First Accounts SAAS Limited: Security & GDPR Guidelines

Last updated: 12th January 2020

User Authentication

First Accounts SAAS Limited user accounts are protected with a strong password, and two-factor authentication (2FA) can be implemented.
2FA can be configured to remain within the existing environment of your organisation, protected by current sign-on credentials.

Encryption

To ensure the confidentiality and integrity of your files, all content is encrypted in transit and at rest with world-class encryption and key management techniques.

Multiple layers of encryption are used to support customers’ needs for reliability, security and control over their sensitive content.

We partnered with Microsoft Azure to provide on-demand management of keys through the Azure Key Vault service, which uses Hardware Security Modules (HSMs) to safeguard cryptographic keys. The HSMs are FIPS 140-2 Level 2 validated, a NIST security certification.

Content is encrypted with a one-time AES-256 symmetric key. This key is then encrypted using a 2048-bit RSA asymmetric key. We never have access to that key; it is used only by invoking a mechanism provided by the Key Vault.

All key usage is recorded in an immutable audit log that we can never alter. All connections to our software are secure and encrypted using SSL (Secure Sockets Layer). This is the same level of encryption used by leading banks and government agencies.

Physical Data Infrastructure

Our services are hosted in a state-of-the-art SAS70 Type II, SSAE 16 facility that has achieved ISO 27001 certification.

Physical access is strictly controlled by professional security staff utilizing video surveillance, state-of-the-art intrusion detection systems, and other electronic means.

Authorized staff must pass two-factor authentication no fewer than three times to access data centre floors. We use multiple data centres with reliable power sources and backup systems with 99.9% SLAs and redundancy. Physical servers are located in London and failover servers are located in Dublin, Ireland.

Data Privacy & GDPR compliance

EU General Data Protection Regulation (GDPR)

We process personal data in accordance with the current data protection laws in the EU. In addition, our commitment to data privacy is demonstrated by the additional steps taken to comply with the General Data Protection Regulation (GDPR), which came into force on 25 May 2018.

By maintaining strict adherence to GDPR, we allow our customers to ensure their own compliance with the new regulation, which has considerable implications beyond existing data protection laws.