Security at Cutover

Introduction

Cutover works with some of the world’s largest organizations, including global banks, insurers, financial institutions and retail giants. Our clients expect the highest level of security and entrust Cutover to ensure the confidentiality, integrity and availability of their data. Cutover has implemented a dedicated security operations function which is represented at the highest level to maintain accountability and transparency of process.

Culture and Awareness

We operate a culture of need-to-know and secure-by-design principles, where security is a responsibility shared by the entire team. We are committed to respecting the privacy of our clients and employees, as well as protecting data about them from outside parties. The management team ensures a secure environment in which to store and process this information, which is reflected in the employee onboarding process and in investment in training and general awareness programs.

Employee Background Checks and Training

Cutover employees undergo regional background screening before they commence employment with us. Once part of the team, our employees receive continuous security training, which includes a review of internal policies, security best practices and other regulatory principles. Further security training is delivered online via information security and cyber security platforms. All of our employees are required to complete and comply with Cutover’s information security policies.

Cutover Platform Security

Authentication and Authorization:
  • The Cutover platform supports complex password policies, which can be customised to align with an organization’s password policy requirements.
  • Cutover secures user credentials with cryptographic salt and hashing methods.
  • Cutover supports industry-standard SAML-based Single Sign-On (SSO), which can reduce the risk associated with poor password habits, accelerate user adoption, and support better data security.
  • Within the Cutover platform, permissions are managed and aligned to a user’s role.

Encryption:

Data transfer is over a REST API by default. All communications with the Cutover API are over SSL/TLS, using TLS 1.2 with 256-bit cipher suites. Data at rest is encrypted using AES-256.

Secure by Design:

Cutover engineers write code that is designed from the foundation to be robust and secure. Our engineering and site resiliency teams also regularly take part in peer and code reviews and in internally and externally audited penetration tests, as well as reviewing security logs and the events raised by proactive automated monitoring.

Network and Platform Security

AWS Cloud:

Cutover utilizes Amazon Web Services (AWS) to provision and host production environments and client data. Environments are located in multiple regions across the EU and US. AWS data centres are ISO 27001:2013, GDPR, Privacy Shield, SOC 1, SOC 2 and SOC 3 certified. For more information, see the comprehensive list of AWS compliance programs published by AWS.

Cutover provisions single-tenanted client environments, providing a high level of data isolation and integrity. Each environment also benefits from individual Virtual Private Cloud (VPC) architecture to further secure data flow.

Resiliency

Cutover has architected and implemented a high availability disaster recovery solution spanning multiple geographic regions and data centers. The model supports hot primary and secondary environments and a warm tertiary standby that enables rapid failover at scale.

All data centers are built in clusters in multiple regions where the Cutover platform is deployed in an n+1 configuration to ensure that in the event of a failure, there is sufficient capacity to route traffic to active sites.

Each data center is designed as an independent failure zone, physically separated within a region and sited in lower-risk flood zones. Uninterruptible power supplies and highly redundant power grids reduce single points of failure. These architectural decisions allow Cutover to remain resilient to system failures and natural disasters.

Information Security

Cutover’s security model is aligned to the internationally recognized ISO 27001:2013 standard, which covers all aspects of information security, including resiliency, incident management, policies and processes, physical security, third-party security, network and access control, cryptographic controls, password security and information classification.

Compliance

Cutover adheres to the latest guidelines and implements changes based on industry standards. Cutover compliance is delivered and monitored through a range of independently audited assurance programs:

Information Commissioner’s Office (ICO):

Cutover is registered with the ICO to support the implementation of data protection principles.
Registration number: ZA152033.

ISO 27001:2013:

Data protection, trust and continuous improvement are core to Cutover’s working practices. Cutover was awarded the ISO 27001 certification in 2018.

UK Cyber Essentials:

The scheme has been developed by the UK Government to provide a clear statement of basic controls organizations should implement to mitigate the risk from internet threats. Cutover conducts a yearly review to maintain the accreditation.
Registration number: QGCE 476.

General Data Protection Regulation (GDPR):

Cutover has reviewed the UK Information Commissioner’s Office (ICO) guidelines and checklists for GDPR. As a result, compliant policies, processes and a data processing addendum have been implemented that adhere to the regulation.

Physical Security

The Cutover platform is designed to operate efficiently and securely. The network configuration and infrastructure are regularly penetration tested by independent third parties.

Cutover HQ:

Employees access the premises via registered access cards. Visitors are signed in under their respective roles and accompanied at all times. Cutover offices are monitored 24/7 with CCTV surveillance.

Cloud:

Cutover utilizes AWS, which provides a high level of physical security. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff using video surveillance, intrusion detection systems and other electronic means. AWS staff must pass two-factor authentication a minimum of two times to access data centre floors.

Summary

If you have any questions, or require further detailed answers, please get in touch with our information security team by emailing us at security@cutover.com.