Outsourcing Policy (OSP)

The information provided here is for general informational purposes only and is not intended to constitute legal or professional advice. It is provided 'as is' and should not be considered a substitute for a comprehensive review against the relevant laws and regulations as they apply to your company.

Outsourcing Policy (OSP) - Guidance

The JFSC Outsourcing Policy (OSP) outlines seven core principles that regulated companies must adhere to when outsourcing material activities.

To assist you with your outsourcing assessment, Tiller has provided a concise response to the relevant sections under each of these principles:

Core Principle 1: A Business is responsible for and accountable to the JFSC for any Outsourced Activity

(3.1.3) Does our business retain responsibility for the outsourced activity?

Yes, Tiller Technologies is defined as a within the Data Processing Agreement (DPA), which is part of our service agreement with you. This means we only process data based on your instructions as the . The DPA confirms that Tiller cannot be delegated the responsibility for compliance decisions under regulatory law. For example, the decision to onboard a customer can only rest with you, while Verify by Tiller will provide the necessary information and check results to support that decision.

Core Principle 2: A Business must ensure that any Service Provider performing Outsourced Activity is Fit and Proper

(3.2.1) How can our business conduct suitable and proportionate due diligence on Tiller?

Our Trust Centre is designed to provide all the information your business needs to complete a thorough due diligence assessment on Tiller Technologies. Should you require any additional information not available there, please feel free to contact us.

(3.2.3) How does choosing Tiller Technologies help reduce "material risk"?

As a Jersey-registered company with all operational and managerial functions based on the island, Tiller Technologies is well-positioned to minimize any jurisdictional and regulatory risks. Our heritage in financial services gives us deep insight into the needs of regulated companies, but our primary focus is as a firm. We prioritize robust cybersecurity and sound data protection policies, and you can find a detailed overview of these measures in the security section of our Trust Centre.

(3.2.4.2) Does Tiller have adequate capacity and resources to perform the Outsourced Activity?

Tiller has implemented with the use of the framework a complete suite of policies and procedures backed up by a robust governance and oversight structure. This is applied across the company, and full details are provided, including supporting documentation, in our Trust Centre.

(3.2.4.3) Does Tiller have adequate capacity and resources to perform the Outsourced Activity?

Tiller Technologies Limited operates as a wholly owned subsidiary of Tiller Group Limited. The group is in a sound financial position, with its most recent annual accounts publicly available via the company registry. We also maintain all necessary and appropriate insurance policies.

(3.2.5.2) As a cloud services provider, does Tiller adhere to all industry good practices for data security and cyber risks?

Tiller has implemented with the use of the framework a complete suite of policies and procedures backed up by a robust governance and oversight structure. Security to Tiller is paramount. As a leading provider, we are committed to upholding the highest standards of information security, ensuring the confidentiality, integrity, and protection of your and your clients' valuable data within our platforms. Full details are provided in the security section of the Trust Portal, including supporting documentation.

(3.2.5.3) Does Tiller adhere to international standards?

Tiller Technologies has implemented the widely accepted Information Security Management System (ISMS), aligning with the internationally recognized ISO/IEC 27001:2022 standard. This framework is foundational to Tiller's operations, providing clear guidelines for the systematic management of information security, data governance and business compliance.

The ISMS framework helps Tiller ensure it can manage the confidentiality, integrity, and availability of all its information assets, including its platforms, networks, applications, and services. The ISMS serves as a dynamic and systematic approach to identifying and managing information security risks, fostering continuous improvement of Tiller's security controls to protect against evolving threats and uphold the trust placed in its operations.

The Verify by Tiller platform is hosted in Azure data centres in Dublin, Ireland and Amsterdam, Netherlands. Both operate within the laws and regulations of the European Economic Area (EEA).

Core Principle 3: A Business must put in place an Outsourcing Agreement with the Service Provider before the start of the Outsourced Activity

(3.3.1) Does Tiller's service agreement include enforcement of the provisions set out in section 3.3.1 of the JFSC Outsourcing Policy (OSP)?

All ten terms (3.3.1.1 to 3.3.1.10) under core principle 3 are fully addressed in the Tiller Technologies Service Agreement, Terms and Conditions, and the incorporated Data Processing Agreement. A copy of these documents is provided for your review as part of the quotation process.

(3.3.2) How does Tiller's service agreement meet the provisions set out in section 3.3.2 of the JFSC Outsourcing Policy (OSP)?

All ten terms (3.3.2.1 to 3.3.2.10) under core principle 3 are fully addressed in the Tiller Technologies Service Agreement, Terms and Conditions, and the incorporated Data Processing Agreement. A copy of these documents is provided for your review as part of the quotation process.

Core Principle 4: A Business must maintain adequate capacity and resources to implement all necessary policies and procedures to ensure that a Service Provider continues to be Fit and Proper

(3.4.5.3) How does Tiller oversee and test the Outsourced Activity and identify, monitor and mitigate against all associated risks?

Tiller has implemented with the use of the framework a comprehensive suite of Vulnerability, Incident and Risk Management policies and procedures. These are designed to identify, prioritise, mitigate, verify, report and monitor any occurrence of a vulnerability, incident or identified risk. Information on these processes and the supporting documentation is available in our Trust Centre.

Core Principle 5: A Business must maintain suitable contingency plans in case a Service Provider’s performance suffers a material disruption, or ends unexpectedly, for any reason.

(3.5.5) What provisions exist in Tiller's agreement terms and conditions to minimise the impact of voluntary or involuntary termination of its services?

As part of the termination clauses in the Data Processing Agreement, which forms part of the overall Service Agreement, Tiller Technologies makes provision that, if the service expires or terminates, the business's data is made available for download and safekeeping by the business, after which the data will be deleted, except to the extent Tiller is required by applicable law to retain some of the data.

Core Principle 6: Except for where the OSP specifically provides otherwise, a Business must complete and upload an Outsourcing Notification before they appoint a Service Provider; the Service Provider must not start performing the Outsourced Activity until the Business receives a No Objection, and we must be notified of any subsequent material change to the Outsourced Activity as soon as the Business becomes aware

(3.6.1) Do I need to notify the JFSC of our business's use of Verify by Tiller?

Your business must make that determination based on the nature of your business, operational reliance on our services and specific circumstances. We cannot make that determination for you.

That said, for Jersey-regulated companies the answer is probably yes because of paragraph (3.6.5). You may still be required to notify the JFSC, but you may not have to wait for a 'No Objection'. Tiller has provided, via the request form below, an almost completed JFSC Outsourcing Notification form. Tiller has provided answers to the form's questions; however, it is the sole responsibility of your business to review those answers and to ensure that you agree with them based on your own due diligence assessments and that they are correct for your company's business operation.

Core Principle 7: A Business must ensure that there is nothing in the Service Provider’s performance of the Outsourced Activity that would prevent or restrict our regulatory powers in respect of the Business, or the Outsourced Activity

(3.7.2) Does Tiller have provision in its agreements to ensure that the JFSC can access the information it requires to effectively supervise the outsourcing?

Tiller Technologies is a Jersey-registered company and, although not licensed by the regulators, is still subject to all of Jersey's laws. Tiller operates its Verify by Tiller platform from data centres in Ireland and the Netherlands and uses the services of other companies outside of Jersey. Tiller's agreements with those companies all include provisions to ensure that access to data required by law, by any court of competent jurisdiction or by any regulatory or administrative body is assured.

(3.7.3) Does Tiller have provision in its agreements to ensure that other jurisdictions' secrecy laws do not impede the access to information the JFSC requires to effectively supervise the outsourcing?

Tiller does operate its Verify by Tiller platform from data centres in Ireland and the Netherlands. Tiller's agreements with its hosting provider include provisions to ensure that access to data required by law, by any court of competent jurisdiction or by any regulatory or administrative body is assured.


Outsourcing Policy (OSP) - JFSC Outsourcing Notification

The JFSC Outsourcing Policy may require your business to submit a completed Outsourcing Notification for digital services.

To assist you with this process, we have provided a partially completed Outsourcing Notification form containing the information you need from us for your review, completion and submission.

We are happy to make this partially completed outsourcing notification form available to you via the request form below.

It should be noted that some of the questions can only be completed by your business, and that all answers, including those either fully or partially completed by Tiller Technologies, must be reviewed thoroughly and accepted or, if necessary, updated based on your outsourcing due diligence assessment and business regulatory obligations.


JFSC Outsourcing Notification download Request Form
