Data Security

Your data, safe and secure

We have a deep appreciation for the sensitivity of your data. We combine enterprise-grade security features 
with regular external audits to ensure it's always protected.


We comply with global data protection and security frameworks.

Learn More


We use best-in-class infrastructure to secure your sensitive data.

Learn More


Our software is developed with security front of mind.

Learn More


We hold our team to the 
highest standards.

Learn More


ISO 27001 Certification

ISO 27001 is a framework for managing IT security and sets out the specification for an information security management system (ISMS) that helps keep data safe. Caruso has achieved ISO 27001:2022 certification and is audited annually to ensure ongoing compliance.


Best-in-class infrastructure provider

Caruso hosts all of its data in physically secure Amazon Web Services (AWS) facilities, including 24/7 on-site security, camera surveillance, and more.

Hardened web security

Cloudflare protects Caruso’s internet-facing services from threats posed by the public internet and the dark web with the best Web Application Firewall (WAF) and DDoS protection available.

Virtual private cloud (VPC)

All of Caruso’s servers are within their own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests from getting to Caruso’s internal network. Most of Caruso’s internal systems are entirely unreachable from the public internet.


All data sent to or from Caruso is encrypted in transit using 256-bit encryption. Caruso’s API and application endpoints are TLS/SSL only and score an A rating on Qualys SSL Labs‘ tests.

Failover and disaster recovery

Caruso was built with disaster recovery in mind. Data is spread across multiple data centres and will continue to be available should any one data centre fail. Disaster recovery procedures are regularly tested using real-world scenarios.

Backups and monitoring

Caruso uses granular backup solutions for databases that contain customer data. All actions taken to modify Caruso resources and infrastructure are logged and audited.

Incident response

Caruso implements a protocol for handling security events, including escalation procedures, rapid mitigation, and post-mortem.


Client data separation

Caruso’s software is developed with the philosophy that each client’s data must be isolated at multiple levels. Client data is separated at storage retrieval and data transport and verified at the response gateway.

Development and change management

Software development is conducted according to a documented SDLC process, and every change is tracked with version control. Automated controls ensure changes are peer-reviewed and pass extensive automated test suites before delivery.

Dedicated development and test resources

Caruso does not test on client data, period. Caruso operates dedicated development and testing environments.

Automated test suites

Caruso’s engineering team maintains a robust suite of automated tests to identify defects early in the software development lifecycle.

Penetration tests, and vulnerability scanning

Caruso uses third-party security tools to continuously scan for vulnerabilities. Caruso engages third-party security experts to perform detailed penetration tests on the Caruso application and infrastructure on a recurring basis and upon infrastructural upgrades.


Restricted access to data

Access to client data is limited to authorised employees who require it for their job. Caruso is entirely served over HTTPS. There are no corporate resources or additional privileges from being on Caruso's network.

Audited employee access logs

Access to investor and transaction information by Caruso employees is recorded and audited.

Continuous security training

All employees complete annual security awareness training.

Employee vetting

Caruso performs criminal background checks on all new employees.


All employee contracts include a confidentiality agreement.

Corporate policies

Caruso has developed a comprehensive set of security policies covering various topics, including the ones mentioned on this page. These policies are updated frequently and shared with all employees.

See Caruso in action

Learn how Caruso can help you effortlessly manage your investors and funds, whether you have $10M or $100B in AUM.