HOME security

Learn how Deputy keeps your data secure

View our security certifications, encryption standards, and other tools we employ to keep customer information safe.

Our Security Statement

At Deputy, we strive to maintain a security posture that aligns with leading industry standards with the objective of ensuring that any data entrusted to us is protected from unauthorised access. Our security controls are implemented with a focus on delivering optimal protection while also providing the best possible customer experience.

We prioritise security by investing in and maintaining a mature security program with strong controls. This empowers our customers, partners, vendors, and employees to operate with confidence, knowing that effective measures are in place to protect them.

Compliance

Deputy maintains leading security compliance certifications and attestations demonstrating its adherence to industry-appropriate controls.

We are ISO 27001 and UK Cyber Essentials certified and SOC2 Type II compliant. Additionally, we comply with the PCI-DSS standard as a level 3 merchant and perform an annual self-assessment (SAQ A) supported by quarterly scans from an Approved Scanning Vendor (ASV). Deputy is also listed with the Cloud Security Alliance as a CSA Star Level 1 organisation.

We have implemented security policies, standards, and controls to support our compliance with ISO 27001, SOC2 and PCI-DSS frameworks. These are reviewed annually by internal stakeholders, approved by senior management, and assessed by external auditors.

For more information about our Compliance programs, please visit our Trust Centre where our applicable compliance certificates, attestation reports and other relevant security documentation are available for download.

Product security

Security Best Practice Guides

We share security best practices Help Guides to educate our customers on how to keep their Deputy accounts safe. 

Account Security Best Practices
API Security Best Practices

Passwords and Multi-Factor Authentication

Deputy provides a variety of options to help you keep your account secure including Multi-Factor Authentication capabilities on every user account using industry-standard one-time codes.

Single Sign-On

For corporate customers, we support integration with single sign-on providers like Okta, Azure, and Oracle. All login and password data is encrypted, hashed, and stored separately to customer data — so employees can use Deputy safely with multiple employers.

Role-Based Access

Deputy provides role-based access levels so that employees, managers, and administrators can only view data that is relevant to them. This access can be customised to suit your needs.

Customer Separation

All customer data is kept logically separate through sharding of database partitions and multi-regional deployment. This ensures that there is no data overlap or loss of data integrity between customers.

Learn more about Deputy's security practices

  • Security Program and Team

    Our security program is based on and supported by policies following the ISO27001 framework which we certify against. We use the NIST cybersecurity framework to measure the efficacy and evolving maturity of our program over time.

    Our dedicated security team is responsible for the security of our people, our applications, and their underlying infrastructure. The team is also responsible for the delivery of security incident response and follows the SANS incident handling methodology to prepare, detect and respond to events.

  • People and Corporate Security
    • As a part of our hiring process, we conduct background checks and also ensure that all employees receive security awareness training during their onboarding and annually throughout their employment.

    • Our company-provided devices are centrally managed via a Mobile Device Management (MDM) technology and built from a standardised, secure configuration. The devices are also protected by an Extended Detection & Response (EDR) platform for advanced malware and ransomware protection.

    • Access to business systems is provided following the principle of least privilege and reviewed quarterly. Access is centrally managed via an authentication provider where multi-factor authentication (MFA) is enforced.

  • Secure Software Development Lifecycle (SDLC)
    • We follow the Agile methodology to continuously integrate new features into our application. Our team is trained in secure coding practices with the objective of preventing any vulnerabilities from being introduced from the OWASP Top 10.

    • We prioritize security in our product to help ensure the safety of our users. We achieve this through a "shift-left" approach that involves incorporating security into the design phase.

    • Various measures have been implemented to enable the detection of bugs or vulnerabilities in the development pipeline and repositories before deploying to production. Code scanning technologies are in place to support this process and prevent deployment if issues are found.

    • Security is a high priority during the deployment process, with code reviews and unit tests being essential components.

    • We maintain separate environments and databases for different stages of application development.

  • Infrastructure
    • We protect our applications with the use of a next-gen web application firewall (WAF) along with other security controls to mitigate the risks of common web attacks. 

    • Deputy leverages the cloud-hosting and managed services from Amazon Web Services (AWS) which maintains high standards of security across their data centres.

    • Our infrastructure is built for scalability and ready to support our customer’s data sovereignty needs in 3 strategic regions - Australia, United Kingdom and United States.

    • We protect our systems by monitoring configuration baselines and detecting abnormal and/or unauthorised changes. 

    • Systems performance monitoring is centrally managed, monitored and set to alert upon detection of abnormal workloads. 

    • Deputy utilizes a Security Information and Event Management platform (SIEM) with Security Orchestration and Automated Response (SOAR) capabilities. This allows us to monitor and analyze logs, detect anomalies, and support incident response efforts.

  • Data Security

    Deputy secures the transmission of data by encrypting it with TLS 1.2 or improved versions. Additionally, all data in storage, including backups, is encrypted with AES-256.

    To store credentials, a salt and work factor are utilized In order to securely store login information, a combination of a salt and work factor is employed. This approach is designed to protect user data from potential security breaches and unauthorized access.

  • Security Testing and Vulnerability Management
    • We validate the security posture of our applications by engaging an external third party to perform an annual penetration test.

    • We are also subject to an ongoing, private bug bounty program and encourage security researchers to disclose security vulnerabilities to us in a responsible manner. 

    • Regularly scheduled scans of our applications and infrastructure are also in place to confirm that all aspects of our systems are regularly inspected for potential weaknesses.

    • Vulnerability management is performed based on the perceived threats and prioritised in accordance with Deputy’s risk tolerances.

  • Backup and Disaster Recovery
    • Deputy's services are hosted in one of the AWS regions in Australia, the UK, or the United States. AWS's managed services help ensure that our systems remain resilient and redundant.

    • Daily backups are carried out through the automatic backup capabilities of AWS RDS.

    • Disaster recovery tests are performed annually and Recovery Point Objective (RPO) and Recovery Time Objective (RTO) have been defined.

    • More details about our service's reliability, resiliency and historical uptime can be found at status.deputy.com.

icon help

Talk to us about Security

Deputy’s in-house Security Team is dedicated to securing data, protecting Deputy from threats, and providing assurance to customers.