Security Controls

At Mobilleo we take great care over the security of our customers’ data that our applications store and process. Our company has been ISO-27001 accredited since 2016, with our Information Security Management System (ISMS) applying across our business. We process personal data in accordance with GDPR, and the payment gateway providers we use are PCI-DSS compliant.

Through organisational, physical and technological controls we ensure that customers’ data retains:

  • Confidentiality, so that it is only accessible by people or systems that have been authorised to do so.
  • Integrity, so that it remains accurate and complete.
  • Availability, so that customers can always access their data when they need to.

Organisational Controls

  • Our Information Security policies are reviewed annually to ensure that they remain appropriate as our business grows and the cybersecurity landscape changes.
  • Our ISMS is externally audited annually to help ensure that we are complying with it as it’s been designed.
  • Our Information Security Handbook, which describes our policies and how they are applied, is taught to all joining staff and refreshed annually thereafter. Complying with our policies forms part of staff terms of employment. Software developers and other technical staff receive additional training in how to design, build and care for data securely.
  • All joining staff are DBS checked before employment and then re-checked every three years.
  • Our Joiners/Movers/Leavers process, together with our System Access Register, ensures that staff only have access to the systems and data that their job role requires, and that this access is revoked when no longer required.
  • All data that we use and process is tracked using our Information Asset Register and Documentation of Processing Activities. These ensure that all data in our care is managed by a nominated owner, has a legal justification for being processed and is protected by appropriate controls. All information has a Data Classification which directs how it should be protected and who may have access to it.
  • All of our suppliers and sub-processors of personal data are vetted to ensure that they apply appropriate security controls to data in their care.
  • Our Information Security Incident and Data Breach processes ensure that any issues are dealt with in the appropriate time and are reviewed for policy compliance/improvement.
  • Our Risk Management process records and assesses potential risks to Information Security so that appropriate controls or mitigations are put in place.
  • Our Operational Business Continuity Plan ensures that our business can continue to function in events that disrupt our office facilities.

Physical Controls

  • The data centres that host Mobilleo data are protected by numerous security controls; for more information see https://aws.amazon.com/compliance/data-center/controls/
  • Our offices are protected from unauthorised access and have CCTV surveillance.
  • Document scanning, clear desk policy and secure shredding ensure that paper-based information is minimised.

Technological Controls

  • Our applications are designed with a ‘Defence in Depth’ approach and to industry best standards including OWASP.
  • The core Mobilleo system and its data are load balanced across 3 geographically separate data centre instances in London, providing resilience against spikes in demand and hardware, power and local network failures. Our infrastructure and software architecture model can be replicated to other territories as required.
  • We have application/performance monitoring and alerting in place to allow us to react to infrastructure events whilst planning for growth.
  • All system data is encrypted in transit using strong cryptographic approaches.
  • Our Hosted Systems Business Continuity Plan ensures that we can recover from data loss and corruption.
  • Our applications are penetration tested and vulnerability scanned by a CREST accredited external agency on a regular basis.
  • All computers have anti-virus/malware protection in place that is kept up to date.
  • We do not allow the use of removable media within the business.
  • All portable devices have hard disk encryption.
  • Our password policy, enforced technologically where available, ensures that strong passwords are in place, with Multi-Factor Authentication applied where appropriate and available.