
Here, you will find detailed information about our security practices, regulatory compliance, and the measures we take to protect your data. Our dedication to transparency and robust risk management underscores our promise to keep your information safe and secure.
- Financial Conduct Authority (FCA) 900646 in the UK
- De Nederlandsche Bank (DNB) R140513 in Europe
- NYS Department of Financial Services in the US
SSO Solution
Our Single Sign-On (SSO) solution is a critical component of our commitment to enhance both security and user convenience when accessing the Vitesse portal.
User Authentication
SSO integrates with your organisation's identity provider through protocols such as SAML 2.0, enabling users to log in to Vitesse in a few clicks without a separate Vitesse password, which reduces the number of credentials in circulation and the risk of password-related compromise.
Access Management
Administrators can enforce access policies across the organisation from the identity provider. Immediate revocation of access for departing employees or those changing roles minimises the window in which stale or over-privileged accounts could be abused.
Compliance and Audit
SSO provides organisations with enhanced visibility into login activity through their identity management systems. Centralised logging capability supports compliance and offers an auditable access framework.
- Dedicated Technical Operations Team, accountable for rolling out the security framework across Vitesse
- Core cloud-based infrastructure, including a cloud-native SIEM and cloud-native 'Defender' technologies
- Proactive 24x7x365 monitoring, technical analysis support and threat response measures
- IDS/IPS, DDoS mitigation and WAF
- Daily endpoint and internal scanning
- SIEM real-time alerting
- Vitesse data centres are hosted on Microsoft Azure, which applies top-tier physical and logical access controls
- Vitesse offices are secured with physical protection measures including CCTV, alarms, alerting and a clear desk policy
- All measures are supported by comprehensive and mandatory security training for all staff
- Ongoing intelligence-based company-wide alerting, with simulated attacks used to check staff compliance
- Security by design and by default
- Default deny, fail securely
- Distrust input from external applications
- Least privilege, least functionality
- Defence in depth
- Ransomware detection, mitigation and prevention
- Endpoint protection
- Cloud-based attack detection, prevention and quarantining for known and unknown threat types
- Network segmentation, anomaly logging and alerting
- Strong access controls implemented across all systems, including strong password standards, MFA and Conditional Access
- Role Based and Least Privilege principles implemented ensuring the right people have access to the right information
- Conditional Access policies such as Impossible Travel implemented and monitored
- Control framework to ensure data protection both at rest and in transit
- Information classification, data encryption, and data leakage prevention
- Supported by detailed policies, procedures and standards
- Security risks are identified, monitored and reported via the Risk Management Framework
- Supported by an independent assurance programme
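The "Impossible Travel" policy listed above flags a user whose consecutive sign-ins are too far apart geographically for the elapsed time. The block below is an added example of that check, not Vitesse's code or a Microsoft Entra policy definition: it parses constructed sign-in log lines (timestamp, user, city, latitude, longitude; the coordinates stand in for a geo-IP lookup), computes the great-circle distance between each user's consecutive sign-ins, derives the implied speed, and raises a finding when it exceeds an assumed 900 km/h ceiling. The 50 km minimum-distance filter, the speed threshold and all sample data are assumptions chosen for illustration.

```python
"""Impossible-travel detection over sign-in events (added example, not Vitesse's code)."""
from dataclasses import dataclass
from datetime import datetime, timezone
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_SPEED_KMH = 900.0   # assumption: roughly airliner cruising speed
MIN_DISTANCE_KM = 50.0            # assumption: ignore geo-IP jitter within one metro area

# Constructed sign-in log lines: "<ISO-8601 UTC>,<user>,<city>,<lat>,<lon>".
# Coordinates represent the output of a geo-IP lookup (assumed, not real data).
SAMPLE_LOG = """\
2024-05-01T09:00:00Z,alice,London,51.5074,-0.1278
2024-05-01T11:30:00Z,alice,Amsterdam,52.3676,4.9041
2024-05-01T12:15:00Z,alice,New York,40.7128,-74.0060
2024-05-01T09:00:00Z,bob,London,51.5074,-0.1278
2024-05-01T17:00:00Z,bob,London,51.5074,-0.1278
"""


@dataclass(frozen=True)
class SignIn:
    user: str
    ts: datetime
    city: str
    lat: float
    lon: float


@dataclass(frozen=True)
class Finding:
    user: str
    from_city: str
    to_city: str
    distance_km: float
    hours: float
    speed_kmh: float


def parse_events(log: str) -> List[SignIn]:
    """Parse the constructed CSV-style log into SignIn records."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        ts, user, city, lat, lon = line.split(",")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(SignIn(user, when, city, float(lat), float(lon)))
    return events


def haversine_km(lat1: float, lon1: float, lat2: float, lon2: float) -> float:
    """Great-circle distance between two WGS84 points in kilometres."""
    p1, p2 = radians(lat1), radians(lat2)
    dphi = radians(lat2 - lat1)
    dlmb = radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(p1) * cos(p2) * sin(dlmb / 2) ** 2
    return 2 * EARTH_RADIUS_KM * asin(sqrt(a))


def detect_impossible_travel(events: List[SignIn],
                             max_speed_kmh: float = MAX_PLAUSIBLE_SPEED_KMH) -> List[Finding]:
    """Flag consecutive sign-ins per user whose implied travel speed is implausible."""
    by_user: Dict[str, List[SignIn]] = {}
    for e in events:
        by_user.setdefault(e.user, []).append(e)

    findings: List[Finding] = []
    for user, evs in by_user.items():
        evs.sort(key=lambda e: e.ts)
        for prev, cur in zip(evs, evs[1:]):
            dist = haversine_km(prev.lat, prev.lon, cur.lat, cur.lon)
            if dist < MIN_DISTANCE_KM:
                continue  # same area: no travel to evaluate
            hours = (cur.ts - prev.ts).total_seconds() / 3600.0
            # Two distant sign-ins at the same instant cannot be legitimate travel.
            speed = float("inf") if hours <= 0 else dist / hours
            if speed > max_speed_kmh:
                findings.append(Finding(user, prev.city, cur.city, dist, hours, speed))
    return findings


if __name__ == "__main__":
    for f in detect_impossible_travel(parse_events(SAMPLE_LOG)):
        print(f"{f.user}: {f.from_city} -> {f.to_city}, "
              f"{f.distance_km:.0f} km in {f.hours:.2f} h ({f.speed_kmh:.0f} km/h)")
```

In production the same logic would run over identity-provider sign-in logs in the SIEM, with the finding feeding a conditional-access response such as requiring re-authentication with MFA or blocking the session; the thresholds should be tuned for VPN and cloud-proxy egress points, which otherwise produce false positives.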
It is embedded in our culture that everybody within our organisation has a responsibility for contributing to the safeguarding of information assets, reinforced through ongoing training and awareness initiatives. Our chosen information security framework is the globally recognised ISO 27001:2022, with certification obtained in March 2024. The operation and maintenance of the ISMS is performed by the CISO and the Risk & Assurance team.
Performance of the ISMS is monitored and measured by our Information Security Working Group (ISWG) through a scheduled programme of internal audits and the daily operation of the implemented controls. The ISWG reports routinely to our Executive Risk Committee.
The physical security controls and safeguarding of the servers that host Vitesse systems, internal documentation and client information are carried out in accordance with Microsoft's many security accreditations, including ISO 27001, ISO 22301 and ISO 27017/27018, as well as routine SOC 1/2/3 audits.
Further information can be found at https://www.microsoft.com/en-us/trust-center.
Vitesse operates a robust due diligence programme to ensure that all critical third parties contracting with us are vetted and assessed against Vitesse's standards covering technology controls, data protection and security, financial stability and operational resilience.
The procurement and contracting process is managed between our Senior Operational Resilience Manager, Director of Technical Operations, CISO and our external legal counsel to ensure all aspects are dealt with.
We take a risk-based approach to supplier management, with higher control and evidence requirements for parties that introduce or support a critical service or component of our business operations, or that handle more sensitive data such as special category data under the DPA 2018/GDPR. Our supplier management programme is designed to achieve industry best practice and compliance with all relevant regulatory requirements, e.g. FCA/PRA Operational Resilience and DORA.
- Routine automated internal vulnerability scanning;
- Multiple external vulnerability scans throughout the year by different third-party security providers;
- Quarterly penetration testing of our externally available services;
- Annual Cyber Essentials Plus external scanning;
- Quarterly PCI DSS scanning;
- Annual security assessment by a trusted security partner;
- Static and Dynamic Application Security Testing (SAST/DAST) using two separate products.
Actions and recommendations arising from all of the above mechanisms are managed by the CISO, the Technical Operations team, the Risk & Assurance team and the Development teams, depending on the nature of each finding. Actions are remediated according to severity, with critical- and high-severity findings resolved as a matter of urgency.
The ‘least privilege’ rule is in effect to ensure that access to authorised systems is provided at a level required for the necessary task(s).
Our boundary is protected by a multi-layered set of security controls, including web application firewalls (WAF), robust DDoS mitigation, multifactor privileged access management, network isolation, host-based firewalls, content filtering and advanced threat prevention.
As a reflection of the high standards that Vitesse works to, we are ISO 27001 certified and conduct annual SOC 1 Type II audits. Additionally, we perform continuous risk analysis and assessments, internal audits and PCI-DSS assessments. We understand the importance of providing our customers with the assurance they need from their significant third-party providers.
Information security related risks are formally recorded and routinely inspected and evaluated by the CISO, the Technical Operations team and the Risk & Assurance team. Risks are assessed according to likelihood vs. impact, and an appropriate degree of risk treatment applied.
We use centralised risk registers to record and track risks associated with information security, fraud and compliance, which are used to identify the critical assets and data within our organisation and critical IT systems and applications. Due to the sensitivity and criticality of these assets, we operate a low risk tolerance and implement risk treatments to reduce the residual risks to an acceptable level as agreed by the Executive Risk Committee.
As part of our ongoing information security framework, our continuous assessment and improvement process reviews potential vulnerabilities identified through risk assessments, producing a routine set of actions and projects led by our CISO.
Our infrastructure, identity and end user device logs are fed into our Security Information and Event Management (SIEM) platform, which is managed by the Technical Operations team, the CISO and our 24x7 outsourced Security Operations Centre (SOC).
Automation rules are in place for certain alerts, and manual remediations applied where required – including defined escalation paths from the SOC through to Vitesse senior management.
Application logs for our core platform are monitored by Microsoft Application Insights, with alerts sent to specific internal teams depending on the nature of the alert, including Operations, Risk & Assurance and Platform Operations. Further, the Risk & Assurance team are responsible for performing routine weekly inspections of key activities performed on the platform by internal staff.
Our infrastructure sits behind a robust DDoS mitigation platform and Web Application Firewall (WAF) provided by Cloudflare, which is routinely monitored by our Technical Operations team.
We also have in place a documented Disaster Recovery programme which is tested quarterly to ensure ongoing effectiveness.