The Vitesse Executive management team has overall accountability for the protection of information assets. Day to day responsibility for the operational aspects of our information security framework is supported by the Director of Technical Operations and the Chief Information Security Officer (CISO).

As a mandated part of our culture, it is embedded that everybody within our organisation has a responsibility for contributing to the safeguarding of information assets, through ongoing training and awareness initiatives.  Our chosen information security framework is the globally recognised ISO 27001:2022, with certification obtained in March 2024. The operation and maintenance of the ISMS is performed by the CISO and the Risk & Assurance team.

Performance of the ISMS is monitored and measured by our Information Security Working Group (ISWG) through a scheduled programme of internal audits and the daily operation of the implement controls. The ISWG reports routinely to our Executive Risk Committee.

Our key infrastructure and client platform are hosted in highly secure and resilient Microsoft Azure Cloud services, in geo-specific data centres across the UK, EU and the US. Microsoft is one of the leading providers of cloud computing and hosting services, trusted by many of the largest multinational companies in the world.

The physical security controls and safeguarding of the servers that host Vitesse systems, its internal documentation and client information, is carried out in accordance with Microsoft’s many security accreditations, including ISO 27001, ISO 22301, ISO 270017/8 as well as routine audits per SOC 1/2/3.

Further information can be found at https://www.microsoft.com/en-us/trust-center.

With the ever-increasing risks and threats posed by third and even fourth parties, it is crucial to apply a mature approach to supplier management.

Vitesse operates a robust due diligence programme to ensure that all critical third parties contracting with us, are vetted and assessed to ensure that they comply with Vitesse’s standards covering Technology controls, Data-protection and Security, Financial stability and Operational resilience.

The procurement and contracting process is managed between our Senior Operational Resilience Manager, Director of Technical Operations, CISO and our external legal counsel to ensure all aspects are dealt with.

We take a risk-based approach to supplier management which has higher control and evidence requirements for parties that may introduce or support a critical service/component to our business operations or handle a higher sensitivity of data such as special category data under DPA/GDPR 2018. Our supplier management programme is designed to achieve industry best practice and compliance with all relevant regulatory requirements e.g. FCA/PRA Operational Resilience and DORA.

To detect and monitor any technical vulnerabilities within our IT estate, including our critical systems, applications, infrastructure and our computing devices, we operate a layered set of mechanisms, including:
- Routine automated internal vulnerability scanning;
- Multiple external vulnerability scans throughout the year by different third-party security providers;
- Quarterly penetration testing of our externally available services;
- Annual Cyber Essentials Plus external scanning;
- Quarterly PCI DSS scanning;
- Annual security assessment by a trusted security partner;
- and Dynamic and Static Application Security Testing (SAST/DAST) using two separate products.
‍
Actions and recommendations that follow all the above mechanisms are managed by the CISO, the Technical Operations team, the Risk & Assurance team and the Development teams, depending on the nature of each issue/finding. Actions are remediated according to the severity, with critical and high level findings resolved as a matter of urgency.

Our technical architecture is designed with segregation as a key principle, with role-based access mechanisms as a primary control. Authentication to internal and external systems is supported by robust password policies and multi-factor authentication, and data flow protected in transit and at rest by AES256 encryption.

The ‘least privilege’ rule is in effect to ensure that access to authorised systems is provided at a level required for the necessary task(s).

Our boundary is protected by a multi-layered set of security controls, including web application firewalls (WAF), robust DDoS mitigation, multifactor privileged access management, network isolation, host-based firewalls, content filtering and advanced threat prevention.

Regulatory requirements continue to evolve with constant pressure on businesses to meet a multitude of controls related to privacy and data integrity. Through our dedicated Risk and Compliance teams, Vitesse maintains a regulatory compliance platform that gives our customers confidence that the platform will remain compliant with all necessary legislation.

As a reflection of the high standards that Vitesse works to, we are ISO 27001 certified and conduct annual SOC 1 Type II audits. Additionally, we perform continuous risk analysis and assessments, internal audits and PCI-DSS assessments. We understand the importance of providing our customers with the assurance they need from their significant third-party providers.

Information security risk management is embedded in our operating procedures, as a mechanism to detect, monitor, treat and mitigate risks. Governance is provided by our Executive Risk Committee supported by information from our Information Security Working Group.

Information security related risks are formally recorded and routinely inspected and evaluated by the CISO, the Technical Operations team and the Risk & Assurance team. Risks are assessed according to likelihood vs. impact, and an appropriate degree of risk treatment applied.

We use centralised risk registers to record and track risks associated with information security, fraud and compliance, which are used to identify the critical assets and data within our organisation and critical IT systems and applications. Due to the sensitivity and criticality of these assets, we operate a low risk tolerance and implement risk treatments to reduce the residual risks to an acceptable level as agreed by the Executive Risk Committee.

As part of any ongoing information security framework, our continuous assessment and improvement process reviews potential vulnerabilities – as a result of risk assessments – which produce a routine set of actions and projects led by our CISO.

Our critical infrastructure and applications have full logging enabled, with a retention of at least 12 months.

Our infrastructure, identity and end user device logs are fed into our Security Information and Event Management (SIEM) platform, which is managed by the Technical Operations team, the CISO, and our 24*7 outsourced Security Operations Centre (SOC).

Automation rules are in place for certain alerts, and manual remediations applied where required – including defined escalation paths from the SOC through to Vitesse senior management.

Application logs for our core platform are monitored by Microsoft Application Insights, with alerts sent to specific internal teams depending on the nature of the alert, including Operations, Risk & Assurance and Platform Operations. Further, the Risk & Assurance team are responsible for performing routine weekly inspections of key activities performed on the platform by internal staff.

Our infrastructure sits behind a robust DDoS mitigation platform and set of Web Applications Firewalls (WAF) provided by Cloudflare and is routinely monitored by our Technical Operations team.

We also have in place a documented Disaster Recovery programme which is tested quarterly to ensure ongoing effectiveness.