Security & Data Protection

AccountKit's approach to protecting our systems and your data.

ISO 27001 security standard compliance

AccountKit is independently certified as compliant with ISO/IEC 27001:2022, the leading global information security management system (ISMS) standard.

If you would like a copy of the certificate as part of your evaluation process, please reach out to support@account-kit.com.

 


Our commitment to you and the protection of your data

Protecting our customers’ data — and your clients’ data — is a core priority at AccountKit. We apply modern industry standards and best practices to ensure your information is secure, available, and controlled.

For detailed documentation and certifications, please visit our Trust Centre.

 

Data Location & Hosting

All customer data is hosted in Amazon Web Services (AWS) infrastructure located in Sydney, Australia.

We do not host customer data in multiple regions. Data from UK and EU customers is processed in Australia in accordance with applicable data transfer safeguards, including Standard Contractual Clauses.

AccountKit is built within the OutSystems platform, which operates on AWS infrastructure and is used globally across government and enterprise environments.

 

How We Protect Your Data

We implement layered security controls across infrastructure, application, and access levels.

This includes encryption, access controls, audit logging, continuous monitoring, and secure development practices designed to protect your data at all times.

Access Controls & Authentication

Access to data is restricted based on the principle of least privilege.

  • Multi-factor authentication (2FA) is mandatory for all users

  • Configurable authentication options including authenticator apps and SSO

  • Tenant-level control over password policies and login methods

User permissions allow administrators to control what data users can access and what actions they can perform.

 

Encryption & Data Security

  • All data in transit is encrypted using TLS 1.2 or higher

  • Data at rest is encrypted using AES-256

  • Passwords and security data are securely hashed

We implement protections against common threats including cross-site scripting (XSS) and SQL injection. 

 

Monitoring, Logging & Alerts

AccountKit is continuously monitored for downtime, errors, and access activity. 

  • Detailed audit logs are maintained

  • System activity is tracked for security and debugging

  • Critical alerts are escalated immediately to our engineering team

Backups & Disaster Recovery

  • Regular backups are maintained across multiple physical locations

  • Data can be restored to specific points in time within a 14-day window

  • Full system recovery procedures are in place to minimise disruption

     

Independent Testing & Certification

AccountKit is independently certified to ISO/IEC 27001:2022.

We also undergo regular penetration testing by independent global security specialists to identify and address potential vulnerabilities.

 

Sub-processors & Infrastructure Providers

We rely on trusted third-party providers to deliver our services, including infrastructure, communications, and integrations.

These providers are subject to appropriate contractual and security obligations.

A list of key sub-processors is available upon request or can be viewed here.

 

Administrative Access Controls

Access to production systems is strictly controlled.

  • Access is limited to authorised personnel only

  • Access is granted based on operational necessity

  • All access is monitored and logged

 

Data Ownership

You retain full ownership of your data.

  • You can export your data at any time

  • AccountKit does not store your underlying documents (these remain in your document management system such as SharePoint or Google Drive)

 

Vendor Management

All vendors and contractors undergo a structured due diligence process before engagement.

The level of assessment depends on the type of data involved and the associated risk profile.


 

Trust Centre

For detailed security documentation, certifications, and reports, visit our Trust Centre.