Security

This Security Statement applies to the products, services, websites and apps offered by any-3. We refer to those products, services, websites and apps collectively as the "services" in this Statement. 
Any-3 values the trust that our customers place in us by letting us act as custodians of their data. We take our responsibility to protect and secure information seriously and strive for complete transparency around our security practices detailed below.

Physical Security

Any-3's information systems and technical infrastructure are hosted in UK world class accredited data centres. Physical security controls at our data centres include 24x7 monitoring, cameras, visitor logs, entry requirements.

Compliance

any-3 is working towards ISO 27001 certification.

Access Control

Access to any-3's technology resources is only permitted through secure connectivity (e.g., VPN, SSH) and requires multi-factor authentication. any-3 grants access on a need to know on the basis of least privilege rules, reviews permissions quarterly, and revokes access immediately after employee termination.

Security Policies

any-3 maintains and regularly reviews and updates its information security policies, at least on an annual basis. Employees must acknowledge policies on an annual basis and undergo additional training such Secure Coding, and job specific security and skills development and/or privacy law training for key job functions. The training schedule is designed to adhere to all specifications and regulations applicable to any-3.

Personnel

any-3 conducts background screening at the time of hire. In addition, any-3 communicates its information security policies to all personnel (who must acknowledge this), and provides ongoing privacy and security training.

Vulnerability Management and Penetration Tests

any-3 maintains a documented vulnerability management program which includes periodic scans, identification, and remediation of security vulnerabilities on servers, workstations, network equipment, and applications. All networks, including test and production environments, are regularly scanned using trusted third party vendors. Critical patches are applied to servers on a priority basis and as appropriate for all other patches.
We also conduct regular internal and external penetration tests and remediate according to severity for any results found.

Encryption

We encrypt your data in transit using secure TLS cryptographic protocols. any-3 data is also encrypted at rest.

Development

Our development team employs secure coding techniques and best practices, focused around the OWASP Top Ten.
Development, testing, and production environments are separated. All changes are logged and tested before being deployed to production systems.

Asset Management

any-3 maintains an asset management policy which includes identification, classification, retention, and disposal of information and assets. Company-issued devices are equipped with full hard disk encryption and up-to-date antivirus software. Only company-issued devices are permitted to access corporate and production networks.

Information Security Incident Management

any-3 maintains security incident response policies and procedures covering the initial response, investigation, customer notification (no less than as required by applicable law), public communication, and remediation. These policies are reviewed regularly.

Breach Notification

Despite best efforts, no method of transmission over the Internet and no method of electronic storage is perfectly secure. We cannot guarantee absolute security. However, if any-3 learns of a security breach, we will notify affected users so that they can take appropriate protective steps. Our breach notification procedures are consistent with our obligations under applicable laws and regulations, as well as any industry rules or standards applicable to us. We are committed to keeping our customers fully informed of any matters relevant to the security of their account and to providing customers all information necessary for them to meet their own regulatory reporting obligations.

Information Security Aspects of Business Continuity Management

any-3's databases are backed up on a rotating basis of full and incremental backups and verified regularly. Backups are encrypted and stored within a secure environment to preserve their confidentiality and integrity and are tested regularly to ensure availability.

Logging and Monitoring

Application and infrastructure systems log information to a centrally managed log repository for troubleshooting, security reviews, and analysis by authorised any-3 personnel. Logs are preserved in accordance with regulatory requirements.