Security

Securing the future of investment management

We care about security. If you have any questions or encounter any issues, please contact us.


Security is at the heart of what we do

Landytech is ISO 27001 certified, providing enterprise-grade security for your complete peace of mind. Sesame has been engineered with confidentiality, integrity and availability as core principles.

Our approach to security is grounded in the following core principles:

Risk-Based Approach:

We prioritize actions based on the potential risk and impact to our organization.

Least Privilege:

Access is granted at the minimum level necessary for each role, reducing the potential for unauthorized access.

Defence in Depth:

We implement multiple layers of security controls to protect our systems and data.

Attack Surface Reduction:

We proactively minimize the number of vulnerabilities that could be exploited by an attacker.

Secure Identity and Access Management:

We ensure that only authorized individuals have access to our systems and data.

Process-Driven:

Our security measures are not ad-hoc but based on well-defined, documented, and repeatable processes.

Repeatable:

Our security practices are designed to be consistently applied across the organization.

Continuous Improvement:

We regularly review and update our security practices in response to evolving threats and new learnings.

Compliance certificates

This certification is a testament to our extensive security measures and risk management strategies. At a time when cybersecurity threats are on the rise, this certification underscores our steadfast dedication to safeguarding our company data, customer information, and other valuable assets.

We are fully compliant with the EU and UK General Data Protection Regulations (GDPR). This means we’re committed to protecting your data and upholding the highest standards of privacy. You can rest assured that your information is safe, secure, and handled with utmost care.

For information about our security program and relevant documentation, visit the Landytech Trust Centre.

Data Protection

Data at rest:

All data in our databases and storage accounts is encrypted with our own customer-managed keys, using AES-256 encryption.

Data in transit:

We use TLS 1.2 or higher for all transmitted data.

Secret management:

Encryption keys and secrets are managed by a key vault, which provides centralized, access-controlled storage of encryption keys. It safeguards keys with Hardware Security Modules and offers audit trails for all key usage. Routine tasks such as key rotation are automated, enhancing key security.

Access to all data is protected by strong Role-Based Access Control, and monitored to detect any unauthorized access.


Product Security

Sesame is built with a security-first approach to development. We have adopted a DevSecOps approach, where security is integrated at every stage of the pipeline, from planning to public release. Security requirements are considered during the planning phase. The code is tested during development, reviewed before being committed, and tested again before deployment. But our security measures don’t stop when the product goes live. We actively monitor for new vulnerabilities in our libraries and application and conduct regular penetration testing to discover risks that might have been missed previously.

Vulnerability scanning

Our goal is to proactively identify vulnerabilities before the code is deployed into production and to continuously monitor for new vulnerabilities in our running applications.

Static Application Security Testing (SAST): We perform continuous testing of our source code and infrastructure provisioning code prior to compilation.

Dynamic Application Security Testing (DAST): We conduct periodic scans of our running applications before they are deployed into production.

Cloud Security Posture Management (CSPM): We continuously scan our cloud infrastructure to identify and mitigate security risks.

Cloud Workload Protection Platform (CWPP): We continuously scan our cloud workloads to identify risks such as misconfigurations and vulnerable libraries, and to detect threats.

Patch management: We adhere to a rigorous patch management practice, ensuring all changes are thoroughly reviewed and tested before deployment. Our well-established patching procedure guarantees the stability and security of our systems. Leveraging Infrastructure as Code (IaC), we deploy all patches systematically and efficiently.

This comprehensive approach to vulnerability scanning underscores our commitment to maintaining the highest standards of security for our platform.

Enterprise Security

We leverage a centralized Mobile Device Management (MDM) platform to efficiently manage all endpoints, ensuring seamless enforcement of critical security configurations. This comprehensive approach guarantees uniform application and control of essential security measures, including encryption, malware protection, application deployment, and patch management, across the organization.

Secure remote access

Access to both company and customer resources is facilitated exclusively through company-issued devices, which are under continuous surveillance to ensure compliance with our stringent security requirements. Connections to cloud resources are made via Bastion and Virtual Private Networks (VPNs).

Security education

Our employees are the cornerstone of our security program. Recognizing their vital role, we ensure they receive annual training on general security and data protection. This commitment to continuous learning underscores our dedication to maintaining the highest standards of security.

Identity and access management

At Landytech, security is a core priority. Our identity management program is meticulously designed to enforce strict access controls across all company resources and customer data. We adhere to industry best practices, including the principles of least privilege, need-to-know, and separation of duties, ensuring that access is granted only where necessary.

To safeguard our systems, we implement phishing-resistant multi-factor authentication (MFA) and single sign-on (SSO) solutions, enhancing both security and user experience. Access is strictly role-based, ensuring that employees have only the permissions required for their specific responsibilities. Additionally, we maintain secure provisioning and continuous access management, reinforcing our commitment to protecting sensitive information.

Network Security

Our platform is fortified by robust virtual networks, each meticulously segregated by firewalls and network security groups. We prioritize security and efficiency, maintaining separate environments for development, staging, and production. This segregation ensures isolated testing and deployment, minimising risks and enhancing performance. Our commitment to this structured approach underscores our dedication to providing secure and reliable services.

Physical security

We are a cloud-based company and physical security is handled by the cloud service provider.

Monitoring

We have robust monitoring of our infrastructure, with data points across identity, network, application and hardware. Logs are collected in our SIEM and correlated to detect and respond to malicious activity and bugs, and to support troubleshooting.

Availability

We create products with high availability that cater to the needs of our customers, leveraging the scalability provided by our Cloud Service Provider (CSP).
