Flagstone cybersecurity statement


We take the security of our clients’ personal information and valuable data very seriously. This includes defending against ever-evolving cybersecurity threats, including external ‘threat actors’ and potential ‘malicious insiders’. We are committed to managing cybersecurity-related risks, and we build resilience against potential cyber incidents.

Below, we outline the specific measures in place to protect client information and highlight our overall approach to cybersecurity, our clients, and their data.


1. Keeping you safe from fraudsters

Fraudsters are continually developing ever more clever ways to trick people into sending them money, usually by pretending to be someone they trust or someone in despair. Many are professionals, and have an uncanny way of making their emails and telephone calls seem legitimate. We will only ever authorise payments from a client’s Flagstone holding account to their nominated return account. If there is any shred of doubt about a payment – get another opinion, say from a friend or family member, or ask the financial institution for advice using a trusted contact number or email from their official website.


2. Cryptography

We use a number of state-of-the-art encryption standards across our entire enterprise. For the technical people out there, these include AES-256 (Advanced Encryption Standard) to protect data at rest and industry-standard hashing algorithms to protect authentication information. We also prefer to use TLS 1.2 (Transport Layer Security) on all software products.


3. Physical security

As a cloud-native business, no client data is held in our office. Instead, our SaaS platform is hosted by highly-protected data centres.


4. Operations

We have documented procedures for all standard operations, and change management is tightly controlled by our Change Management Policy. Dedicated teams of CloudOps and Principal Engineers monitor the live platform 24/7 for any alerts.


5. Incident management

We have a documented Incident Management policy. Any incidents are captured in reports and include root-cause analysis, lessons learned and follow-up actions. Again, our dedicated on-call teams monitor our live platforms 24/7 and must respond to an alert within 15 minutes – day or night.


6. Business continuity

We also have a Business Continuity Plan (BCP), recovery procedures and trained response teams. We test both our BCP and recovery procedures at least twice each year.


7. Suppliers

Our Risk Management Framework ensures we closely manage our suppliers using risk management principles – especially those we consider critical to our daily operations.


8. Looking out for vulnerable customers

Looking out for vulnerable customers is an integral part of our approach to protecting our clients. We understand unexpected circumstances can leave anyone struggling to manage their financial situation. By protecting people’s finances, we help them look after their families – and futures.



Take five to stop fraud

To help protect yourself from financial fraud, please visit ‘Take Five to stop fraud’. A national campaign offering straightforward, impartial advice, Take Five is packed with useful information and tips on how to keep your finances safe.