
Infrastructure

The robust and scalable infrastructure underpinning Tiller Technologies' SaaS products is hosted entirely within Microsoft Azure, a leading global cloud platform. Our strategic choice allows us to leverage Azure's world-class security capabilities, unparalleled availability, and extensive global network to deliver a highly reliable and scalable service. This section provides information on our infrastructure architecture design and the operational controls implemented to ensure continuous availability and resilience, from data encryption to disaster recovery and monitoring.

How does Tiller host its platforms?

Tiller Technologies leverages the robust, virtualised infrastructure provided by Microsoft Azure data centres strategically located in Dublin, Ireland, and Amsterdam, Netherlands. This choice of infrastructure was based on the exceptional quality, security, and resilience provided by Azure, crucial for handling sensitive data and ensuring continuous service availability. Azure's state-of-the-art facilities are designed with multiple layers of physical and digital security, and geo-redundancy for disaster recovery, ensuring that data remains protected and services are resilient against disruptions. Tiller further enhances this by requiring confidential data stored in those data centres to be encrypted both at rest and in transit, and by maintaining comprehensive backup procedures for all cloud-stored data.

Our commitment to data and system integrity is underscored by our adherence to rigorous information security standards. Tiller Technologies' cloud services are certified to the ISO/IEC 27001:2022 international standard for information security, with annual surveillance audits confirming ongoing compliance. We also align with the ISO/IEC 27017 code of practice for information security controls in the cloud and ISO/IEC 27018 for the protection of personally identifiable information (PII) in the cloud. This dedication, combined with our robust availability management policy and regular testing of incident response plans, ensures that Tiller's infrastructure and services provide a secure, reliable, and highly available environment for our platforms and customer data.

How does Tiller ensure Verify by Tiller can maintain its performance under heavy load?

The Verify by Tiller platform has been specifically designed and developed to be scalable. All our services are hosted on virtualized infrastructure, a core component that enables rapid and dynamic scaling to meet demand. This virtualized infrastructure and architecture allow us to efficiently scale "up" by adding additional performance resources when needed and to scale "out" by expanding the number of concurrent operations, ensuring consistent high performance even during peak loads.

Scale Up and Scale Out

To facilitate seamless and efficient communication across our distributed software services, Tiller Technologies employs an Enterprise Service Bus (ESB) as its middleware communication layer. The ESB is instrumental in enabling data communication in a decoupled, scalable, and reliable manner, preventing single points of failure and allowing individual services to evolve independently without impacting the overall platform.

For database scalability, we use Azure SQL Server Elastic Pools with a Database Transaction Unit (DTU) based configuration, optimising database storage, compute and IO usage.

What data loss prevention (DLP) strategies do you employ?

Tiller follows a standard 7-step strategy to appropriately manage the data it holds. This approach to DLP is designed to prevent sensitive data from leaving our controlled environment without authorization. To do this, we have implemented processes that identify, monitor, and protect data at rest, in motion, and in use across our systems.

Our strategy integrates seamlessly with Azure's native security capabilities, leveraging its advanced features to detect anomalous activities, and enforce granular access controls. We continuously refine our DLP measures based on ongoing threat intelligence and regular assessments, ensuring that our defences evolve to counter emerging risks and maintain the confidentiality and integrity of your data.

Our 7-step DLP strategy:

  1. Prioritise data based on sensitivity, ownership, volatility

  2. Categorise data based on type, location, storage, retention

  3. Risk classification based on access, visibility, change control

  4. Review & monitor: based on priority, category & risk, review and ensure the data is under appropriate control and management. Establish a review frequency based on the priority & risk.

  5. Effect a reporting structure for key stakeholders to communicate current status, risk & incidents effectively

  6. Effect training to both technical and administrative staff on the controls and monitoring procedures and policies

  7. Effect control steps as part of the change and incident management processes, to ensure any changes or incidents are handled in line with the DLP strategy

How do you ensure compliance with the Data Protection Act in regard to information held on hosting platforms like Azure?

As part of its selection process for a hosting provider, Tiller took the Data Protection Act requirements into careful consideration. Microsoft has been a leader amongst providers, ensuring its Azure services and the contracts that govern them are fully compliant with UK and EU regulations. The Data Protection Act requires companies using cloud services, and the cloud providers themselves, to address the following:

  • Implementing retention effectively in the cloud. We ensure that PII data held is only retained in the cloud databases, backups etc. for the period required to perform our services and that data is deleted at the end of that period.

  • Cloud provider breach response and notification. We have confirmed that our agreements with Microsoft Azure ensure their compliance with regulatory obligations for notification and mitigation support in the event of a breach.

  • Processing of personal data outside the European Economic Area (EEA). Tiller only uses Azure resources and storage hosted and maintained within the EEA. We currently use Azure datacentres in Dublin & Amsterdam.

  • Data portability & data ownership. Our Azure agreement (Microsoft Online Agreement Addendum Financial Services) explicitly ensures provision for data export and our services include export to machine readable formats. The addendum also ensures our compliance with the FCA's FG 16/5 guidance for firms outsourcing to the 'cloud' and other third-party IT services.

  • Risk management. Our cloud provider, Microsoft Azure, is subject to our Data Protection Impact Assessment process. Also, our agreement with Microsoft Azure ensures there is a right to access independent audit reports on their service, available via their Service Trust Portal: https://servicetrust.microsoft.com/ViewPage/PrivacyDataProtection

  • Security of Privacy. Azure was selected as our cloud provider as they meet all UK and international data protection and security standards, and those standards are regularly assessed and penetration tested, with the results accessible at https://servicetrust.microsoft.com/viewpage/PenTest


Available Supporting Infrastructure Documents

The following infrastructure-related supporting documentation is available via the request form below:

  • TTL - ISMS-DOC-A05-3 Cloud Computing Policy

  • TTL - ISMS-DOC-A05-4 Cloud Service Specifications

  • TTL - ISMS-DOC-A08-2 Information Classification Procedure

  • TTL - ISMS-DOC-A12-2 Change Management Process

  • TTL - ISMS-DOC-A12-4 Anti-Malware Policy

  • TTL - ISMS-DOC-A12-5 Backup Policy

  • TTL - ISMS-DOC-A12-8 Technical Vulnerability Management Policy

  • TTL - ISMS-DOC-A12-9 Technical Vulnerability Assessment Procedure

  • TTL - ISMS-DOC-A17-2 BCP (Client Product Services DR Plan)

  • TTL - ISMS-DOC-A17-6 Availability Management Policy


Infrastructure Documentation Request Form
