reports in document format e.g. PDF? | Yes. See above in respect of reporting and MI capabilities. Yes, there is a wide range of functionality to download documents in pdf format. We can also easily create additional reporting for you on request. There is a separate report building plug-in that allows you to build all your own reports, although that is not usually required for investment compliance only clients, given the availability of a wide range of pre-packaged reports. |
| Which jurisdictions and fund types have built-in regulatory rules in your system? | We support regulatory rules for UCITS (including Ireland, Luxembourg, Malta, UK), RIAIF, QIAIF, Switzerland, and the UK. Additional rule sets are being released for the US 1940 Act, Hong Kong, Singapore, Canada, Nigeria, and UK Investment Association standards. |
| How are new rules added? Can users code complex rules themselves? | Users can create even complex rules with minimal training, often by adapting existing ones. However, we typically maintain a centralised rules library to ensure consistency, accuracy, and proper testing. |
| Does the system support soft and hard limits? | Yes, both soft and hard limits can be configured to enforce or flag rule thresholds. |
| Can rules be run ad hoc for one or more funds? | Yes, users can execute specific rules on selected funds outside of scheduled runs. |
| Can rules be run ad hoc for specific positions? | No, rules are evaluated at the portfolio level, not at individual position level. |
| Can breaches be overridden for a set time? | A temporary override (sleep function) is available; time-bound overrides are being added. |
| Can users drill into results? Any limits? | Yes, users can explore rule results in detail; no major limitations apply. |
| Can results be exported to Excel? | Yes, compliance results can be exported in Excel format for further analysis. |
| Can event-based rules be checked (e.g., borrowing limits)? | Yes, the system supports rules based on event frequency and duration, with customizable parameters. |
| Can multiple rating agencies be used in one rule? | Yes, rules can incorporate ratings from multiple agencies using AND/OR logic or highest/lowest selection. |
| Is there a 4-eyes check and audit log? | Yes, workflows include maker-checker functionality, role-based access, and a full audit trail. |
| How are derivative commitments calculated? | The system calculates exposures using standard methods (e.g., AUM, notional, delta) and handles netting and hedging automatically. |
| Can summary reports be generated by fund, region, or time? | Yes, users can generate reports across portfolios, jurisdictions, and timeframes using built-in reporting tools. |
| How are breaches logged and documented? | Breaches are logged automatically or manually, with full history, comments, severity levels, responsibilities, and attachments. |
| How does the system support breach investigations? | Each exception includes start/end dates and cause tracking, enabling “as of” analysis and compliance history review. |
| Any other notable capabilities? | Yes, including cheapest-to-deliver logic, collateral monitoring, and support for EPM across portfolios or components. |
| Do you offer a managed service? | Yes, both SaaS and Managed Service models are available; details are provided in the proposal. |
| How are issues/errors monitored and alerted? | Issues are visible in the workflow module, with breach history and comments. Alerts via email are being added. |
| How is system performance monitored? | A System Health Check module tracks processing times and performance metrics for rules and calculations. |
| Is there a health check dashboard? | Yes, it covers users, permissions, rule processing, data quality, and breach statistics. |
| Can rule runs be triggered automatically or on demand? | Yes, runs can be scheduled, triggered by data readiness, or initiated manually or via API. |
| Are users alerted when tasks complete? | Yes, completion is logged and visible; triggers can notify users or downstream systems. |
| How is technical documentation provided? | The system is web-based and user-friendly, minimizing the need for technical documentation. |
| How is user documentation provided? | In-app access to guides, videos, brochures, and interactive help covering all modules and data requirements. |
| What languages is documentation available in? | Currently in English, but many features support multilingual output and translation tools. |
| Question | Funds-Axis Response |
|---|---|
| What is the name of the module? | Investor Communications. |
| What solutions does the module cover? | Document Production incl widgets, Calculations, Hosting and Dissemination. |
| Is the service offered as technology-only, managed, or both? | Both options are available. |
| What documents do you produce? | Theoretically we can produce any document. |
| What document types to you have templates for? | UCITS/NURS KIIDs, EU/UK PRIIPs KIDs, CCI, Past Performance Documents and Factsheets. |
| Do you cater for translations? | Yes, documents can be produced in any languages. |
| Is there document approval cycle functionality? | Yes. |
| Is there access to a document library? | Yes. |
| Do you provide hosting services? | Yes, we provide permalinks which means that links on your website for documents only need to be set up once. |
| Do you disseminate documents? | Yes, we have automated document transfer mechanisms in place with the main data vendors. |
| Can you cater for bulk document creation? | Yes, we can create any amount of documents with one instruction. |
| How do you manage large document refreshes? | A large refresh project, such as UCITS KIID annual refresh is assigned a Project Status. This means that a dedicated Project Lead will liaisie with you from planning through to completion. Meeting frequencies will be agreed as per your requirements. |
| Can we provide the data or does it need to be linked to your database? | Either, we can provide you with data files for fixed templates and can provide user manuals to show you how to create and load your own files. |
| What calculation types do you perform? | We have 4 main categories of calculations: Regulatory risk/performance scenarios, costs and charges, performance and statistics, portfolio slicing and dicing. |
| What regulatory risk calculations do you perform? | UCITS KIID SRRI, CCI RRM, PRIIPs SRI and Performance Scenarios - both VAR and market calculations and we also cater for different pricing frequencies. |
| How frequently do you perform the regulatory risk calculations? | It depends on pricing frequency: UCITS KIID SRRI / CCI RRM - Weekly or monthly PRIIPs KID SRI - Daily, Weekly or Monthly PRIIPs KID Performance Scenarios - Monthly |
| Do you provide summary reporting for the regulatory risk calculations? | Yes. |
| Do you provide exception reporting for the regulatory risk calculations? | Yes. |
| What control reporting do you perform for the regualtory risk calculations? | As part of our managed service, among our controls, we review for data completeness, significant changes in daily/weekly/monthly performance, comparisons vs previous calculations and indiviudal price contributions to volatility. |
| When is the reporting typically available? | For managed services this is agreed in a SLA with each client and depends upon pricing frequency. We typcially see a 5 day SLA for weekly SRRI and a 10 day SLA for other risk/perf scenario calculations, but daily priced funds can be made available earlier if required. |
| Can all outputs feed directly into widgets and documents? | Yes. |
| What costs and charges calculations to you perform? | UCITS KIID Ongoing Charges (OGC) PRIIPs KID Management fees and other administrative or operating costs (previously known as Other Ongoing Costs (OOC)) PRIIPs KID Transaction Costs PRIIPS KID Performance Fees PRIIPs KID Reduction in Yield Total Costs and Annual Impact Where different periods required for EMT/EPT we cater for them too. |
| How frequently do you perform the costs and charges calculations? | OGC/OOC /Perf Fee - Monthly Transaction Costs - Can perform monthly but recommend quarterly RIY - As required |
| Can you cater for both portfolio and shareclass level trial balances? | Yes. |
| Do you source underlying fund costs? | Yes. |
| What reporting do you provide? | Typically for each cost calculation we would provide: - Summary vs Published Comparison. - Month to month Comparison. - Expense Breakdown Analysis. - Full Underlying Fund contribution analysis. |
| What controls to you have in place? | TB Line completeness AUM completeness Underlying Fund completeness Monthly movement analysis and tolerance checks |
| When is the reporting typically available? | For managed services this is agreed in a SLA with each client and depends upon availbility of TB, AUM and portfolio data. We typcially see a 10-15 day SLA for non-transaction costs calculations and longer for transaction costs due to the longer time it takes for us to receive the information. |
| Can all outputs feed directly into widgets and documents? | Yes. |
| What performance and statistics do you perform? | See link. |
| Can all outputs feed directly into widgets and documents? | Yes. |
| What portfolio analysis can you perform? | We can analyse a portfolio for any category once the invidual securities are tagged accordingly. |
| Do you source the category data? | We can source the information, consume it directly from your admin or other party (incl you), or a combination of both. |
| Can all outputs feed directly into widgets and documents? | Yes. |
| What widgets to you support? | We have multiple widgets covering all areas from static data, to performance charts through to costs disclosures and portfolio breakdowns. Essentially our widgets cover standard factsheet, KIID, PRIIPs KID and CCI disclosures. |
| How do the widgets work? | Third party integration can be carried using Widget or API. With the widget option, Galaxy provides iframe embeddable rendering of data. Using API, the data is provided using JSON format which can be rendered based upon your requirements. These options use JSON Web Token for authentication. |
| What data sharing templates can you provide? | EPT / EMT / FVPT / DCPT |
| How frequently do you provide? | They are available on demand via a one-click solution. |
| Can reporting be downloaded in excel? | Yes. |
| Do I need to take all of the above services or can I choose what I want? | Every individual document, template, widget, calculation service can be individually selected, as per your needs. |
| Question | Funds-Axis Response |
|---|---|
| Please describe your typical implementation process, including key phases and indicative timelines. | Funds-Axis follows a structured and collaborative implementation approach designed to ensure a smooth and efficient onboarding experience for all clients. While specific timelines and activities may vary depending on the scope and complexity of the solution, the typical implementation process includes the following key phases: Requirements Specification We work closely with clients during the pre-contract and onboarding phases to validate and refine requirements. This ensures alignment with business objectives and regulatory needs. Infrastructure Setup Standard infrastructure setup is typically completed within a short timeframe, often within one business day, depending on client-specific configurations. System Configuration and Development Our solutions are highly configurable. Where required, we implement tailored rule sets, workflows, or data integrations to meet client-specific needs. Full system development is generally not required. Report Formatting and Configuration Standard reporting templates are available, and we support configuration or customization based on client preferences or regulatory requirements. System Testing Internal testing is conducted to ensure system readiness and alignment with agreed specifications. This includes validation of rules, data flows, and reporting outputs. User Acceptance Testing (UAT) Clients are supported through a structured UAT phase, with guidance and documentation provided to ensure confidence in the solution prior to go-live. Process Mapping Our Customer Success team collaborates with clients to define and document operational processes, governance controls, and escalation procedures. This is typically delivered through interactive workshops. Training Comprehensive training is provided to client teams, including access to online resources, documentation, and tailored in-person or virtual sessions as required. Go-Live Support Dedicated support is provided during the go-live phase to ensure a smooth transition to live operations, including assistance with final testing and operational readiness. Post-Live Support Following go-live, clients are supported by our Business-as-Usual (BAU) and Managed Services teams, who provide ongoing assistance, monitoring, and change management support. |
| Please describe your approach to data integration, migration, and testing. | Funds-Axis has established data integrations with a wide range of third-party administrators and data providers. These integrations support automated data ingestion across all major asset classes and are designed for rapid deployment. Our data migration and integration processes are fully automated, with built-in validation and exception handling. The platform provides full visibility into data upload success and highlights any discrepancies or failed records. Testing is embedded throughout the process, including automated checks such as NAV tolerance testing, which ensures that uploaded portfolio values align with official NAVs. This ensures data accuracy and integrity from day one. |
| What is the typical implementation timeline for out-of-the-box solutions (excluding Investor Communications), and what factors may influence delivery? | For a standard out-of-the-box implementation, the typical timeline is approximately 4 to 6 weeks, depending on the scope and readiness of client inputs. This includes core system setup, configuration, rule implementation, and testing. Common factors that may impact timelines include: Availability of client resources and responsiveness Use of multiple data administrators or custom data feeds Delays in receiving or validating data Complexity or volume of bespoke rule requirements Concurrent onboarding projectsIncomplete or evolving business requirements We provide a generic project plan to guide expectations, but timelines are always tailored based on each client's specific needs and environment. |
| What is the typical implementation timeline for Investor Communications, and what factors may influence delivery? | For Investor Communications, the typical implementation timeline is around 4 weeks from the point all required data is provided. This includes system setup, configuration of communication templates, and testing. Delivery timelines may vary based on: Timeliness and completeness of client data Scope of services selected (e.g., factsheets, KIIDs, EETs, etc.) Customisation of templates or workflows Availability of client stakeholders for reviews and approvals We provide a tailored project plan based on the specific services selected and your operational environment. |
| What are the typical data sources required for the service, and what key data points are needed? | Funds-Axis supports integration from a wide range of data sources. While we can work with any provider, fund accounting data is typically preferred for its completeness and reliability. Common data sources include: Fund Accounting Systems – for holdings, valuations, transactions, and NAV Custodians – for custody cash and liquidity-related data ACDs – for fund-level attributes and compliance parameters PMS/OMS – for pre-trade and order-level data Third-party vendors – for security master and pricing data (e.g., ICE, Bloomberg) Additional sources relevant to Investor Communications include: Static data – such as share class details and fund identifiers Chart of accounts and trial balances Historic performance data Dividends, AUM, and share class prices Key data points typically required: Holdings and valuations Transactions and cash flows NAV and share class details Security identifiers and classifications Prospectus and regulatory parameters Custody cash balances (if applicable) Performance history, dividends, and AUM Static and financial data for reporting We offer flexible integration options tailored to each client’s operational setup and selected services. |
| How is source data typically transmitted to your platform? Please describe supported methods for all data sources. | Funds-Axis supports a variety of secure data transmission methods to accommodate different client and provider setups. The most commonly used and preferred method is secure file transfer protocol (sFTP). Other supported methods include: API integrations, where available Direct download from provider portals, subject to client-authorised access Encrypted email, used in limited, controlled scenarios Manual upload via the platform, for ad hoc or exception-based data For established data providers, we typically coordinate with the provider to set up access, configure reporting, and automate data retrieval. This may involve client authorisation to access specific portfolios or data sets via the provider's portal or reporting environment. Our approach is flexible, secure, and designed to minimise client effort while ensuring reliable and timely data delivery. |
| What third-party data feeds are required or supported for the service, and how are they typically sourced? | Funds-Axis supports a wide range of third-party data feeds to meet regulatory, operational, and reporting requirements. Our platform is data-source agnostic and integrates with most industry-standard providers. Commonly supported data types and sources include: Holdings Data – Typically sourced from fund administrators or custodians; foundational for portfolio and reporting services. Security and Issuer Data – Can be client-provided or sourced via ICE, Bloomberg, Refinitiv, or Morningstar. Includes identifiers, classifications, issuer details, and pricing. Index Constituent Data – Required for benchmark-relative reporting or index-based rules. Derivative Instrument Data – Includes underlying asset, price, contract size, and delta; available for standard instruments. CIS (Collective Investment Schemes) Data – Covers UCITS classification, investment restrictions, and asset class breakdowns. Investor Communications-specific data – Often sourced from the fund administrator and includes share class prices, AUM, dividends, static data, and performance history. We maintain integrations with major fund administrators and prime brokers, enabling efficient onboarding and data flow. Where needed, we can also source data directly (e.g., via ICE). |
| Do clients need to arrange licenses for third-party data feeds, or are any provided under your agreements? | Funds-Axis offers flexibility in how third-party data is sourced and licensed. Clients have two main options: Use of Funds-Axis Licensed Data We maintain licensing agreements with selected data providers (e.g., ICE) and can supply security and ratings data directly under our license. This is available for a fixed fee (e.g., £6 per security, up to 6,000 unique securities) and includes access to key data such as security identifiers, classifications, and credit ratings. This approach can reduce implementation time and simplify onboarding. Please note: when using our licensed data, there may be restrictions on how the data can be extracted or stored outside the platform, in line with provider licensing terms. Client-Supplied Data Alternatively, clients may choose to provide their own licensed data from providers such as Bloomberg, Refinitiv, Morningstar, or others. In this case, the client is responsible for ensuring appropriate licensing is in place. We are happy to support either model and will work with clients to determine the most efficient and compliant approach. |
| Do you provide a demonstration or test environment for user acceptance testing (UAT) and familiarisation prior to go-live? | Yes, Funds-Axis provides access to a dedicated client environment to support user acceptance testing (UAT) and familiarisation with the platform. Rather than using a generic demo site, we prioritise giving clients early access to their own configured environment, as this allows for more meaningful testing using familiar data and workflows. Within this environment, clients will also have access to: Sandbox portfolios pre-loaded with test data Custom test portfolios for bespoke testing scenarios Full platform functionality to simulate live operations This environment is typically available within two weeks of project initiation, enabling clients to begin testing and training well in advance of go-live. |
| What controls and procedures do you have in place to ensure a smooth transition during client onboarding? | Funds-Axis follows a structured and quality-assured onboarding process designed to ensure a smooth and efficient transition for every client. Our approach minimises client effort while ensuring a fully configured, tested, and ready-to-use platform within a typical timeframe of 4 weeks. Key control procedures include: Dedicated Onboarding Management A named project manager to oversee delivery A time-bound, standardised project plan A comprehensive onboarding pack including training and test documentation Quality Assurance & Internal Governance Internal project approval and oversight processes Standardised implementation and testing plans Multi-stakeholder internal sign-off, including compliance, risk, data, and automation teams Robust Testing Framework Internal testing by the implementation team prior to handover Independent review by the Managed Services team to validate readiness Multi-layered testing including data validation, rule execution, and exception handling Clients are provided access to their configured environment, along with training and support, ensuring they are fully prepared for go-live with minimal disruption. |
| Do you have a dedicated project management function, and how do you manage client migrations for core modules (excluding Investor Communications)? | Funds-Axis has a dedicated project management function that oversees all client onboarding and migration activities. Each implementation is led by a named Project Manager, who coordinates across multiple specialist teams to ensure a smooth and efficient transition. The Project Manager will track and report on project progress, setting up a governance structure to ensure the project is completed smoothly and on time. Our migration approach includes contributions from the following key teams: Projects Team - Leads the implementation, including portfolio setup, data integration, user configuration, and end-to-end testing. Intelligent Automations Team - Manages automated data ingestion, enrichment, and sequencing, ensuring seamless integration with client data sources Enterprise Data Management (EDM) - Oversees daily data flow monitoring, data quality assurance, and remediation processes. Rules Team - Ensures all regulatory and mandate rules are correctly configured, assigned, and tested. Risk Team - Validates the setup of derivatives and ensures accurate leverage and exposure calculations. Investment Compliance Team - Provides final sign-off on the implementation, confirming readiness for go-live from a compliance and operational perspective. This structured, cross-functional approach ensures that each client migration is delivered with precision, quality assurance, and minimal disruption. |
| How is roadmap planning managed across your platform and client onboarding processes? | Funds-Axis manages roadmap planning through two dedicated functions: Platform Roadmap - Overseen by the Platform Management Team, this roadmap governs the strategic development of platform features, enhancements, and regulatory updates. It is shaped by client feedback, industry trends, and regulatory change. Client Onboarding Roadmap - Managed by the Projects Team, this roadmap ensures timely and structured onboarding for each client. It includes planning for implementation milestones, resource allocation, and delivery timelines. For the Investor Communications module, onboarding is managed by the InvestorComms Team, who provide a tailored onboarding plan based on the specific services selected. Both roadmaps are closely aligned to ensure that platform evolution and client delivery remain coordinated and responsive to client needs. |
| What is your approach to user testing, and what support is provided during this phase (excluding Investor Communications)? | Funds-Axis provides a comprehensive and flexible user testing framework to support client assurance and familiarisation prior to go-live. Our approach recognises that different clients have different testing preferences and internal processes. Key components include: Pre-Configured Testing Documentation As part of the implementation, Funds-Axis performs and documents a full suite of system tests. This includes validation of data uploads, rule execution, exposure calculations, and reporting outputs. The test documentation is shared with the client to support review and sign-off. Standard Testing Checklist Clients are provided with a step-by-step testing checklist that can be used to independently verify system setup. This includes checks on user permissions, portfolio configuration, rule application, and data integrity. It is designed to be completed in approximately one day and serves as both a validation tool and a training aid. Sandbox Environment Clients have access to a dedicated environment with test portfolios and data, allowing for hands-on testing and scenario simulation. Testing can be led by Funds-Axis or executed by the client, depending on preference. Our goal is to ensure clients are fully confident in the system's readiness and functionality before go-live. |
| What governance structure do you have in place for project implementation, onboarding, and migration? | Funds-Axis applies a structured governance framework to all client onboarding and migration projects, ensuring clear accountability, timely delivery, and transparent communication. Key elements include: Dedicated Project Manager A named Project Manager is assigned to each client and acts as the primary point of contact. They are responsible for coordinating internal teams, managing the project plan, and overseeing onboarding and migration activities. Standardised Governance Tools The Project Manager maintains and monitors key governance artefacts, including: - Project and onboarding plans - Standardised implementation and testing plans - RAID logs (Risks, Assumptions, Issues, Dependencies) - Change control processes Regular Communication Weekly project calls are held to track progress, address issues, and align on next steps. Any deviations from the agreed plan are escalated and managed through formal governance channels. This governance model ensures that all stakeholders are aligned and that the project remains on track from initiation through to go-live. |
| What is your current client onboarding schedule, and how do you manage new transitions within your roadmap and BAU operations? | Funds-Axis manages client onboarding through a structured, capacity-aware approach that ensures each implementation receives dedicated attention without impacting business-as-usual (BAU) operations. We typically onboard clients one at a time, allowing for focused delivery and quality assurance. Our onboarding pipeline is healthy, and we anticipate onboarding a mix of small and medium-sized clients in the upcoming quarter. A medium-sized client - such as one with multiple portfolios and moderate complexity - can typically be onboarded within 4 to 6 weeks. Each new client is integrated into our onboarding roadmap and resourced accordingly. We maintain clear separation between onboarding and BAU teams to ensure that ongoing client support remains unaffected. This model allows us to scale efficiently while maintaining high service standards. |
| Question | Funds-Axis Response |
|---|---|
| What Service Level Agreements (SLAs) govern the client relationship? | Funds-Axis operates under a structured SLA framework that covers all key aspects of service delivery and support. This typically includes: Managed Services SLA - Outlines the scope, responsibilities, and performance standards for any bespoke managed services provided. Change Request SLA - Defines timelines and procedures for handling client-initiated system changes or enhancements. Support SLA - Covers the classification, response, and resolution times for bugs, issues, and support queries. These SLAs are designed to ensure transparency, accountability, and high service quality throughout the client relationship. Full SLA terms are provided during onboarding and can be tailored to meet specific client needs. |
| Can clients request amendments to the SLA to reflect their evolving business needs? | Yes, Funds-Axis is flexible in tailoring Service Level Agreements to meet individual client requirements. We are happy to work collaboratively with clients to create or amend SLA terms - particularly within the Managed Services SLA - to ensure alignment with evolving business priorities, operational models, or regulatory obligations. |
| What is the process for raising and escalating complaints or concerns? | Clients have access to multiple contact points, including operational staff, team leads, and account managers. Regular meetings (e.g., operational check-ins and quarterly SLA reviews) provide structured opportunities to raise issues. Concerns can also be escalated at any time through the defined contact chain, up to senior management. Full details are provided in the supporting documentation. |
| How frequently are formal service reviews conducted? | Formal service reviews are typically held on a quarterly basis. In addition, service performance is monitored internally on a monthly basis to ensure ongoing compliance with agreed standards. |
| What management information (MI) is provided to track SLA performance? | SLA performance is tracked through multiple channels: For managed services, daily operational data is recorded, including delivery times against agreed targets. This is reviewed during service meetings. For issues and change requests, items are logged and tracked in an internal system based on priority. Progress updates and SLA status reports are shared regularly and discussed during operational meetings. All relevant MI is available to support performance transparency and continuous improvement. |
| Will a dedicated relationship manager and service representative be assigned to our account? | Yes, a named Relationship Manager will be assigned to your account to ensure consistent communication and support. |
| Do you conduct regular review meetings with clients? If so, how often? | Yes, regular review meetings are held with clients. The frequency and structure are tailored to each client’s needs and outlined in the supporting documentation. For most modules, this typically includes weekly, bi-monthly, or monthly operational calls, along with formal quarterly SLA reviews. For the Investor Communications module, meetings are generally held monthly, with increased frequency during project implementation phases. |
| Where will our account be serviced from? | Your account will be primarily serviced from a central office location within your time zone, ensuring direct support and account management. Additional support may be provided by remote teams in other regions to enhance operational and technical coverage. |
| What training will be provided to help us understand your services and systems? | Initial training is delivered during onboarding through tailored sessions covering system functionality, workflows, and best practices. Ongoing training is available at a frequency aligned with your team's needs, including ad-hoc sessions for new features or specific queries. Training can be customised by user role, and supplemental materials are provided for self-paced learning and reference. |
| How do you support clients in staying informed about regulatory changes? | We actively monitor regulatory developments and provide timely updates through built-in tracking features and client communications. Each change is assessed for system impact, and necessary updates are incorporated into our product roadmap. Key support includes: Automated Updates: System changes are implemented automatically to maintain compliance. Client Notifications: Clients are proactively informed about relevant updates and their implications. System Enhancements: New data fields, reports, or rules are added as needed to reflect regulatory requirements. Details of recent or upcoming changes are shared through regular updates and supporting documentation. |
| What are your system availability hours and uptime commitments? | The system is available 24/7, with standard access typically provided between 6:00 AM and 10:00 PM GMT (subject to variation). Extended or round-the-clock availability can be arranged as a premium service. We target 99% uptime across all services. Maintenance is scheduled outside of business hours to minimise disruption, and clients are notified in advance of any planned downtime. System performance and availability are continuously monitored to ensure service reliability. |
| What are your system support and helpdesk hours (excluding Investor Communications)? | Support services are available across multiple time zones to ensure broad coverage: Standard Support Hours: UK & Europe: Monday to Friday, 7:00 AM to 5:00 PM (UK time) US: Monday to Friday, 7:00 AM to 7:00 PM (Eastern Time) Clients can raise support tickets directly through the platform. Response times are prioritized based on issue severity to minimize disruption to operations. |
| Do you offer user groups for client collaboration and feedback? | Yes, we facilitate dedicated user groups focused on key service areas such as compliance, reporting, and documentation. These forums enable clients to share insights, discuss challenges, and contribute to product development. Regular feedback sessions also promote the exchange of ideas and best practices, supporting continuous improvement. |
| Do you provide a service desk for handling service-related issues (excluding Investor Communications)? | Yes, a dedicated Service Desk is available for all service-related issues. Clients can raise tickets directly through the platform, with issues categorised by severity and prioritized accordingly. The Service Desk operates during core support hours and provides assistance with technical, functional, and performance-related matters. All issues are addressed in line with our Service Level Agreement (SLA) to ensure timely resolution. |
| How are service issues monitored and categorised (excluding Investor Communications)? | All service issues are tracked through the Service Desk, which provides real-time monitoring of ticket status and resolution progress. Clients can view updates directly through the platform. Issues are categorized by severity and business impact using the following grading system: Severity 1 (Critical): Major outages or failures affecting a majority of users. Immediate response with continuous resolution efforts. Severity 2 (High): Significant functional issues impacting essential operations. Response within 2 business hours. Severity 3 (Medium): Moderate issues or degraded performance. Response within 8 business hours. Severity 4 (Low): Minor or cosmetic issues with minimal operational impact. Response within 24 business hours. |
| Do you provide a service desk (excluding Investor Communications)? | Yes, we offer a built-in ticketing system for users to log and track support requests. |
| What is your support SLA? | Our SLA covers issue resolution, change requests, and managed services. Detailed terms are outlined in the contract annexures. |
| Where is your Service Desk located, and what are its operating hours (excluding Investor Communications)? | The Service Desk operates from multiple global locations to ensure broad time zone coverage, including primary offices and remote support centers. Operating Hours: UK & Europe: Monday to Friday, 7:00 AM to 5:00 PM (UK time) US: Monday to Friday, 7:00 AM to 7:00 PM (Eastern Time) This setup ensures timely and efficient handling of service-related issues across regions. |
| Where is your technology platform supported from, and is 24-hour coverage available for UK-based clients? | Our technology platform is supported from multiple global locations, including primary offices and dedicated support centers. This distributed model ensures seamless platform management and continuous monitoring. While standard support hours for UK-based clients are 7:00 AM to 5:00 PM (UK time), the platform is monitored 24/7 to ensure uptime and immediate response to critical issues outside of business hours. |
| How are problems raised, and what is your process for issue resolution, prioritisation, SLA response times, and dispute resolution (excluding Investor Communications)? | Clients can raise issues via the helpdesk ticketing system, email, or phone. Issues are prioritized based on severity, with response and resolution times governed by our SLA: Priority 1 (Critical): Immediate response, target fix within 4 hours Priority 2 (High): Response within 2 hours, fix within 8 hours Priority 3 (Medium): Response within 8 hours, fix within 24 hours Priority 4 (Low): Response within 24 hours, fix within 5 business days Unresolved issues follow a structured escalation process, starting with the Client Relationship Manager and escalating to senior management if necessary. Disputes may be referred to external mediation where appropriate. |
| How do you receive communication and feedback from clients? | We assign dedicated relationship managers and hold regular service review meetings to ensure open communication and timely feedback. |
| Question | Funds-Axis Response |
|---|---|
| Describe the end-to-end user journey for your product or portal. | We simplify complex processes. Clients submit data, which is automatically transformed, enriched, and loaded. Supplementary data is integrated, followed by calculations and rule-based checks. Results are displayed in a compliance workflow with full breach history. All holdings and calculations, including leverage, are accessible with time-stamped records. |
| How is portfolio data fed into your system? | Data is typically sent via secure sFTP for automated transformation and upload. We can also retrieve data from administrator portals, accept secure emails, or support manual uploads. |
| How is market data integrated? Do you support multiple vendors (e.g., Bloomberg, LSEG)? | Yes, we support defined integrations with major market data providers, including Bloomberg, ICE, and LSEG Refinitiv. |
| What data quality checks are built into the system? | Comprehensive checks occur at multiple stages: upon data receipt, during upload (e.g., mandatory fields, valid values), and within the system itself. |
| Can users add new variables or data fields to the system? | Users can create custom data items using existing fields, which can also be used in rules. While on-demand field creation is limited by design, additional fields can be added upon request. The system already includes hundreds of predefined elements for regulatory and reporting needs. |
| How does the system manage missing data? | Handling varies by data type. The system uses automated ETL processes to enrich or repair missing or invalid data. Options include blocking file or record uploads, applying default values, or leaving fields blank - depending on the scenario. |
| What user profiles are available in the system? | User access is fully configurable across modules, portfolios, permissions, and rules. We also offer recommended standard profiles to streamline setup. |
| What additional data is required for the product or specific features to function? | Core data includes holdings, security, and issuer-level information. Additional data may be needed based on functionality - e.g., index constituents for rule checks, derivative details (underlying, price, contract size, delta), and comprehensive CIS data for regulatory and mandate rules. We can provide much of this data as a service. |
| How can results and reports be accessed or extracted from the system? | Results and reports can be accessed manually or delivered via scheduled reports, including email distribution. |
| Do you offer standard data interfaces for connecting with external data providers? | Yes, we have integrations with 30+ administrators and data vendors. While not API-based, these enable seamless receipt, transformation, and upload of standard files. |
| How do you monitor regulatory changes across jurisdictions? | Our Regulatory Team actively monitors updates across jurisdictions for compliance, reporting, disclosures, and investor documentation. All changes are assessed for system impact, and development requests are raised as needed. |
| How is regulatory alignment maintained? | For investment compliance, regulations evolve slowly and typically with advance notice. Most changes are already covered within our existing rule sets, minimizing the need for additional development. |
| What is your commercial model for maintaining regulatory content? | Maintaining regulatory libraries is part of our core service and comes at no extra cost. Some clients also subscribe specifically for access to our regulatory content. |
| How do you handle situations where the software becomes non-compliant with regulations? | We are committed to maintaining compliance at no additional cost. Regulatory changes are monitored, assessed for product impact, and prioritized in our development roadmap - especially for disclosure and reporting modules. |
| Question | Funds-Axis Response |
|---|---|
| Do you enforce least privilege and role-based access control? | Yes, we follow AWS IAM best practices, including least privilege, role-based access, and multi-factor authentication (MFA). |
| Do you use AWS IAM Access Analyzer? | Yes, we use AWS IAM Access Analyzer to continuously monitor and analyze permissions granted to our AWS resources. |
| How do you monitor your cloud security posture? | We use AWS Security Hub to continuously monitor and assess our cloud environment for compliance and security risks. |
| Are your container images scanned for vulnerabilities? | Yes, Amazon Inspector is used to scan container images stored in Amazon ECR. |
| How do you manage secrets and credentials? | We use AWS Secrets Manager with automatic rotation for secure storage and management of secrets. |
| Are backups performed regularly? | Yes, we use AWS Backup to automate and manage backups across our environment. |
| How do you ensure governance and compliance across your cloud infrastructure? | We use AWS Config to continuously evaluate the configuration of AWS resources against compliance rules and best practices. |
| How do you monitor and log activities in your environment? | We use AWS CloudTrail and Amazon CloudWatch for comprehensive logging and monitoring of activities in our environment. |
| Do you have a SIEM in place? | Yes, we use SumoLogic for centralised log aggregation, monitoring, and alerting. |
| How do you detect and respond to threats? | We use Microsoft Defender for real-time threat detection and automated response, supported by documented incident response playbooks. |
| Do you perform vulnerability assessments? | Yes, we use Microsoft Defender, AWS Inspector, and DefectDojo to identify and manage vulnerabilities. |
| How do you track and manage vulnerabilities across your environment? | We use DefectDojo to centralise vulnerability data from multiple scanners and manage remediation workflows. |
| Do you monitor your external attack surface? | Yes, we use SecurityScorecard to continuously monitor and assess our public-facing assets. |
| What endpoint protection is in place? | We use Microsoft Defender for Endpoint Detection and Response (EDR/XDR) and Windows Defender ATP for antivirus protection. |
| Do you use a VPN for secure remote access? | Yes, we use OpenVPN Access Server to provide secure remote connectivity. |
| How is DNS traffic protected? | We use Pi-Hole DNS sinkhole to block malicious domains and ads. |
| Do you have a Host IDS in place? | Yes, we use Microsoft Defender as our Host Intrusion Detection System (IDS). |
| Do you have Active Response capabilities? | Yes, we use Microsoft Defender for automated threat response. |
| Do you test your applications for security vulnerabilities? | Yes, we use OWASP ZAP for DAST and Snyk, Semgrep, and Trufflehog for SAST. |
| Is code quality and security reviewed during development? | Yes, we use SonarCloud integrated into our CI/CD pipeline to ensure code quality and security. |
| Do you perform threat modeling? | Yes, we use OWASP Threat Dragon to identify and mitigate design-level threats. |
| How do you manage third-party risk? | We use ServiceDesk Plus for vendor tracking, conduct periodic security reviews, and monitor external risk via SecurityScorecard. |
| Do you report on security metrics? | Yes, we provide monthly security metrics and KPIs to our executive board. |
| How do you ensure compliance with security standards? | We use AWS Config and Security Hub to continuously monitor compliance with internal and external standards. |
| Do you have a Business Continuity Plan (BCP)? | Yes, we maintain a BCP and conduct regular tabletop exercises. |
| How is data protected? | Data is encrypted at rest and in transit, and we use DLP measures to prevent data loss. |
| How do you manage secrets and credentials? | We use AWS Secrets Manager with automatic rotation for secure storage and management of secrets. |
| Are backups performed regularly? | Yes, we use AWS Backup to automate and manage backups across our environment. |
| Do you have documented incident response playbooks? | Yes, we have documented Incident Response Plans and automated playbooks to ensure swift and effective response to incidents. |
| Question | Funds-Axis Response |
|---|---|
| Do you have a security and privacy program with documented policies? | Yes, we maintain a formal Information Security Management System (ISMS) aligned with ISO 27001 and a Quality Management System (QMS) aligned with ISO 9001. These include documented policies covering information security, privacy, access control, cloud usage, and incident response. Policies are reviewed and updated regularly to reflect evolving risks and regulatory requirements. |
| Are your privacy and security policies publicly available? | Yes, our core policies, including Privacy, Information Security, and Quality, are published on our website for transparency and stakeholder assurance. |
| Is there a designated security/privacy lead? | Yes, a Chief Information Security Officer (CISO) or equivalent role is responsible for overseeing our security and privacy programs, ensuring compliance, and managing risk. |
| Who can be contacted for security/privacy enquiries? | Security and privacy-related inquiries can be directed to our CISO or designated security contact, whose details are available upon request. |
| Do you hold any security or privacy certifications? | Yes, we are certified under ISO 27001 for information security and ISO 9001 for quality management, demonstrating our commitment to best practices and continuous improvement. |
| Do you provide security awareness training? | Yes, all staff undergo security awareness training during onboarding and annually thereafter. Training covers key topics such as data protection, phishing, social engineering, and incident reporting, with regular updates on emerging threats. |
| How are security and privacy policies enforced and communicated? | Policies are enforced through onboarding, annual training, and regular internal communications. Updates and reminders are issued by our security team to ensure ongoing awareness and compliance. |
| Can you demonstrate compliance with your security and privacy program? | Yes, we hold ISO 27001 and ISO 9001 certifications, undergo annual external audits, and conduct regular internal audits to validate the effectiveness of our controls. |
| Do you assess compliance of third-party vendors? | Yes, all third-party vendors are subject to annual reviews and must comply with our security and privacy requirements as outlined in our vendor management policy. |
| Do you assess third-party vendors and control their data access? | Yes, all third-party vendors are subject to due diligence and annual reviews. Access to client data is restricted and only granted under specific, controlled circumstances, if at all. |
| Do you have an incident response policy? | Yes, we maintain a documented Incident Response Plan that defines security incidents and data breaches, and outlines procedures for detection, reporting, and resolution. |
| Do you have a business continuity plan? | Yes, we have a Business Continuity and Disaster Recovery Plan that ensures operational resilience and service availability during disruptions. |
| What are your backup and restore processes? | Daily backups are performed with 7-day retention and point-in-time recovery. Systems are designed for high availability with automated failover. RPO is 12 hours and RTO is 3 hours, with coordinated backups ensuring consistency across systems. |
| What are your Recovery Time Objective (RTO) and Recovery Point Objective (RPO) in a business continuity or disaster recovery scenario? | Our disaster recovery framework is designed to ensure rapid service restoration and minimal data loss: Recovery Point Objective (RPO): 12 hours. Recovery Time Objective (RTO): 3 hours. These targets support business continuity by minimising downtime and preserving data integrity during unexpected disruptions. |
| What disaster recovery (DR) arrangements are in place, and how are they tested? | Our disaster recovery framework includes the following: Testing Frequency: DR procedures are tested biannually to ensure readiness. Last Test: Conducted in March 2025. Test Outcome: Successful, with a Pass, Satisfactory - rating. A summary report is available upon request. DR Infrastructure: On-premise coordination from our UK office. Cloud-based infrastructure hosted on Amazon Web Services (AWS), providing high availability, redundancy, and failover across multiple availability zones. |
| How do you manage ongoing compliance and regulatory updates? | We monitor regulatory changes, maintain a dedicated compliance team, and implement updates through automated rule changes. Clients are kept informed, and regular audits ensure continued compliance. |
| Do you have a data access control policy with monitoring? | Yes, access to systems and data is governed by a formal Access Control Policy. Access is role-based, granted on a need-to-know basis, and monitored using security tools to detect unauthorized activity. |
| Do you monitor system access? | Yes, system access is controlled and continuously monitored using tools such as Security Information and Event Management (SIEM) and Intrusion Detection Systems (IDS). |
| How is user management handled in your solution? | User access is managed through role-based controls aligned with organisational structure, following OWASP best practices for authentication and session security. |
| Do you support SSO via Azure AD? | SSO via Azure AD is planned for a future release. |
| Do you enforce a password policy and MFA? | Yes, we enforce a strong password policy and require Multi-Factor Authentication (MFA) for all users to enhance account security. |
| What is your solution’s IT architecture? | Our solution is hosted on AWS using Docker containers managed via ECS for scalability and high availability. The backend is built with Java 17 and Spring Boot, while the frontend uses Vue.js. PostgreSQL is used for data storage via AWS RDS. CI/CD is managed with Jenkins and Terraform, with full encryption and monitoring in place. |
| Briefly describe your technology stack. | Our stack includes Java, Spring Boot, Vue.js, PostgreSQL, and Docker, hosted on AWS. We use JWT for authentication, REST APIs for integration, and tools like Sisense and Jasper for reporting. |
| What is your underlying technology and database stack? | We use Java 17 with Spring Boot for backend, Vue.js for frontend, and PostgreSQL 13 for data management. The platform is hosted on AWS and uses Docker, Jenkins, and Terraform for CI/CD and infrastructure automation. |
| Can you provide a high-level architecture diagram? | Yes, a high-level architecture diagram is available upon request. |
| Where are your systems and data hosted? | All systems and data are hosted on AWS in the EU (Ireland region). Data is replicated across availability zones for resilience and complies with GDPR. |
| Do you manage your own data centers? | No, we use secure, geographically appropriate cloud infrastructure (e.g., AWS in Europe) to host our applications and data, benefiting from their physical and logical security controls. |
| Do you use a CMDB with automated asset discovery? | Yes, we maintain a Configuration Management Database (CMDB) that supports automated discovery of IT assets, helping ensure accurate inventory and change management. |
| Do you outsource any part of the service? | No core services are outsourced. Cloud hosting is provided by AWS, and internal support may be provided by a wholly owned subsidiary under full governance. |
| Is sensitive data encrypted in transit? | Yes, all data transmitted over networks is encrypted using industry-standard protocols such as SSL/TLS to ensure confidentiality and integrity. |
| Is sensitive data encrypted at rest? | Yes, data stored in our systems is encrypted at rest using secure encryption standards to protect against unauthorised access. |
| How is the system accessed and is data encrypted? | The system is accessed via secure internet connections using standard web browsers. Data is encrypted in transit using TLS and at rest using AES-256 encryption. |
| How is data security maintained during testing and implementation? | All development and testing are conducted in isolated environments using sandbox data, no client data is used. Developers have no access to production systems. Clients are provided with test environments and portfolios to validate rules and scenarios safely before going live. |
| Does your solution support REST APIs? | Yes, our platform is built with an API-first approach and supports RESTful APIs for all core functionalities. |
| How is API authentication handled? | Authentication is managed using JWT tokens issued after login. |
| How is API authorization handled? | Authorization is role-based, with permissions configured to control access to specific data and features. |
| Is any software installation required on client systems? | No, our solution is delivered as Software as a Service (SaaS), requiring no installation or access to client infrastructure. |
| How is your software updated? | We use a Continuous Integration/Continuous Deployment (CI/CD) approach to manage software updates. This ensures timely deployment of new features, patches, and security fixes. |
| Describe your release management process. | We follow a CI/CD process for automated deployments, ensuring timely and reliable software releases. |
| How are patches and hotfixes applied? | Patches and hotfixes are deployed through our CI/CD pipeline to ensure rapid and consistent updates. |
| What is your upgrade and release methodology? | We use Agile and CI/CD for automated deployments. Releases undergo automated and manual testing in a staging environment. Clients are notified in advance of scheduled updates and receive release notes post-deployment. |
| What server logs do you maintain and how are they monitored? | We use a centralized monitoring platform to collect and analyze server logs, including system events, access logs, and performance metrics. Logs are continuously monitored for anomalies and retained per our data retention policy. |
| Do you perform vulnerability scanning and penetration testing? | Yes, we conduct regular automated vulnerability scans and annual third-party penetration tests to identify and remediate security risks. |
| Do you have a server update and patching policy? | Yes, we follow a structured patch management process as part of our CI/CD pipeline to ensure timely updates in response to security threats and software improvements. |
| Do you have a server security policy and how is data integrity maintained? | Yes, our server security policy includes controls for secure configuration, monitoring, and data integrity. We use cloud-native tools and best practices to manage and protect our infrastructure. |
| How is capacity management handled in your product? | Capacity is managed through continuous monitoring of our cloud infrastructure, with auto-scaling and proactive traffic analysis to ensure optimal performance. |
| What scalability options are available (horizontal/vertical/storage)? | Our solution supports both horizontal and vertical scaling using cloud-native auto-scaling features, with flexible storage capacity to meet growing demands. |
| Are there any capacity limits? | There are no fixed limits. Resources scale dynamically based on usage patterns and system demand. |
| What are your standard response times for user queries? | Response times vary by query type and severity. Performance is continuously monitored to meet service expectations. |
| What are your daily operational activities (e.g., batch jobs, file transfers)? | We run scheduled batch jobs for data processing and reporting, perform daily database backups, and support secure file transfers via SFTP. Systems are continuously monitored and auto-scaled for performance and reliability. |
| Do you have an equipment disposal policy? | Yes, we follow a formal IT asset disposal policy that ensures secure decommissioning and data sanitization of all hardware in compliance with industry standards. |
| What is your process for bespoke development requests and are enhancements included in the contract term? | Clients can submit bespoke development requests via their Relationship Manager. Each request is reviewed for feasibility and alignment with our roadmap. Approved items are prioritized and scheduled based on impact and complexity. Most enhancements are included at no extra cost, and clients are kept informed throughout. Custom reports can also be developed as needed. |
| Do clients contribute to product development? | Yes, client feedback is actively encouraged and incorporated through relationship managers and feedback sessions. Requests are evaluated and prioritized based on broader client benefit. |
| What are your strategic plans and roadmap? | We maintain roadmaps for infrastructure, product, and specific modules. These are aligned with client needs, regulatory changes, and innovation goals. Key items include AI enhancements, workflow automation, and jurisdictional updates. |
| Question | Funds-Axis Response |
|---|---|
| Do your systems and procedures meet GDPR Article 32 requirements for data security? | Yes, our systems, IT infrastructure, and data protection procedures comply with Article 32 of the GDPR, ensuring the security, integrity, and confidentiality of all data, including investor information. |
| Are you compliant with data protection regulations in relevant jurisdictions? | Yes, we comply with all applicable data protection regulations across the jurisdictions in which we operate. Our Data Protection Policy outlines our approach to safeguarding personal and sensitive data, including defined processes and responsibilities. |
| Does your Privacy Notice meet GDPR requirements? Please provide a link. | Yes, our Privacy Notice complies with GDPR requirements. It is publicly available at https://funds-axis.com/privacy-cookies/. |
| Please provide DPO contact details or explain why a DPO is not appointed. | Trevor Dempster, our Chief Information Security Officer (CISO), currently fulfils the responsibilities of a Data Protection Officer. He can be contacted at trevor.dempster@funds-axis.com for any data protection enquiries. |
| Who is your EU Representative under GDPR Article 27, if applicable? | Trevor Dempster serves as our EU Representative under Article 27 of the GDPR and can be contacted at trevor.dempster@funds-axis.com. |
| How often are your data protection policies reviewed? | Our data protection policies and procedures are reviewed annually to ensure ongoing compliance with regulatory requirements and industry best practices. |
| Do you transfer personal data to any sub-delegates? | No, we do not transfer personal data to any sub-delegates. As standard, we do not collect or process personal data beyond user email addresses. |
| If yes, please list sub-delegates, their locations, and data storage locations. | We have a wholly owned subsidiary and a managed services team based in India that support technology development and infrastructure maintenance. However, we do not collect or process personal data beyond user email addresses. |
| Will you provide advance notice of new sub-delegates, especially for non-EEA data transfers? | Confirmed. We will provide advance notification of any new sub-delegates, particularly where data transfers to non-EEA countries are involved. |
| Are sub-delegates contractually required to meet GDPR standards, including safeguards for non-EEA transfers? | Yes, all sub-delegates are contractually required to provide data protection equivalent to GDPR standards. Non-EEA data transfers are safeguarded using mechanisms such as Binding Corporate Rules or EDPB-approved Standard Contractual Clauses. |
| Do you have written consent from data subjects to outsource or delegate data processing? | Not applicable. We do not outsource or delegate data processing activities that require written consent from data subjects. Please refer to the earlier note regarding our 100% subsidiary in India, which supports non-personal data functions. |
| Have all authorised personnel committed to data confidentiality? | Yes, all personnel authorised to process personal data are contractually bound by confidentiality obligations, in line with our internal policies and applicable data protection laws. |
| Do you have a process for managing data subject rights requests? | Yes, we have a defined process for handling data subject rights requests, ensuring timely and compliant responses in accordance with GDPR and other applicable regulations. |
| Do you maintain a GDPR-compliant Record of Processing Activities (RoPA)? | Yes, we maintain an up-to-date Record of Processing Activities in accordance with Article 30 of the GDPR, covering all relevant processing and sub-processing activities. |
| Do you have procedures for handling personal data breaches in line with GDPR? | Yes, we have GDPR-compliant procedures in place for identifying, managing, and reporting personal data breaches, including internal escalation protocols and notification timelines. |
| Will all relevant stakeholders be informed of personal data breaches without undue delay? | Yes, we are committed to notifying all relevant stakeholders, including AIFMs, Investment Managers, and Management Companies, without undue delay in the event of a personal data breach. |
| How are employees trained on data protection and breach reporting? | Employees receive data protection training during onboarding and through regular internal sessions. This includes awareness of our data protection policies, breach reporting procedures, and their individual responsibilities. |
| Do you have procedures for identifying and conducting DPIAs where required? | Yes, we have established procedures to assess whether a Data Protection Impact Assessment (DPIA) is required. Where applicable, DPIAs are conducted to evaluate and mitigate risks in line with GDPR requirements. |
| Will you notify a client DPO immediately if asked to act against data protection laws? | Yes, we are committed to immediately notifying the client’s DPO if we are ever instructed to undertake any action that may infringe GDPR or other applicable data protection laws. |
| Question | Funds-Axis Response |
|---|---|
| Do you have a charity or philanthropy programme? Please summarise recent activity. | Yes, we have a Charity Committee that coordinates regular fundraising and volunteering initiatives. We are proud corporate sponsors of several organisations, including: Action Cancer – providing cancer prevention, detection, and support services in Northern Ireland. NSPCC Northern Ireland – working to protect children and prevent abuse. Basis.Point – supporting educational equality for children experiencing disadvantage in Ireland. Our employees actively participate in events supporting these causes throughout the year. |
| Do you have a diversity and inclusion policy? | Yes, we have a formal Diversity & Inclusion policy that promotes an inclusive, respectful, and equitable workplace for all employees. |
| Do you use zero-hour contracts? | No, we do not use zero-hour employment contracts. |
| Are you compliant with all relevant labour laws and regulations? | Yes, we comply with all applicable labour laws and employment regulations in the jurisdictions where we operate. |
| Do you have a health and safety policy? | Yes, we maintain a comprehensive Health & Safety policy to safeguard the well-being of our employees and ensure a safe working environment. |
| Are you aligned with the UN Global Compact Principles? | Yes, we are committed to the UN Global Compact Principles, integrating sustainability, ethical conduct, and responsible business practices across our operations. |
| Have you appointed a Head of ESG or equivalent? | Yes, ESG and sustainability oversight is provided at Board level, ensuring strategic alignment and accountability across the organisation. |
| Do you have a waste management policy? | Yes, our Waste Management Policy is embedded within our Physical Security Procedure, ensuring responsible handling, disposal, and environmental compliance across our operations. |
| Do you have an energy management policy? | Yes, energy management is addressed within our Community and Social Responsibility Policy, reflecting our commitment to energy efficiency and sustainable operational practices. |
| Do you have an ESG, environmental, or sustainability policy? | Yes, we follow a comprehensive Community and Social Responsibility Policy that incorporates environmental sustainability, ethical conduct, and responsible business practices. |
| Do you monitor CO₂ emissions? If so, please provide data or plans to monitor and reduce. | We are in the process of implementing emissions monitoring, with a focus on reducing our carbon footprint. Our primary emissions source is cloud infrastructure, and we plan to use the AWS Customer Carbon Footprint Tool. We are committed to achieving net-zero emissions by 2026. |
| Have you set science-based targets to reduce carbon emissions? | We have not set formal science-based targets, as we are committed to achieving net-zero emissions by 2026 - a timeline that aligns with or exceeds typical reduction pathways. |
| Do you hold any ISO 14000 certifications? | No, we are not currently certified under ISO 14000. However, we hold ISO 27001 for information security management and ISO 9001 for quality management. |
