Security at Thirdfort

Thirdfort is committed to maintaining appropriate technical and organisational measures to protect our data against unauthorised or unlawful processing.

Password security and authentication

Users of the Thirdfort Platform are authenticated via two-factor authentication. This requires a user to verify their identity in two distinct ways before they are granted access to the system.

Each user can log in via one of the following options: 

  • Provide a one-time password using an authenticator app. This flow will ask the user to enter a one-time password from the authenticator app of their choice.

  • Provide a one-time password via a phone message. This flow will ask the user to receive an SMS or an automated voice message on their registered phone.

This provides an extra layer of protection for user accounts and decreases the risk of unauthorised access and system breaches.

Our employees log in to the Thirdfort Platform using an account that is subject to strict security controls, including robust requirements around password complexity and multi-factor authentication. Only staff that strictly need access are granted it, and only at the minimum level required.

We have policies and technologies that ensure credentials are securely managed. We also ensure:

  • all devices are encrypted, meaning data on the device cannot be extracted without the cryptographic key; and

  • common attacks, such as the use of boot mode, are prevented from being used to access the data. 

We grant access to systems and accounts in line with the principle of least privilege. Such access is removed on notice of termination or on the employee’s last day as part of our standard off-boarding process.

Data protection at Thirdfort

In order to successfully perform your requested checks, Thirdfort gathers and processes personal data, including biometric information from clients. We collect, process and store this data in line with the Data Protection Act 2018, UK GDPR, and all other relevant data protection legislation.

All information regarding the collection and processing of PII at Thirdfort is set out in our Privacy Policy.

We host our technical infrastructure and our databases on Google Cloud Platform ("GCP"). This means we inherit the robust security structure and mechanisms that are maintained by GCP. You can read about Google’s compliance infrastructure here.

Data is stored in our database services which are managed by GCP. We have three data centres located at different physical sites. 

We do not permit data storage on local machines.

We use service providers which are located outside of the UK and European Union. Where this is the case, we ensure adequate contractual provisions are in place between us and the service provider, including arranging for UK GDPR compliant transfer mechanisms to be in place. 
You can read more about our data providers and sources here.

Data in transit is encrypted using at least TLS 1.2. 

All data is encrypted at rest following industry best practices and leveraging ciphers that guarantee a level of protection equivalent to AES-256 or stronger.

All of our web applications enforce the use of HTTPS.

All database data is encrypted and backups are well protected.

We employ a variety of measures to segregate data across our IT estate. Our software architecture ensures the separation of data and the security of information between different customers and application components. 

We perform routine vulnerability scanning of our assets and firewalls are used to protect data and systems from the Internet and other untrusted networks. We monitor our security logs frequently to detect malicious activity. 

We conduct penetration testing annually, with any remediation actions identified built into our Engineering team’s workload in accordance with priority and urgency.

We currently store all our customer data on GCP and leverage the mechanisms provided by Google to ensure the integrity of the data. This allows us to provide geo-redundancy for 99.9% of newly written objects within an hour. 

All of our employees and contractors are required to sign standardised employment or contractor agreements prior to their start date, which contain detailed confidentiality provisions.

As you are the data controller of all initiation and report data, we must receive a written data deletion request from you in order for us to remove this data from our platform. If your client would like us to remove the report from our system, we would need to request confirmation from you before actioning this.
Please send all written data deletion requests to our support team ([email protected]) from the user who requested the check.

On receipt of your request, all initiation and report data is removed from our platform within 30 days. This includes the client’s name and mobile number, and all information used to generate the report including their date of birth and home address. The report will be permanently deleted and unavailable to download or recover.

FCA Regulated

Thirdfort is licensed by the Financial Conduct Authority (FCA) to offer account information services. This means the FCA has conducted an in-depth review of our security policies, and we are required to send quarterly reports regarding our Operational and Security Risks.

Security certifications and accreditations

We currently hold the following certifications and accreditations:

Digital Identity and Attributes Trust Framework

A government (DSIT) certification scheme under which Thirdfort has been certified as an Identity Service Provider (IDSP).

ISO 27001 Certified

A globally recognised information security standard which provides a framework and guidelines for establishing, implementing and managing an information security system.

ISO 9001

The international standard for a quality management system, designed to help organisations demonstrate their ability to consistently meet customer and regulatory requirements and continuously improve customer satisfaction.