Security & confidentiality

The NUMARQE application uses industry-standard encryption methods to protect data at rest and in motion. This is achieved in transit using HTTPS AES-256 or better, where data transmission happens between customer browsers and our application and APIs. We use Amazon's RDS and S3 services to store application data. All data stored AES-256 (or better) encrypted, as are our automated backups, read replicas, and snapshots. The transmission with RDS and S3 uses Transport Layer Security (TLS) v1.2.

NUMARQE isolates our database instances in our virtual private network. Extremely limited access is granted by using industry-standard encrypted IPSec VPN for maintenance purposes only.

After a period of inactivity or time, user sessions are expired to prevent unsanctioned access to a user's account.

NUMARQE encourages and enforces strong password requirements and supports additional factors via mobile biometric authentication such as Face ID and Touch ID.

As users onboard and accounts are created, all users, by default, are required to set up an additional factor for authentication. Knowing a user's password is not enough, and an additional factor will be presented. All sensitive user action amendments to the platform and account require users to re-authenticate to confirm the intended user is performing the correct action.

One-time authorisation challenges for registering new devices approved for authenticating users to the platform.

NUMARQE uses Amazon’s AWS services for hosting our platform application data and business logic. Additionally, Vercel is used to host and serve our static frontends, which also uses AWS. No data used to operate our platform is stored at Vercel. For more information: AWS Compliance

Our cloud service providers implement layered physical security controls to ensure on-site security, including vetted security guards, fencing, video monitoring, intrusion detection technology, and more. For more information: AWS Physical Security

NUMAQRE is deployed on public cloud infrastructure. Services are deployed to multiple zones for availability and are configured to scale dynamically in response to measured and expected load. Our continuous integration processes incorporate simulated load tests and API response time tests. 

In the event of a significant outage, NUMARQE has the ability to deploy a new instance of the application to a new hosting environment in a different region. Our Disaster Recovery plan ensures the availability of services and ease of recovery during such a disaster. This plan and its processes are tested and reviewed regularly as we evolve and continuously improve.

Development, staging and production environments are separated. No customer data is used in any non-production environment and is highly restricted.

Our quality controls are baked into our continuous integration processes, review and test the code base. We analyse code for uniformity, library use, optimisation techniques and known security issues, and developers peer review all code before it is merged into master branches to ensure that it is fit for purpose.

Protecting customer privacy is key to our philosophy and success. We fully manage where and how we store customer data and do not include customer data in any system or environment other than our production services. The NUMARQE privacy policy, which describes how we handle data, can be found here

There are risks associated with improper vendor management. We evaluate and onboard all our vendors. We take steps to evaluate their information security standards and make sure they comply with the standards we upheld ourselves by or better. NUMARQE works with PCI DSS-certified partners to safeguard your payment information to provide you with the best level of service. We re-assess all vendors on an ongoing basis and generally have a relationship with them.