Trusted Custodian

Committed to the highest standards of security, privacy, and compliance.

Here, you will find detailed information about our security practices, regulatory compliance, and the measures we take to protect your data. Our dedication to transparency and robust risk management underscores our promise to keep your information safe and secure.

Authorised and regulated by:

Financial Conduct Authority FCA 900646 in the UK
De Nederlandsche Bank DNB R140513 in Europe
NYS Department of Financial Services in the US

ISO27001 Certification
BSI ISO 27001 logo
IT Security Audit
CE logo
Pen testing
LRQA Nettitude logo
Finance Audit
Hazlewoods logo
SOC1 Type II Audit
Grant Thornton Logo

Audits

green checkmark
Annual Financial Accounts (EU)
CROP, Oct 2024
green checkmark
PCI DSS Self Attestation
3B Data Security, Jun 2024
green checkmark
CyberEssentials Plus
Claranet, May 2024
green checkmark
AML & TF Audit (NL)
FSCOM, May 2024
green checkmark
AML & TF Audit (UK)
FSCOM, Apr 2024
green checkmark
Cyber Security & Technology Review
Mitigo, Apr 2024
green checkmark
ISO27001 Information Security Certification Audit
BSI, Mar 2024
green checkmark
API & Application Penetration Tests
Nettitude, Feb 2024
See more
green checkmark
Annual Financial Accounts (UK)
Hazlewoods, Dec 2023
green checkmark
External SWIFT Audit
Dionach, Dec 2023
green checkmark
Client Funds Safeguarding Audit
Hazlewoods, Nov 2023
green checkmark
Assurance Report (ISAE 3402 – Type 2) [SOC 1 Type 2]
Grant Thornton, Mar 2023
See less

Information Security Management System

Technical Security
green checkmark
Application Security
green checkmark
AV/Malware
green checkmark
Backup and Data Retention
green checkmark
Cloud and Network Security
green checkmark
Data Encryption
See more
green checkmark
Identification, Access Control and Authentication
green checkmark
Perimeter Protection
green checkmark
Security Architecture
green checkmark
Secure Software Development
See less
Operational Security
green checkmark
Acceptable Use
green checkmark
Business Continuity Planning
green checkmark
Clear Desk & Screen
green checkmark
Data Handling
green checkmark
Disaster Recovery
See more
green checkmark
Incident Management
green checkmark
Mobile & Remote Working
green checkmark
Password Management
green checkmark
Physical Access Control
green checkmark
Removable Media
green checkmark
Sanitisation, Disposal and Destruction
green checkmark
Service Level Objectives
green checkmark
Use of Social Media
See less
Risk Management
green checkmark
Audit Disclosure
green checkmark
Asset Management
green checkmark
Education and Awareness Training
green checkmark
Incident Reporting and Improvement
green checkmark
Supply Chain Assessment and Management
See more
green checkmark
Vulnerability Assessment
See less

Security foundations

Security Operations​
  • Dedicated Technical Operations Team, accountable for rolling out the security framework across Vitesse
  • Utilising core cloud-based infrastructure including, Cloud Native SIEM and Cloud Native 'Defender’ technologies
Cyber Security​
  • Ransomware detection, mitigation and prevention
  • Endpoint protection
  • Cloud-based attack detection, prevention and quarantining for known and unknown threat types
  • Network segmentation, anomaly logging and alerting
Monitoring & Detection
  • Proactive 24/7x365 monitoring, technical analysis support and threat response measures
  • IDS / IPS, DDoS, WAFDaily endpoint and internal scanning
  • SIEM real time alerting
Identity & Access Management Controls​
  • Strong Access Controls implemented across all systems including Strong Password standards, MFA and Conditional Access
  • Role Based and Least Privilege principles implemented ensuring the right people have access to the right information
  • Conditional Access policies such as Impossible Travel implemented and monitored
Physical Security​
  • Vitesse data centres are hosted by Microsoft Azure using top tier physical and logical access controls. 
  • Vitesse offices are secure with physical data protection measures implemented, including CCTV, Alarms, Alerting and Clear Desk policy
Data Protection​
  • Control framework to ensure data protection both at rest and in transit
  • Information classification, data encryption, and data leakage prevention
Training and Awareness​
  • All measures are supported by comprehensive and mandatory security training for all staff
  • Ongoing intelligence-based company-wide alerting and fake attacks used to check compliance
Policies & Governance​
  • Supported by detailed policies, procedures and standards
  • Security risks are identified, monitored and reported via the Risk Management Framework 
  • Supported by an independent assurance programme
Key Architectural Principles​
  • Security by design and by default
  • Default deny, fail securely
  • Distrust input from external applications 
  • Least privilege, least functionality
  • Defence in depth

Detailed Security Principles

Security Operations

The Vitesse Executive management team has overall accountability for the protection of information assets. Day to day responsibility for the operational aspects of our information security framework is supported by the Director of Technical Operations and the Chief Information Security Officer (CISO).

As a mandated part of our culture, it is embedded that everybody within our organisation has a responsibility for contributing to the safeguarding of information assets, through ongoing training and awareness initiatives.  Our chosen information security framework is the globally recognised ISO 27001:2022, with certification obtained in March 2024. The operation and maintenance of the ISMS is performed by the CISO and the Risk & Assurance team.

Performance of the ISMS is monitored and measured by our Information Security Working Group (ISWG) through a scheduled programme of internal audits and the daily operation of the implement controls. The ISWG reports routinely to our Executive Risk Committee.

Architecture

Our technical architecture is designed with segregation as a key principle, with role-based access mechanisms as a primary control. Authentication to internal and external systems is supported by robust password policies and multi-factor authentication, and data flow protected in transit and at rest by AES256 encryption.

The ‘least privilege’ rule is in effect to ensure that access to authorised systems is provided at a level required for the necessary task(s).

Our boundary is protected by a multi-layered set of security controls, including web application firewalls (WAF), robust DDoS mitigation, multifactor privileged access management, network isolation, host-based firewalls, content filtering and advanced threat prevention.

Physical Security

Our key infrastructure and client platform are hosted in highly secure and resilient Microsoft Azure Cloud services, in geo-specific data centres across the UK, EU and the US. Microsoft is one of the leading providers of cloud computing and hosting services, trusted by many of the largest multinational companies in the world.

The physical security controls and safeguarding of the servers that host Vitesse systems, its internal documentation and client information, is carried out in accordance with Microsoft’s many security accreditations, including ISO 27001, ISO 22301, ISO 270017/8 as well as routine audits per SOC 1/2/3.

Further information can be found at https://www.microsoft.com/en-us/trust-center.

Compliance

Regulatory requirements continue to evolve with constant pressure on businesses to meet a multitude of controls related to privacy and data integrity. Through our dedicated Risk and Compliance teams, Vitesse maintains a regulatory compliance platform that gives our customers confidence that the platform will remain compliant with all necessary legislation.

As a reflection of the high standards that Vitesse works to, we are ISO 27001 certified and conduct annual SOC 1 Type II audits. Additionally, we perform continuous risk analysis and assessments, internal audits and PCI-DSS assessments. We understand the importance of providing our customers with the assurance they need from their significant third-party providers.

Supplier Management

With the ever-increasing risks and threats posed by third and even fourth parties, it is crucial to apply a mature approach to supplier management.

Vitesse operates a robust due diligence programme to ensure that all critical third parties contracting with us, are vetted and assessed to ensure that they comply with Vitesse’s standards covering Technology controls, Data-protection and Security, Financial stability and Operational resilience.

The procurement and contracting process is managed between our Senior Operational Resilience Manager, Director of Technical Operations, CISO and our external legal counsel to ensure all aspects are dealt with.

We take a risk-based approach to supplier management which has higher control and evidence requirements for parties that may introduce or support a critical service/component to our business operations or handle a higher sensitivity of data such as special category data under DPA/GDPR 2018. Our supplier management programme is designed to achieve industry best practice and compliance with all relevant regulatory requirements e.g. FCA/PRA Operational Resilience and DORA.

Information Security Risk Management

Information security risk management is embedded in our operating procedures, as a mechanism to detect, monitor, treat and mitigate risks. Governance is provided by our Executive Risk Committee supported by information from our Information Security Working Group.

Information security related risks are formally recorded and routinely inspected and evaluated by the CISO, the Technical Operations team and the Risk & Assurance team. Risks are assessed according to likelihood vs. impact, and an appropriate degree of risk treatment applied.

We use centralised risk registers to record and track risks associated with information security, fraud and compliance, which are used to identify the critical assets and data within our organisation and critical IT systems and applications. Due to the sensitivity and criticality of these assets, we operate a low risk tolerance and implement risk treatments to reduce the residual risks to an acceptable level as agreed by the Executive Risk Committee.

As part of any ongoing information security framework, our continuous assessment and improvement process reviews potential vulnerabilities – as a result of risk assessments – which produce a routine set of actions and projects led by our CISO.

Vulnerability Management

To detect and monitor any technical vulnerabilities within our IT estate, including our critical systems, applications, infrastructure and our computing devices, we operate a layered set of mechanisms, including:
- Routine automated internal vulnerability scanning;
- Multiple external vulnerability scans throughout the year by different third-party security providers;
- Quarterly penetration testing of our externally available services;
- Annual Cyber Essentials Plus external scanning;
- Quarterly PCI DSS scanning;
- Annual security assessment by a trusted security partner;
- and Dynamic and Static Application Security Testing (SAST/DAST) using two separate products.

Actions and recommendations that follow all the above mechanisms are managed by the CISO, the Technical Operations team, the Risk & Assurance team and the Development teams, depending on the nature of each issue/finding. Actions are remediated according to the severity, with critical and high level findings resolved as a matter of urgency.

Incident Management & Resilience

Our critical infrastructure and applications have full logging enabled, with a retention of at least 12 months.

Our infrastructure, identity and end user device logs are fed into our Security Information and Event Management (SIEM) platform, which is managed by the Technical Operations team, the CISO, and our 24*7 outsourced Security Operations Centre (SOC).

Automation rules are in place for certain alerts, and manual remediations applied where required – including defined escalation paths from the SOC through to Vitesse senior management.

Application logs for our core platform are monitored by Microsoft Application Insights, with alerts sent to specific internal teams depending on the nature of the alert, including Operations, Risk & Assurance and Platform Operations. Further, the Risk & Assurance team are responsible for performing routine weekly inspections of key activities performed on the platform by internal staff.

Our infrastructure sits behind a robust DDoS mitigation platform and set of Web Applications Firewalls (WAF) provided by Cloudflare and is routinely monitored by our Technical Operations team.

We also have in place a documented Disaster Recovery programme which is tested quarterly to ensure ongoing effectiveness.

Still have a question?

Contact our security experts for further details or support for a comprehensive due diligence.
Contact us