
🔓 Security
Trusted. Compliant. Secure. Payments you can rely on.
Introduction
At Shieldpay, security is at the core of everything we do. We implement industry-leading security practices to protect your transactions, safeguard your data, and meet the regulatory and compliance requirements.
ISO 27001 is the international standard for information security management systems. Shieldpay obtained certification in December 2024.
Our approach to security
At Shieldpay, our Information Security Framework is built on the three lines of defence model. Our operational teams form the first line by implementing daily security controls, while our risk and compliance functions serve as the second line by monitoring and validating these measures. An independent audit provides the third line of assurance, confirming that our systems operate as intended. This layered approach - supported by comprehensive policies, procedures, governance, and 24/7 security monitoring - ensures your data and transactions are protected against evolving threats.
Every transaction and record is managed with accuracy and safeguarded against tampering. Our multi-cloud architecture, spanning trusted platforms such as AWS and GCP, underpins our secure data centres with fault-tolerant backup solutions and robust integrity checks. Through comprehensive data replication, continuous validation, and real-time monitoring, we deliver a resilient and dependable service you can trust.
Our systems are engineered for continuous operation and resilience. Mirrored across multiple availability zones, our infrastructure delivers seamless access through fault-tolerant design and regular business continuity exercises. With robust DDoS protection, auto-scaling, and automated recovery processes, we ensure uninterrupted performance. Our dedicated incident management team is on call 24/7 to swiftly address any issues, ensuring your transactions are always processed without delay.
We are committed to safeguarding your personal and transactional data in strict accordance with data protection regulations. Our data protection and privacy framework ensures your information is used solely for its intended purposes, encompassing secure storage, robust data management practices, and regular Data Protection Impact Assessments (DPIAs). For more details on our data privacy approach, please review our Privacy Notice.
Our secure platform in action
Security at Shieldpay isn’t just about frameworks and policies. It is embedded into the way we build, operate and evolve our platform, from infrastructure and identity management to threat detection and secure development practices. Below is an overview of how we put these practices into action.
We enforce strict role-based access controls (RBAC) to ensure users have only the access they need. Single Sign-On (SSO) and Multi-Factor Authentication (MFA) strengthen authentication, with phishing-resistant FIDO2 hardware security keys deployed for privileged accounts. We leverage a centralised platform to manage identities, access, and user lifecycles seamlessly. Supported by robust Joiner-Mover-Leaver (JML) processes, this platform ensures consistent control and oversight. Conditional access policies authenticate both users and corporate devices, allowing only trusted endpoints to access critical systems. Regular access reviews, detailed logging, and anomaly detection further enhance security and maintain oversight.
We implement stringent data protection measures to ensure the security of sensitive information throughout its lifecycle. All data is encrypted at rest and in transit using AES-256 and TLS 1.2+, with encryption keys securely managed in a FIPS 140-2 compliant Key Management System (KMS). We have Data Loss Prevention (DLP) technology in place to prevent unauthorised data access or sharing, while threat intelligence capabilities extend protection by proactively monitoring for leaked credentials and exposed data on the dark web.
We conduct comprehensive pre-employment screening for all employees to ensure trust and compliance. Our team undergoes ongoing security training and awareness programs, including phishing simulations, social engineering training, and regulatory compliance workshops. By fostering a culture of security, we empower our employees to actively contribute to the protection of our platform.
Our advanced fraud prevention tools actively monitor for suspicious activities, such as unusual transaction patterns, ensuring potential threats are identified and mitigated early. Complementing this, we integrate proactive threat intelligence into our security framework, continuously monitoring the dark web, deep web, and public internet for leaked credentials, data exposure, phishing domains, and brand impersonation attempts.
Our dedicated 24/7 incident response team follows predefined security protocols to rapidly contain and mitigate security incidents. Incident response plans are continuously tested to ensure swift remediation with minimal impact. Our business continuity and disaster recovery programs are regularly assessed to guarantee operational resilience in the event of disruptions.
Regular penetration testing is conducted in collaboration with CREST-accredited security firms and utilises CBEST to simulate real-world attack scenarios and uncover vulnerabilities. Alongside penetration testing, advanced tooling is employed for automated scanning and threat intelligence-led attack surface monitoring, providing proactive risk detection. The continuous vulnerability management program ensures that critical security patches and updates are applied promptly, minimising the attack surface and enhancing overall security.
Built on a robust three lines of defence model, our security framework ensures accountability and oversight at every level. Comprehensive policies, certified to the ISO 27001 standard, are regularly reviewed and updated to address emerging threats and compliance obligations. This governance model guarantees adherence to legal, financial, and cybersecurity standards, maintaining the integrity and resilience of our operations.
Shieldpay’s multi-cloud architecture, built on AWS and GCP, ensures scalability, security, and operational resilience. Our services are hosted across multiple availability zones, providing high availability, redundancy, and fault tolerance. To safeguard against service disruptions, we deploy automated scaling, DDoS mitigation, and Web Application Firewall (WAF) protection. Additionally, physical security measures at our cloud data centres include restricted access, biometric authentication, and 24/7 surveillance, ensuring a secure foundation for our platform.
We integrate security into every stage of the Software Development Lifecycle (SDLC) to ensure a resilient and secure platform. Our development process includes static and dynamic code analysis, secrets scanning, and mandatory peer code reviews to detect vulnerabilities early. Supply chain security is embedded into our CI/CD pipelines, with automated dependency scanning and integrity checks ensuring that only approved and secure components are included in releases. Regular penetration testing and threat modelling further strengthen our defences, ensuring every deployment meets the highest security standards.
Shieldpay is committed to transparency and continuous security improvement. Our Security Information and Event Management (SIEM) system provides real-time monitoring, logging, and analysis of security events across all systems. Regular internal and external security audits validate our compliance with industry best practices and regulatory standards.
Shieldpay maintains a rigorous third-party risk management program, ensuring that all vendors, suppliers, and partners adhere to our security and compliance standards. This includes thorough due diligence, ongoing monitoring, and security assessments to identify potential risks. Contractual agreements enforce strict security controls for all third-party engagements.
Our platform is protected by 24/7 security monitoring, real-time threat detection, and a dedicated security team. We use Extended Detection and Response (XDR) to provide advanced threat visibility across endpoints, networks, and cloud environments, enabling proactive threat hunting and rapid mitigation. Intrusion Detection and Prevention Systems (IDS/IPS) actively monitor and block suspicious activity. Embedded monitoring mechanisms, such as canary tokens, enhance our ability to detect unauthorised access.
⚠️ Reporting security concerns
If you believe you’ve identified a security vulnerability in our website or services, we encourage you to report it to us as soon as possible. We are committed to working with the security community to investigate and address any valid issues in a responsible manner.
While we do not currently offer monetary rewards or a bug bounty program, we greatly appreciate responsible disclosure and will acknowledge valid reports where appropriate.
To report a vulnerability, please contact our security team at security [at] shieldpay.com with a detailed description of the issue, including steps to reproduce it. For guidance on responsible disclosure and secure communication, please refer to our Vulnerability Disclosure Policy and the security.txt file. We review all submissions and work to remediate any confirmed vulnerabilities as quickly as possible.