Security

Last updated: 27 March 2026

Our Commitment

At TTClassify, security is designed into everything we build. Your trade classification data is sensitive, and we treat it with the highest standard of care.

Our security program is designed to protect your data at every layer: in transit, at rest, and in processing. Access permissions and identity management are its foundations. Processes are independently audited and accredited to internationally recognised standards.

Certifications & Compliance

ISO 27001 Security

Information security accreditation ISO/IEC 27001:2022 aligned with international standards.

GDPR Compliant

Full compliance with EU General Data Protection Regulation requirements.

Cyber Essentials Plus

Approved to the UK government's standard for IT security.

Data Encryption

  • In transit: All data is encrypted using TLS 1.3 with forward secrecy. We enforce HTTPS across all endpoints and APIs.
  • At rest: Data is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service with automatic rotation.
  • Backups: All backups are encrypted with separate keys and stored in geographically distributed, access-controlled locations.

Infrastructure

TTClassify is hosted on enterprise-grade cloud infrastructure with:

  • Multi-region deployment for high availability and disaster recovery
  • Automated scaling to handle traffic spikes without service degradation
  • Network segmentation with firewalls and intrusion detection systems
  • DDoS protection and web application firewall (WAF)
  • Single-tenant deployment option available for Enterprise customers

Access Controls

  • Authentication: Multi-factor authentication (MFA) supported for all accounts. Single Sign-On (SSO) via SAML 2.0 and OpenID Connect available on Enterprise plans.
  • Authorization: Role-based access control (RBAC) with the principle of least privilege enforced across all internal systems.
  • Employee access: Production data access is restricted to essential personnel, logged, and reviewed regularly. All employees undergo background checks and security training.

Application Security

  • Secure software development lifecycle (SSDLC) with mandatory code reviews
  • Static and dynamic application security testing (SAST/DAST) in CI/CD pipeline
  • Dependency scanning for known vulnerabilities with automated patching
  • Regular third-party pen testing (at least annually)
  • Bug discovery programme for responsible disclosure of security vulnerabilities

Incident Response

Our incident response program includes:

  • 24/7 security monitoring and alerting
  • Documented incident response plan with defined severity levels and escalation procedures
  • Notification to affected customers within 72 hours of a confirmed data breach
  • Post-incident review and remediation for every security event

Data Isolation

  • Customer data is logically isolated at the application and database levels.
  • No customer can access another customer's data.
  • Enterprise customers may opt for single-tenant deployment with dedicated infrastructure for complete physical isolation.

Contact Security Team

To report a concern or ask about our security practices, .
PGP key: Available on request for encrypted communications