Learn how Deputy keeps your data secure
View our security certifications, encryption standards, and other tools we employ to keep customer information safe.
Our Security Statement
At Deputy, we strive to maintain a security posture that aligns with leading industry standards with the objective of ensuring that any data entrusted to us is protected from unauthorised access. Our security controls are implemented with a focus on delivering optimal protection while also providing the best possible customer experience.
We prioritize security by investing in and maintaining a mature security program with strong controls. This empowers our customers, partners, vendors, and employees to operate with confidence, knowing that effective measures are in place to protect them.
Compliance
Deputy maintains leading security compliance certifications and attestations demonstrating its adherence to industry-appropriate controls.
We are ISO 27001 and UK Cyber Essentials certified and SOC2 Type II compliant. Additionally, we comply with the PCI-DSS standard as a level 3 merchant and perform an annual self-assessment (SAQ A) supported by quarterly scans from an Approved Scanning Vendor (ASV). Deputy is also listed with the Cloud Security Alliance as a CSA Star Level 1 organisation.
We have implemented security policies, standards, and controls to support our compliance with ISO 27001, SOC2 and PCI-DSS frameworks. These are reviewed annually by internal stakeholders, approved by senior management, and assessed by external auditors.
For more information about our Compliance programs, please visit our Trust Centre where our applicable compliance certificates, attestation reports and other relevant security documentation are available for download.
Product security
Security Best Practice Guides
We share security best-practice Help Guides to educate our customers on how to keep their Deputy accounts safe.
Passwords and Multi-Factor Authentication
Deputy provides a variety of options to help you keep your account secure including Multi-Factor Authentication capabilities on every user account using industry-standard one-time codes.
Single Sign-On
For corporate customers, we support integration with single sign-on providers like Okta, Azure, and Oracle. All login and password data is encrypted, hashed, and stored separately from customer data — so employees can use Deputy safely with multiple employers.
Role-Based Access
Deputy provides role-based access levels so that employees, managers, and administrators can only view data that is relevant to them. This access can be customised to suit your needs.
Customer Separation
All customer data is kept logically separate through sharding of database partitions and multi-regional deployment. This ensures that there is no data overlap or loss of data integrity between customers.
Learn more about Deputy's security practices
- Security Program and Team
Our security program is based on and supported by policies following the ISO 27001 framework, which we certify against. We use the NIST Cybersecurity Framework to measure the efficacy and evolving maturity of our program over time.
Our dedicated security team is responsible for the security of our people, our applications, and their underlying infrastructure. The team is also responsible for the delivery of security incident response and follows the SANS incident handling methodology to prepare, detect and respond to events.
- People and Corporate Security
As a part of our hiring process, we conduct background checks and also ensure that all employees receive security awareness training during their onboarding and annually throughout their employment.
Our company-provided devices are centrally managed via a Mobile Device Management (MDM) technology and built from a standardised, secure configuration. The devices are also protected by an Endpoint Detection and Response (EDR) platform for advanced malware and ransomware protection.
Access to business systems is provided following the principle of least privilege and reviewed quarterly. Access is centrally managed via an authentication provider where multi-factor authentication (MFA) is enforced.
- Secure Software Development Lifecycle (SDLC)
We follow the Agile methodology to continuously integrate new features into our application. Our team is trained in secure coding practices with the objective of preventing OWASP Top 10 vulnerabilities from being introduced.
We prioritize security in our product to help ensure the safety of our users. We achieve this through a "shift-left" approach that involves incorporating security into the design phase.
Various measures have been implemented to enable the detection of bugs or vulnerabilities in the development pipeline and repositories before deploying to production. Code scanning technologies are in place to support this process and prevent deployment if issues are found.
Security is a high priority during the deployment process, with code reviews and unit tests being essential components.
We maintain separate environments and databases for different stages of application development.
- Infrastructure
We protect our applications with the use of a next-gen web application firewall (WAF) along with other security controls to mitigate the risks of common web attacks.
Deputy leverages the cloud-hosting and managed services from Amazon Web Services (AWS) which maintains high standards of security across their data centres.
Our infrastructure is built for scalability and ready to support our customers' data sovereignty needs in 3 strategic regions: Australia, the United Kingdom and the United States.
We protect our systems by monitoring configuration baselines and detecting abnormal and/or unauthorised changes.
System performance monitoring is centrally managed and set to alert upon detection of abnormal workloads.
Deputy utilizes a Security Information and Event Management (SIEM) platform with Security Orchestration and Automated Response (SOAR) capabilities. This allows us to monitor and analyze logs, detect anomalies, and support incident response efforts.
- Data Security
Deputy secures the transmission of data by encrypting it with TLS 1.2 or later. Additionally, all data in storage, including backups, is encrypted with AES-256.
To store credentials securely, login information is hashed using a salt and a work factor. This approach is designed to protect user data from potential security breaches and unauthorized access.
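As an added illustration of what "a salt and a work factor" means in practice (example code written for this page, not Deputy's own implementation; the algorithm, PBKDF2-HMAC-SHA256, and all parameter values are assumptions), the following shows a per-user random salt, a tunable iteration count, constant-time verification, and a check that lets old records be upgraded when the work factor is raised:

```python
import hashlib
import hmac
import os
from typing import Optional

# Illustrative parameters only (assumed for this example, not Deputy's real settings).
SALT_BYTES = 16          # random salt per credential: identical passwords get different hashes
WORK_FACTOR = 200_000    # PBKDF2 iterations; raising this scales the attacker's cost per guess
KEY_LEN = 32             # derived key length in bytes


def hash_password(password: str, work_factor: int = WORK_FACTOR,
                  salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: pbkdf2_sha256$<iterations>$<salt_hex>$<hash_hex>.

    Storing the work factor alongside the hash lets verification stay correct
    after the policy value is increased for new credentials.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 work_factor, dklen=KEY_LEN)
    return f"pbkdf2_sha256${work_factor}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the record's own salt and work factor, compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iterations), dklen=KEY_LEN)
    # hmac.compare_digest avoids leaking how many leading bytes matched via timing.
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def needs_rehash(record: str, current_work_factor: int = WORK_FACTOR) -> bool:
    """True when the stored record used a weaker work factor than current policy.

    Call this after a successful login so the credential can be re-hashed
    transparently with the stronger setting.
    """
    return int(record.split("$")[1]) < current_work_factor


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print("verify ok:", verify_password("correct horse battery staple", record))
    print("needs rehash:", needs_rehash(record))
```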
- Security Testing and Vulnerability Management
We validate the security posture of our applications by engaging an external third party to perform an annual penetration test.
We are also subject to an ongoing, private bug bounty program and encourage security researchers to disclose security vulnerabilities to us in a responsible manner.
Regularly scheduled scans of our applications and infrastructure are also in place to confirm that all aspects of our systems are regularly inspected for potential weaknesses.
Vulnerability management is performed based on the perceived threats and prioritised in accordance with Deputy’s risk tolerances.
- Backup and Disaster Recovery
Deputy's services are hosted in one of the AWS regions in Australia, the UK, or the United States. AWS's managed services help ensure that our systems remain resilient and redundant.
Daily backups are carried out through the automatic backup capabilities of AWS RDS.
Disaster recovery tests are performed annually and Recovery Point Objective (RPO) and Recovery Time Objective (RTO) have been defined.
More details about our service's reliability, resiliency and historical uptime can be found at status.deputy.com.