Your data, safe and secure
We have a deep appreciation for the sensitivity of your data. We combine enterprise-grade security features with regular external audits to ensure it's always protected.
We comply with global data protection and security frameworks.Learn More
We use best-in-class infrastructure to secure your sensitive data.Learn More
Our software is developed with security front of mind.Learn More
We hold our team to the highest standards.Learn More
ISO 27001 Certification
ISO 27001 is a framework for managing IT security and sets out the specification for an information security management system (ISMS) that helps keep data safe. Caruso has achieved ISO 27001:2022 certification and is audited annually to ensure ongoing compliance.
Best-in-class infrastructure provider
Caruso hosts all of its data in physically secure Amazon Web Services (AWS) facilities, including 24/7 on-site security, camera surveillance, and more.
Hardened web security
Cloudflare protects Caruso’s internet-facing services from threats posed by the public internet and the dark web with the best Web Application Firewall (WAF) and DDoS protection available.
Virtual private cloud (VPC)
All of Caruso’s servers are within their own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests from getting to Caruso’s internal network. Most of Caruso’s internal systems are entirely unreachable from the public internet.
All data sent to or from Caruso is encrypted in transit using 256-bit encryption. Caruso’s API and application endpoints are TLS/SSL only and score an A rating on Qualys SSL Labs‘ tests.
Failover and disaster recovery
Caruso was built with disaster recovery in mind. Data is spread across multiple data centres and will continue to be available should any one data centre fail. Disaster recovery procedures are regularly tested using real-world scenarios.
Backups and monitoring
Caruso uses granular backup solutions for databases that contain customer data. All actions taken to modify Caruso resources and infrastructure are logged and audited.
Caruso implements a protocol for handling security events, including escalation procedures, rapid mitigation, and post-mortem.
Client data separation
Caruso’s software is developed with the philosophy that each client’s data must be isolated at multiple levels. Client data is separated at storage retrieval and data transport and verified at the response gateway.
Development and change management
Software development is conducted according to a documented SDLC process, and every change is tracked with version control. Automated controls ensure changes are peer-reviewed and pass extensive automated test suites before delivery.
Dedicated development and test resources
Caruso does not test on client data, period. Caruso operates dedicated development and testing environments.
Automated test suites
Caruso’s engineering team maintains a robust suite of automated tests to identify defects early in the software development lifecycle.
Penetration tests, and vulnerability scanning
Caruso uses third-party security tools to continuously scan for vulnerabilities. Caruso engages third-party security experts to perform detailed penetration tests on the Caruso application and infrastructure on a recurring basis and upon infrastructural upgrades.
Restricted access to data
Access to client data is limited to authorised employees who require it for their job. Caruso is entirely served over HTTPS. There are no corporate resources or additional privileges from being on Caruso's network.
Audited employee access logs
Access to investor and transaction information by Caruso employees is recorded and audited.
Continuous security training
All employees complete annual security awareness training.
Caruso performs criminal background checks on all new employees.
All employee contracts include a confidentiality agreement.
Caruso has developed a comprehensive set of security policies covering various topics, including the ones mentioned on this page. These policies are updated frequently and shared with all employees.