Trust and Security

At Funds-Axis, we understand the importance of earning and keeping your trust. That’s why we take data security extremely seriously.

This Data Security Statement outlines our commitment to protecting the privacy and confidentiality of the information you entrust to us.

Visit Funds-Axis Trust Center for more information about our security policies, compliance and audit reports.

Data Security Procedures

Trust

At Funds-Axis, trust is foundational to everything we do. We do not sell, rent, or share your corporate or personal data with third parties under any circumstances.

We use your data solely to deliver the services you have contracted with us, and only on a strict need-to-know basis. Our internal access controls, data handling policies, and employee training are all designed to uphold the confidentiality and integrity of your information at every stage.

We are committed to transparency and accountability in how we manage and protect your data.

Standards & Compliance

Funds-Axis is certified and compliant with leading international standards and regulatory frameworks to ensure the highest levels of security, quality, and operational resilience.

  • ISO 27001 (Information Security Management Systems)
  • ISO 9001 (Quality Management Systems)
  • Fully compliant with the Digital Operational Resilience Act (DORA)
  • Fully compliant with the NIS2 Directive

Our Information Security Management System (ISMS) is subject to regular internal and external audits to ensure continuous improvement. We continuously monitor and enhance our controls to align with evolving regulatory requirements and industry best practices.

Our certificates and compliance reports are available to download within the Funds-Axis Trust Centre.

Certificate number: NQA 117811 and 117812.

Infrastructure

Our infrastructure is built on industry-leading cloud platforms to ensure resilience, scalability, and security. We leverage Amazon Web Services (AWS) for hosting our client-facing applications and Microsoft Azure for managing internal systems and devices. Both platforms maintain rigorous compliance with global security standards and offer robust protections for data and systems.

  • Our client-facing application is hosted on Amazon Web Services (AWS) within the European Economic Area, using ISO- and GDPR-aligned data centres with 24/7 physical security and strict logical access controls. Learn more about AWS’s certifications and security practices.
  • AWS infrastructure is designed for high availability and fault tolerance, with built-in redundancy across multiple Availability Zones.
  • Internal services and corporate devices are managed via Microsoft Azure Active Directory and Azure Intune, providing enterprise-grade endpoint protection, patch management, and remote wipe capabilities. Learn more about Azure’s security practices.
  • We apply strict access controls and continuous monitoring to all infrastructure components to detect and respond to threats in real time.

Application & Infrastructure Security

Our client-facing application is hosted entirely on Amazon Web Services (AWS), which provides enterprise-grade security, resilience, and compliance. AWS maintains a wide range of global certifications and compliance frameworks, which you can explore in detail on the AWS Security Center.

We combine AWS’s native protections with our own rigorous security practices to safeguard customer data at every layer of the stack:

  • We retain full governance over all AWS components where customer data is stored or processed.
  • Our application is hosted in ISO- and GDPR-aligned AWS data centres located within the European Economic Area, featuring 24/7 physical security, biometric access controls, and strict logical access management.
  • The platform is deployed across multiple AWS Availability Zones to ensure high availability, automatic failover, and built-in network redundancy, with a commitment to ≥99.9% uptime.
  • All data is encrypted using AES-256 at rest and HTTPS (TLS 1.2+) in transit. SFTP Plus is used for secure file transfers.
  • Encrypted VPN connections are used between corporate sites and AWS environments, and multi-factor authentication (MFA) is enforced for all client portals and administrative consoles.
  • Each customer’s data is logically isolated in its own Virtual Private Cloud (VPC), preventing cross-tenant access.
  • Login credentials are securely stored using industry-standard hashing algorithms, and secrets are managed through AWS Secrets Manager with strict access controls.
  • Comprehensive audit logging is in place for all user and system activity, with centralised log retention and automated alerting for anomalous behavior.
  • We conduct monthly internal vulnerability scans with immediate patching, and annual third-party penetration tests across both infrastructure and application layers.
  • Our CI/CD pipelines include functional, regression, security, and usability testing, along with rigorous code reviews and Software Composition Analysis (SCA) to detect and remediate vulnerabilities in third-party dependencies.

Workplace Security

We enforce robust security controls across our people, devices, and physical environments to ensure a secure and compliant workplace:

  • All corporate laptops and desktops (Windows 10/11) are centrally managed via Azure Intune, with full-disk encryption, anti-malware protection, automatic updates, enforced screen-lock policies, and remote wipe capability for lost or compromised devices.
  • Access to services, source code repositories, production consoles, and third-party tools is secured using two-factor authentication (2FA) wherever possible.
  • Employees are granted the minimum access required to perform their roles: Sales and Customer Relationship Managers have access to personal data, while Business-As-Usual (BAU) staff are limited to name and email address only.
  • Background checks are conducted on all new hires, and confidentiality clauses are included in every employment contract.
  • Regular security and GDPR refresher training is provided through our in-house online learning platform, with specialised modules for employees handling customer data.
  • Continuous audit logging captures all user and administrator activities on corporate devices, with centralised log retention and automated alerting for anomalous behaviour.
  • Our offices are protected by controlled entry systems, CCTV monitoring, and a strict clean desk policy.

Data Protection & Disaster Recovery

We design our systems with resilience, availability, and data integrity at the core, applying data privacy by design principles in full compliance with GDPR:

  • Critical systems are replicated across multiple AWS Availability Zones for high availability and automatic failover, supporting a guaranteed uptime of ≥99.9%.
  • Customer data is automatically backed up daily using encrypted cloud-based storage.
  • Quarterly restore drills validate backup integrity and recovery effectiveness.
  • A comprehensive Business Continuity and Disaster Recovery Plan is maintained and supported by our Incident Management team.
  • Each customer’s data is logically isolated within dedicated environments to ensure data segregation and prevent cross-tenant access.

Reporting a Security Issue

If you suspect any vulnerability in the Funds-Axis Galaxy application, please contact our CISO via trevor.dempster@funds-axis.com.

We review all security reports promptly and respond with appropriate remediation actions.