Visit Funds-Axis Trust Center for more information about our security policies, compliance and audit reports.
Trust and Security
This Data Security Statement outlines our commitment to protecting the privacy and confidentiality of the information you entrust to us.
Data Security Procedures
- Trust
- Standards & Compliance
- Infrastructure
- Application & Infrastructure Security
- Workplace Security
- Data Protection & Disaster Recovery
- Reporting a Security Issue
Trust
At Funds-Axis, trust is foundational to everything we do. We do not sell, rent, or share your corporate or personal data with third parties under any circumstances.
We use your data solely to deliver the services you have contracted with us, and only on a strict need-to-know basis. Our internal access controls, data handling policies, and employee training are all designed to uphold the confidentiality and integrity of your information at every stage.
We are committed to transparency and accountability in how we manage and protect your data.
Standards & Compliance
Funds-Axis is certified and compliant with leading international standards and regulatory frameworks to ensure the highest levels of security, quality, and operational resilience.
- ISO 27001 (Information Security Management Systems)
- ISO 9001 (Quality Management Systems)
- Fully compliant with the Digital Operational Resilience Act (DORA)
- Fully compliant with the NIS2 Directive
Our Information Security Management System (ISMS) is subject to regular internal and external audits to ensure continuous improvement. We continuously monitor and enhance our controls to align with evolving regulatory requirements and industry best practices.
Our certificates and compliance reports are available to download within the Funds-Axis Trust Centre.

Infrastructure
Our infrastructure is built on industry-leading cloud platforms to ensure resilience, scalability, and security. We leverage Amazon Web Services (AWS) for hosting our client-facing applications and Microsoft Azure for managing internal systems and devices. Both platforms maintain rigorous compliance with global security standards and offer robust protections for data and systems.
- Our client-facing application is hosted on Amazon Web Services (AWS) within the European Economic Area, using ISO- and GDPR-aligned data centres with 24/7 physical security and strict logical access controls. Learn more about AWS’s certifications and security practices.
- AWS infrastructure is designed for high availability and fault tolerance, with built-in redundancy across multiple Availability Zones.
- Internal services and corporate devices are managed via Microsoft Azure Active Directory and Azure Intune, providing enterprise-grade endpoint protection, patch management, and remote wipe capabilities. Learn more about Azure’s security practices.
- We apply strict access controls and continuous monitoring to all infrastructure components to detect and respond to threats in real time.
Application & Infrastructure Security
Our client-facing application is hosted entirely on Amazon Web Services (AWS), which provides enterprise-grade security, resilience, and compliance. AWS maintains a wide range of global certifications and compliance frameworks, which you can explore in detail on the AWS Security Center.
We combine AWS’s native protections with our own rigorous security practices to safeguard customer data at every layer of the stack:
- We retain full governance over all AWS components where customer data is stored or processed.
- Our application is hosted in ISO- and GDPR-aligned AWS data centres located within the European Economic Area, featuring 24/7 physical security, biometric access controls, and strict logical access management.
- The platform is deployed across multiple AWS Availability Zones to ensure high availability, automatic failover, and built-in network redundancy, with a commitment to ≥99.9% uptime.
- All data is encrypted using AES-256 at rest and HTTPS (TLS 1.2+) in transit. SFTP Plus is used for secure file transfers.
- Encrypted VPN connections are used between corporate sites and AWS environments, and multi-factor authentication (MFA) is enforced for all client portals and administrative consoles.
- Each customer’s data is logically isolated in its own Virtual Private Cloud (VPC), preventing cross-tenant access.
- Login credentials are securely stored using industry-standard hashing algorithms, and secrets are managed through AWS Secrets Manager with strict access controls.
- Comprehensive audit logging is in place for all user and system activity, with centralised log retention and automated alerting for anomalous behavior.
- We conduct monthly internal vulnerability scans with immediate patching, and annual third-party penetration tests across both infrastructure and application layers.
- Our CI/CD pipelines include functional, regression, security, and usability testing, along with rigorous code reviews and Software Composition Analysis (SCA) to detect and remediate vulnerabilities in third-party dependencies.
Workplace Security
We enforce robust security controls across our people, devices, and physical environments to ensure a secure and compliant workplace:
- All corporate laptops and desktops (Windows 10/11) are centrally managed via Azure Intune, with full-disk encryption, anti-malware protection, automatic updates, enforced screen-lock policies, and remote wipe capability for lost or compromised devices.
- Access to services, source code repositories, production consoles, and third-party tools is secured using two-factor authentication (2FA) wherever possible.
- Employees are granted the minimum access required to perform their roles: Sales and Customer Relationship Managers have access to personal data, while Business-As-Usual (BAU) staff are limited to name and email address only.
- Background checks are conducted on all new hires, and confidentiality clauses are included in every employment contract.
- Regular security and GDPR refresher training is provided through our in-house online learning platform, with specialised modules for employees handling customer data.
- Continuous audit logging captures all user and administrator activities on corporate devices, with centralised log retention and automated alerting for anomalous behaviour.
- Our offices are protected by controlled entry systems, CCTV monitoring, and a strict clean desk policy.
Data Protection & Disaster Recovery
We design our systems with resilience, availability, and data integrity at the core, applying data privacy by design principles in full compliance with GDPR:
- Critical systems are replicated across multiple AWS Availability Zones for high availability and automatic failover, supporting a guaranteed uptime of ≥99.9%.
- Customer data is automatically backed up daily using encrypted cloud-based storage.
- Quarterly restore drills validate backup integrity and recovery effectiveness.
- A comprehensive Business Continuity and Disaster Recovery Plan is maintained and supported by our Incident Management team.
- Each customer’s data is logically isolated within dedicated environments to ensure data segregation and prevent cross-tenant access.
Reporting a Security Issue
If you suspect any vulnerability in the Funds-Axis HighWire application, please contact our CISO via trevor.dempster@funds-axis.com.
We review all security reports promptly and respond with appropriate remediation actions.