Trust Centre

Committed to the highest standards of security, privacy, and compliance.

Here, you will find detailed information about our security practices, regulatory compliance, and the measures we take to protect your data. Our dedication to transparency and robust risk management underscores our promise to keep your information safe and secure.

Logos displayed: BSI, Cyber Essentials, Pentest People, Hazlewoods, Grant Thornton, DORA.

Compliance

Authorisation and regulations

Financial Conduct Authority FCA 900646 in the UK
De Nederlandsche Bank DNB R140513 in Europe
NYS Department of Financial Services in the US

Audit

Cyber Essentials Plus
API & Application Penetration Tests
PCI DSS Self Attestation
ISO 27001 Information Security Certification Audit
Annual Financial Accounts (UK)
Client Funds Safeguarding Audit
Assurance Report (ISAE 3402 – Type 2) [SOC 1 Type 2]
External SWIFT Audit
Annual Financial Accounts (EU)
AML & TF Audit (NL)
AML & TF Audit (UK)
Cyber Security & Technology Review

Technical Security

Application Security
AV/Malware
Backup and Data Retention
Cloud and Network Security
Data Encryption
Identification, Access Control and Authentication
Perimeter Protection
Security Architecture
Secure Software Development

Risk Management

Audit Disclosure
Asset Management
Education and Awareness Training
Incident Reporting and Improvement
Supply Chain Assessment and Management
Vulnerability Assessment

Operational Security

Acceptable Use
Business Continuity Planning
Clear Desk & Screen
Data Handling
Disaster Recovery
Incident Management
Mobile & Remote Working
Password Management
Physical Access Control
Removable Media
Sanitisation, Disposal and Destruction
Service Level Objectives
Use of Social Media
Single Sign On

SSO Solution

Our Single Sign-On (SSO) solution is a critical component of our commitment to enhance both security and user convenience when accessing the Vitesse portal.

User Authentication

SSO integrates with your organisation’s identity provider through protocols such as SAML 2.0, enabling users to log in to Vitesse in a few clicks and reducing the risk of password-related security breaches.

Access Management

Administrators can enforce access policies across the organisation. Immediate revocation of access for departing employees or those changing roles minimises security vulnerabilities.

Compliance and Audit

SSO provides organisations with enhanced visibility into login activity through their identity management systems. Centralised logging capability supports compliance and offers an auditable access framework.

Security foundations

Vitesse Security Governance Framework

Security Operations
  • Dedicated Technical Operations Team, accountable for rolling out the security framework across Vitesse
  • Utilising core cloud-based infrastructure, including Cloud Native SIEM and Cloud Native 'Defender' technologies
Monitoring & Detection
  • Proactive 24/7x365 monitoring, technical analysis support and threat response measures
  • IDS / IPS, DDoS mitigation, WAF
  • Daily endpoint and internal scanning
  • SIEM real-time alerting
Physical Security
  • Vitesse data centres are hosted by Microsoft Azure using top-tier physical and logical access controls.
  • Vitesse offices are secured with physical data protection measures implemented, including CCTV, alarms, alerting and a Clear Desk policy
Training and Awareness
  • All measures are supported by comprehensive and mandatory security training for all staff
  • Ongoing intelligence-based company-wide alerting and simulated attacks used to check compliance
Key Architectural Principles
  • Security by design and by default
  • Default deny, fail securely
  • Distrust input from external applications
  • Least privilege, least functionality
  • Defence in depth
Cyber Security
  • Ransomware detection, mitigation and prevention
  • Endpoint protection
  • Cloud-based attack detection, prevention and quarantining for known and unknown threat types
  • Network segmentation, anomaly logging and alerting
Identity & Access Management Controls
  • Strong access controls implemented across all systems, including strong password standards, MFA and Conditional Access
  • Role-based and least-privilege principles implemented, ensuring the right people have access to the right information
  • Conditional Access policies such as Impossible Travel implemented and monitored
Data Protection
  • Control framework to ensure data protection both at rest and in transit
  • Information classification, data encryption, and data leakage prevention
Policies & Governance
  • Supported by detailed policies, procedures and standards
  • Security risks are identified, monitored and reported via the Risk Management Framework
  • Supported by an independent assurance programme
Detailed Security Principles
Security Operations
The Vitesse Executive management team has overall accountability for the protection of information assets. Day to day responsibility for the operational aspects of our information security framework is supported by the Director of Technical Operations and the Chief Information Security Officer (CISO).

As a mandated part of our culture, it is embedded that everybody within our organisation has a responsibility for contributing to the safeguarding of information assets, supported by ongoing training and awareness initiatives. Our chosen information security framework is the globally recognised ISO 27001:2022, with certification obtained in March 2024. The operation and maintenance of the ISMS is performed by the CISO and the Risk & Assurance team.

Performance of the ISMS is monitored and measured by our Information Security Working Group (ISWG) through a scheduled programme of internal audits and the daily operation of the implemented controls. The ISWG reports routinely to our Executive Risk Committee.
Physical Security
Our key infrastructure and client platform are hosted in highly secure and resilient Microsoft Azure Cloud services, in geo-specific data centres across the UK, EU and the US. Microsoft is one of the leading providers of cloud computing and hosting services, trusted by many of the largest multinational companies in the world.

The physical security controls and safeguarding of the servers that host Vitesse systems, its internal documentation and client information are carried out in accordance with Microsoft’s many security accreditations, including ISO 27001, ISO 22301 and ISO 27017/27018, as well as routine audits per SOC 1/2/3.

Further information can be found at https://www.microsoft.com/en-us/trust-center.
Supplier Management
With the ever-increasing risks and threats posed by third and even fourth parties, it is crucial to apply a mature approach to supplier management.

Vitesse operates a robust due diligence programme to ensure that all critical third parties contracting with us are vetted and assessed for compliance with Vitesse’s standards covering technology controls, data protection and security, financial stability and operational resilience.

The procurement and contracting process is managed between our Senior Operational Resilience Manager, Director of Technical Operations, CISO and our external legal counsel to ensure all aspects are dealt with.

We take a risk-based approach to supplier management, with higher control and evidence requirements for parties that may introduce or support a critical service/component to our business operations, or that handle data of higher sensitivity such as special category data under the DPA 2018/GDPR. Our supplier management programme is designed to achieve industry best practice and compliance with all relevant regulatory requirements, e.g. FCA/PRA Operational Resilience and DORA.
Vulnerability Management
To detect and monitor technical vulnerabilities within our IT estate, including our critical systems, applications, infrastructure and computing devices, we operate a layered set of mechanisms, including:
- Routine automated internal vulnerability scanning;
- Multiple external vulnerability scans throughout the year by different third-party security providers;
- Quarterly penetration testing of our externally available services;
- Annual Cyber Essentials Plus external scanning;
- Quarterly PCI DSS scanning;
- Annual security assessment by a trusted security partner;
- Static and Dynamic Application Security Testing (SAST/DAST) using two separate products.

Actions and recommendations arising from all of the above mechanisms are managed by the CISO, the Technical Operations team, the Risk & Assurance team and the Development teams, depending on the nature of each issue/finding. Actions are remediated according to severity, with critical- and high-severity findings resolved as a matter of urgency.
Architecture
Our technical architecture is designed with segregation as a key principle and role-based access mechanisms as a primary control. Authentication to internal and external systems is supported by robust password policies and multi-factor authentication, and data flows are protected in transit and at rest by AES-256 encryption.

The ‘least privilege’ rule is in effect to ensure that access to authorised systems is provided at a level required for the necessary task(s).

Our boundary is protected by a multi-layered set of security controls, including web application firewalls (WAF), robust DDoS mitigation, multifactor privileged access management, network isolation, host-based firewalls, content filtering and advanced threat prevention.
Compliance
Regulatory requirements continue to evolve with constant pressure on businesses to meet a multitude of controls related to privacy and data integrity. Through our dedicated Risk and Compliance teams, Vitesse maintains a regulatory compliance platform that gives our customers confidence that the platform will remain compliant with all necessary legislation.

As a reflection of the high standards that Vitesse works to, we are ISO 27001 certified and conduct annual SOC 1 Type II audits. Additionally, we perform continuous risk analysis and assessments, internal audits and PCI-DSS assessments. We understand the importance of providing our customers with the assurance they need from their significant third-party providers.
Information Security Risk Management
Information security risk management is embedded in our operating procedures, as a mechanism to detect, monitor, treat and mitigate risks. Governance is provided by our Executive Risk Committee supported by information from our Information Security Working Group.

Information security related risks are formally recorded and routinely inspected and evaluated by the CISO, the Technical Operations team and the Risk & Assurance team. Risks are assessed according to likelihood vs. impact, and an appropriate degree of risk treatment applied.

We use centralised risk registers to record and track risks associated with information security, fraud and compliance, which are used to identify the critical assets and data within our organisation and critical IT systems and applications. Due to the sensitivity and criticality of these assets, we operate a low risk tolerance and implement risk treatments to reduce the residual risks to an acceptable level as agreed by the Executive Risk Committee.

As part of our ongoing information security framework, the continuous assessment and improvement process reviews potential vulnerabilities identified through risk assessments, producing a routine set of actions and projects led by our CISO.
Incident Management & Resilience
Our critical infrastructure and applications have full logging enabled, with a retention of at least 12 months.

Our infrastructure, identity and end user device logs are fed into our Security Information and Event Management (SIEM) platform, which is managed by the Technical Operations team, the CISO, and our 24/7 outsourced Security Operations Centre (SOC).

Automation rules are in place for certain alerts, and manual remediations are applied where required, including defined escalation paths from the SOC through to Vitesse senior management.

Application logs for our core platform are monitored by Microsoft Application Insights, with alerts sent to specific internal teams depending on the nature of the alert, including Operations, Risk & Assurance and Platform Operations. Further, the Risk & Assurance team are responsible for performing routine weekly inspections of key activities performed on the platform by internal staff.

Our infrastructure sits behind a robust DDoS mitigation platform and a set of Web Application Firewalls (WAF) provided by Cloudflare, and is routinely monitored by our Technical Operations team.

We also have in place a documented Disaster Recovery programme which is tested quarterly to ensure ongoing effectiveness.

Still have a question?

Contact our security experts for further details or for support with comprehensive due diligence.