Platform Security and Compliance Policy

Last updated: 27th August 2025

1. Introduction

This Platform Security and Compliance Policy sets out the measures implemented by ArtAML™ Limited to safeguard personal data, ensure platform resilience and maintain compliance with applicable regulations. The policy is designed to provide assurance to clients and their customers who upload Customer Due Diligence information into the ArtAML™ platform.

2. Data Security

ArtAML™ applies layered security measures to protect the confidentiality, integrity and availability of data. All data is encrypted in transit using TLS 1.2 or higher and encrypted at rest using AES-256. Keys are managed securely with appropriate rotation practices. Confidential information is segregated logically within the multi-tenant environment.

3. Security Controls Framework

The following categories of controls are applied across ArtAML™ systems and infrastructure:

3.1 Physical Access Controls

Hosting providers (including DigitalOcean and Backblaze) operate ISO 27001-certified and SOC 2-audited data centres. Facilities are protected by perimeter security, locked access, CCTV monitoring and restricted entry to authorised personnel only.

3.2 System Access Controls

Multi-factor authentication is required for administrative access. Strong password policies are enforced, including minimum length, complexity and expiration. Unique user IDs are assigned to all users. Sessions are logged and monitored to detect unusual or unauthorised activity. Authentication mechanisms include secure tokens and role-based permissions.

3.3 Data Access Controls

Role-based access controls restrict data access to personnel with a legitimate business need. Access rights are reviewed regularly and revoked promptly when no longer required. All access to personal data is logged. Encryption at rest ensures data is protected against unauthorised disclosure.

3.4 Transmission Controls

All data transmitted between clients, their customers and ArtAML™ systems is protected using TLS 1.2+ encryption. Secure APIs are used for third-party integrations. Key management practices prevent interception or misuse.

3.5 Input Controls

System logs maintain records of data creation, modification and deletion. Input validation prevents malformed or malicious data from being introduced. Audit trails are maintained to support investigations and demonstrate compliance with the Money Laundering Regulations.

3.6 Data Backups

Encrypted backups are taken regularly and stored in geographically separate facilities. Backups are tested periodically to verify integrity and recovery capability. Backblaze provides secondary encrypted storage in ISO 27001-certified data centres. Business continuity and disaster recovery plans ensure service availability.

3.7 Data Segregation

Client data is logically segregated within the ArtAML™ multi-tenant platform. Database-level controls prevent unauthorised cross-client access. Segregation is preserved across live systems, backups and archives.

3.8 Cybersecurity and Vulnerability Management

ArtAML™ applies regular vulnerability scanning, penetration testing and patch management. Security patches are applied promptly. Network segmentation and firewalls restrict unauthorised access. An incident response process is maintained, including escalation paths, containment measures and client notification. Threat intelligence feeds and monitoring tools are used to detect potential attacks.

4. System Monitoring and Logging

Systems are continuously monitored for performance, availability and security events. Logs are centralised, time-synchronised and retained in line with compliance obligations. Alerts are generated for anomalous or suspicious activity. Monitoring supports incident detection and forensic investigation.

5. Compliance and Certifications

ArtAML™ and its hosting partners comply with applicable data protection and security standards. Sub-processors such as DigitalOcean and Backblaze maintain ISO 27001 certification and SOC 2 compliance. Controls are aligned with the requirements of UK GDPR, the Data Protection Act 2018 and the Money Laundering Regulations 2017.

6. Business Continuity and Disaster Recovery

ArtAML™ maintains business continuity and disaster recovery plans to ensure resilience. These include failover strategies, regular backup testing and restoration exercises. Recovery time objectives and recovery point objectives are defined and tested to ensure availability of services during disruption.

7. Incident Response

An incident response framework is in place to identify, assess and resolve security incidents. The framework includes escalation procedures, root cause analysis and corrective actions. Clients will be notified without undue delay if an incident impacts their data. Lessons learned are incorporated into updated procedures.

8. Review and Updates

This policy is reviewed and updated as necessary to reflect changes in technology, regulatory requirements and best practice. Clients will be provided with the latest version of the policy on request.

9. Company Policies