Data Security
Your data, safe and secure
We have a deep appreciation for the sensitivity of your data. We combine enterprise-grade security features with regular external audits to ensure it's always protected.
Compliance
ISO 27001 Certification
ISO 27001 is a framework for managing IT security and sets out the specification for an information security management system (ISMS) that helps keep data safe. Caruso has achieved ISO 27001:2022 certification and is audited annually to ensure ongoing compliance.
Infrastructure
Best-in-class infrastructure provider
Caruso hosts all of its data in physically secure Amazon Web Services (AWS) facilities, including 24/7 on-site security, camera surveillance, and more.
Hardened web security
Cloudflare protects Caruso’s internet-facing services from threats posed by the public internet and the dark web with the best Web Application Firewall (WAF) and DDoS protection available.
Virtual private cloud (VPC)
All of Caruso’s servers are within their own virtual private cloud (VPC) with network access control lists (ACLs) that prevent unauthorised requests from getting to Caruso’s internal network. Most of Caruso’s internal systems are entirely unreachable from the public internet.
Encryption
All data sent to or from Caruso is encrypted in transit using 256-bit encryption. Caruso’s API and application endpoints are TLS/SSL only and score an A rating on Qualys SSL Labs’ tests.
Failover and disaster recovery
Caruso was built with disaster recovery in mind. Data is spread across multiple data centres and will continue to be available should any one data centre fail. Disaster recovery procedures are regularly tested using real-world scenarios.
Backups and monitoring
Caruso uses granular backup solutions for databases that contain customer data. All actions taken to modify Caruso resources and infrastructure are logged and audited.
Incident response
Caruso implements a protocol for handling security events, including escalation procedures, rapid mitigation, and post-mortem.
Development
Client data separation
Caruso’s software is developed with the philosophy that each client’s data must be isolated at multiple levels. Client data is separated at storage, at retrieval and in data transport, and the separation is verified at the response gateway.
Development and change management
Software development is conducted according to a documented SDLC process, and every change is tracked with version control. Automated controls ensure changes are peer-reviewed and pass extensive automated test suites before delivery.
Dedicated development and test resources
Caruso does not test on client data, period. Caruso operates dedicated development and testing environments.
Automated test suites
Caruso’s engineering team maintains a robust suite of automated tests to identify defects early in the software development lifecycle.
Penetration tests and vulnerability scanning
Caruso uses third-party security tools to continuously scan for vulnerabilities. Caruso engages third-party security experts to perform detailed penetration tests on the Caruso application and infrastructure on a recurring basis and upon infrastructural upgrades.
People
Restricted access to data
Access to client data is limited to authorised employees who require it for their job. Caruso is entirely served over HTTPS. Being on Caruso's network confers no access to corporate resources and no additional privileges.
Audited employee access logs
Access to investor and transaction information by Caruso employees is recorded and audited.
Continuous security training
All employees complete annual security awareness training.
Employee vetting
Caruso performs criminal background checks on all new employees.
Confidentiality
All employee contracts include a confidentiality agreement.
Corporate policies
Caruso has developed a comprehensive set of security policies covering various topics, including the ones mentioned on this page. These policies are updated frequently and shared with all employees.