Organisational & Security Measures

A comprehensive overview of our standards, frameworks, and security practices to protect your data and our platform.

Last updated: February 2026

Security at a Glance

  • UK primary hosting with UK residency controls: core platform data hosted in AWS UK regions; third-party processors contractually restricted to UK or UK/EU regions, with full subprocessor disclosure
  • No card data stored — PCI-DSS Level 1 tokenised workflows only
  • Independently penetration tested annually, after major changes, and with external retest on critical findings
  • Cyber Essentials Plus Certified (2026)
  • 99.99% uptime target with defined RTO/RPO
  • 24/7 automated threat monitoring & SIEM
  • Immutable audit logs for every action
  • No customer PII used to train AI models
  • DPIAs conducted for all high-risk processing including children's data
  • TLS 1.3 enforced, HSTS & Perfect Forward Secrecy enabled
  • Encryption keys managed via AWS KMS with automatic rotation
  • Public responsible disclosure policy

🏛️ Standards, Frameworks & Compliance

Information Security Management

Standard/Framework | Description
ISO 27001 | Internationally recognised standard for information security management systems (ISMS)
ISO 42001 | Global standard for AI Management Systems, ensuring responsible and transparent AI governance
NIST CSF 2.0 | US National Institute of Standards and Technology Cybersecurity Framework for comprehensive risk management
AWS Well-Architected Framework | AWS framework for designing and operating reliable, secure, efficient cloud workloads across six pillars (operational excellence, security, reliability, performance efficiency, cost optimisation, sustainability)
GDPR | Full compliance with UK/EU data protection and privacy regulations
Cyber Essentials Plus | UK Government-backed cybersecurity certification with independent technical verification
WCAG 2.2 AA | Web Content Accessibility Guidelines ensuring our platform is accessible to all users, including those with disabilities

Cyber Essentials Plus Certified

Verified 2026

iAntz holds Cyber Essentials Plus certification, the UK Government-backed scheme that includes independent technical verification and helps organisations guard against the most common cyber threats. This independently verified certification demonstrates our commitment to fundamental cybersecurity hygiene, covering secure configuration, access control, malware protection, patch management, and firewalls.

AI Governance (ISO 42001)

Our use of AI and large language models is governed by ISO 42001, the global standard for AI Management Systems. This ensures we implement responsible AI practices, transparent governance, risk assessment, and continuous improvement for all AI systems used in our platform.

We use purpose-selected models from providers including OpenAI, Google (DeepMind), Anthropic (Claude), Meta Llama, AWS, and xAI (Grok), each selected for specific tasks. All AI providers are contractually vetted for security and data protection.

AI Data Protection Commitments:

  • No customer PII used to train external AI models — contractually enforced with all providers
  • Data minimisation enforced — only the minimum necessary data is passed to AI systems
  • Prompts anonymised and tokenised before leaving our environment where technically feasible
  • AI access segregated from production databases by design
  • Human review safeguards in place for AI-assisted operational decisions
  • AI is not authorised to initiate payments or move funds. All payment execution is deterministic and rules-based; AI is used only for non-transactional functions such as categorisation, anomaly flagging, and content generation
  • Data Protection Impact Assessments (DPIAs) completed for all AI use cases involving personal data
  • AI providers contractually restricted from using iAntz data for model training

NIST CSF 2.0 Core Functions

Function | Our Approach
Govern | Security leadership, policies, and risk management oversight
Identify | Asset management, risk assessment, and supply chain security
Protect | Access controls, encryption, and security awareness training
Detect | Continuous monitoring, anomaly detection, and threat intelligence
Respond | Incident response planning, communication, and mitigation
Recover | Business continuity, backup restoration, and lessons learned

🇬🇧 UK-Based Operations & Data Residency

  • Core platform data — application data and PII processed and stored in AWS UK (London) regions
  • Entire operation — development, support, and administration — run from the UK
  • Full compliance with UK GDPR and UK data protection regulations
  • Where third-party processors are used, processing is contractually restricted to the UK or UK/EU regions; personal data is not transferred outside UK/EU
  • All third-party processors operate under formal Data Processing Agreements (DPAs) and, where applicable, UK GDPR Standard Contractual Clauses (SCCs)
  • Full subprocessor disclosure is provided in the Data Processors section of this page — we do not use undisclosed subprocessors

☁️ Cloud Infrastructure

AWS Well-Architected Framework

Our platform is built primarily on Amazon Web Services (AWS), architected according to the six pillars of the AWS Well-Architected Framework:

Pillar | What This Means
Security | Defence in depth, identity management, and data protection at every layer
Reliability | Fault-tolerant architecture ensuring services remain available
Performance Efficiency | Optimised resources for fast, responsive user experiences
Cost Optimisation | Efficient infrastructure keeping costs sustainable
Operational Excellence | Automated operations, monitoring, and continuous improvement
Sustainability | Environmentally responsible cloud practices

Cloud Providers

  • Primary: Amazon Web Services (AWS)
  • Complementary: Microsoft Azure, Google Cloud Platform
  • Uptime Target: 99.99%
  • Data Residency: UK regions exclusively

🔧 Infrastructure as Code (IaC)

Repeatable, Auditable, Secure

  • All cloud infrastructure defined in version-controlled code
  • Every server, database, network configuration, and security rule managed as code
  • Infrastructure changes go through code review and approval processes
  • Complete audit trail of all infrastructure modifications
  • Rapid environment rebuild capability from trusted code templates

Cloud Drift Detection & Monitoring

  • Real-time drift detection comparing live infrastructure against defined templates
  • Immediate alerting for any deviation from expected state
  • Automated remediation restoring secure configurations where appropriate
  • Root cause analysis for every drift event

Environment Segregation

  • Strict production / staging / development segregation — separate AWS accounts per environment
  • No live data in test environments — masked and synthetic datasets used exclusively
  • Restricted production access — production access requires explicit approval, MFA, and is fully logged
  • Production database snapshots access-restricted by IAM policy; no developer direct access
  • Separate encryption keys per environment — a staging key cannot decrypt production data

🔐 Encryption

Data Protection

State | Encryption Standard
In Transit | TLS 1.3 enforced for all connections. TLS 1.2 supported only for legacy compatibility. HSTS enabled. Perfect Forward Secrecy enforced.
At Rest | AES-256-GCM for all stored data. Encryption keys segregated by environment and rotated automatically.

All data encrypted using AES-256-GCM

Key Management

  • All encryption keys managed via AWS Key Management Service (KMS)
  • Automatic key rotation enforced — no manual key handling
  • Strict IAM separation of duties — no single person can access both keys and data
  • Encryption keys segregated by environment — production, staging, and development keys are fully isolated
  • Key usage audited in AWS CloudTrail for every cryptographic operation

Secrets Management

  • All application secrets (API keys, credentials, tokens) stored in AWS Secrets Manager
  • No secrets stored in code repositories — enforced at CI/CD pipeline level
  • Secrets access logged and audited; access revoked immediately on personnel change
  • Runtime secret injection — application containers never hold secrets at rest

🔑 Access Control & Identity Management

Role-Based Access Control (RBAC)

  • Granular permissions assigned based on job function
  • Segregation of duties preventing single points of compromise
  • Easy onboarding/offboarding through role assignment
  • Consistent permission enforcement across all users

Principle of Least Privilege

  • Default-deny posture – access explicitly granted, never assumed
  • Time-bound permissions – elevated access expires automatically
  • Regular access reviews – periodic audits removing unnecessary access
  • Just-in-time access – administrative privileges granted on-demand and logged

🔓 Authentication

Passwordless Sign-In

  • Biometric authentication (fingerprint, facial recognition)
  • Magic links (secure one-time login links)
  • Hardware security keys (FIDO2/WebAuthn compliant)
  • Authenticator app push notifications

Single Sign-On (SSO)

We support the following SSO protocols and identity providers:

Supported protocols

  • SAML 2.0 — service-provider initiated flow
  • OpenID Connect (OIDC) — any OIDC-compliant provider (authorization code flow recommended)
  • OAuth 2.0 — used by OIDC and native providers (e.g. Google sign-in)

Supported identity providers (via SAML/OIDC)

  • Microsoft Entra ID (Azure AD)
  • Google Workspace

Multi-Factor Authentication (MFA)

We support the following second factors:

Supported second factors

  • Authenticator apps (TOTP) — time-based one-time passwords (e.g. Google Authenticator); recommended for higher assurance
  • SMS (phone) codes — one-time codes sent by text message

When users sign in via SSO (e.g. Microsoft Entra ID or Google Workspace), the identity provider can enforce additional factors — such as FIDO2/WebAuthn, conditional access, or organisation-defined policies — according to your IdP configuration.

  • MFA can be required for all users, offered optionally, or required only for sensitive actions or roles
  • Email verification is required before MFA enrolment; email-based codes are used for account recovery only, not as a primary second factor

Account Protection Controls

  • Rate limiting on all authentication endpoints — login, password reset, and OTP endpoints are rate-limited and throttled to block brute-force and credential stuffing attacks
  • WAF rules for credential stuffing — Cloudflare WAF enforces bot-score thresholds and blocks known attack tooling signatures at the network edge
  • Short-lived session tokens — access tokens expire after a short window; refresh token rotation invalidates previous tokens on each use, limiting the blast radius of token theft
  • Concurrent session controls — suspicious parallel sessions from different locations trigger step-up authentication
  • Device binding and risk-based authentication — new or unrecognised devices trigger additional verification; high-risk signals (new location, impossible travel) escalate the authentication requirement
  • Strong MFA for privileged roles — TOTP required for admin and financial roles; for SSO users, IdP policies (e.g. Entra ID, Google Workspace) can enforce FIDO2/WebAuthn or conditional access with no SMS fallback
  • Account lockout and anomaly alerting — repeated failed attempts lock the account and alert the user; security team is notified of patterns consistent with targeted attacks

📝 Audit Logging

Immutable Audit Logs

All user actions and system events captured in tamper-proof storage:

What We Log:

  • User logins, logouts, and failed authentication attempts
  • Data access, modifications, and deletions
  • Permission changes and role assignments
  • System configuration changes
  • API access and third-party integrations
  • Administrative actions and elevated access usage

Immutability Benefits:

  • Forensic integrity for incident investigations
  • Unalterable compliance evidence
  • Insider threat protection
  • Legal admissibility of records

🛡️ Vulnerability Management

Automated Infrastructure Scanning

  • Regular automated vulnerability scanning of all infrastructure
  • Vulnerabilities prioritised, tracked, and remediated according to strict SLAs
  • Continuous hardening against emerging threats

Application Security Testing

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Security testing before every production release

Penetration Testing

  • Annual independent penetration test by external security experts
  • Additional tests triggered after major architectural changes or new high-risk features
  • Critical and high-severity findings receive external retest to confirm remediation
  • Ethical hacking using real-world attack techniques (OWASP, PTES)
  • Continuous automated scanning runs between point-in-time tests
  • Findings addressed under strict SLA before potential exploitation

👨‍💻 Secure Development Practices

OWASP Top 10 Compliance

Protection against all major web application security risks:

  • Injection attacks (SQL, NoSQL, command injection)
  • Broken authentication and session management
  • Sensitive data exposure
  • Cross-site scripting (XSS) and request forgery
  • Security misconfigurations
  • Vulnerable components
  • Insufficient logging

CI/CD Security Pipeline

Automated security analysis integrated into development workflow:

  • Source code vulnerability scanning before deployment
  • Dependency monitoring for outdated or insecure components
  • Container and IaC misconfiguration detection
  • Licence compliance verification
  • Secrets detection preventing credential exposure
  • Automatic deployment blocking when issues detected

Secure Coding Standards

  • Developer security awareness training
  • Security reviews embedded in code review process
  • Shift-left security approach catching issues early

🖥️ Security Monitoring

Security Information & Event Management (SIEM)

Centralised security visibility and threat detection:

Capability | Description
Log Aggregation | Real-time collection and normalisation from all systems
Correlation Engine | Pattern identification across related events
Threat Detection | Behavioural analytics and threat intelligence
Automated Alerting | Immediate notifications for security events
Incident Timeline | Complete event reconstruction for investigations
Compliance Reporting | Audit-ready reports for regulatory requirements

Real-Time Monitoring

  • Anomalous login patterns (unusual times, locations, devices)
  • Privilege escalation attempts
  • Data exfiltration indicators
  • Brute force and credential stuffing attacks — rate limiting and WAF rules enforced
  • Suspicious API usage patterns
  • Infrastructure and application anomalies
  • Transaction anomaly detection — flags unusual financial patterns for fraud and safeguarding indicators on wallet top-ups and payments

24/7 Threat Detection

  • Continuous monitoring around the clock
  • Security team response to identified threats
  • Proactive threat hunting

🔄 Business Continuity

Recovery Objectives

Objective | Target | Description
RTO (Recovery Time Objective) | < 4 hours | Maximum time to restore full service following a critical failure
RPO (Recovery Point Objective) | < 1 hour | Maximum acceptable data loss window; backups run at least hourly
Uptime Target | 99.99% | Equates to less than 52 minutes downtime per year

Backup & Recovery

  • Automated backups with geographic redundancy within UK regions
  • Backup data encrypted with the same AES-256-GCM standard as live data
  • Backup access restricted by IAM policy — separate from production access roles
  • Regular disaster recovery procedure testing with documented results
  • Environment restoration from Infrastructure as Code within minutes

Incident Response

  • Documented incident response plan tested quarterly
  • Defined severity classifications with escalation paths and SLA response times
  • Transparent customer communication protocols — affected schools notified within 72 hours for data incidents
  • ICO notification within 72 hours where required under UK GDPR
  • Root cause analysis and lessons learned processes for every P1/P2 incident

♿ Accessibility – WCAG 2.2 AA

We are committed to making Payments by iAntz accessible to everyone, including users with disabilities. Our platform is designed and developed to meet WCAG 2.2 Level AA standards, ensuring an inclusive experience for all parents, school staff, and administrators.

Our Accessibility Commitments

Principle | What We Do
Perceivable | Text alternatives for images, captions for media, sufficient colour contrast, and content that adapts to different screen sizes
Operable | Full keyboard navigation, no time-limited interactions, clear focus indicators, and skip navigation links
Understandable | Clear language, consistent navigation, predictable behaviour, and helpful error messages with suggestions
Robust | Semantic HTML, ARIA attributes, compatibility with assistive technologies including screen readers

Key Accessibility Features

  • Fully keyboard-navigable interface with visible focus states
  • Screen reader compatible with appropriate ARIA labels and landmarks
  • Colour contrast ratios meeting WCAG AA minimum requirements
  • Responsive design adapting to zoom levels up to 400%
  • Respects user preferences for reduced motion
  • Descriptive alt text for all meaningful images
  • Form inputs with clear labels, instructions, and error identification
  • Consistent and predictable navigation across all pages

👥 Staff Security

  • Security awareness training for all team members
  • Enhanced Disclosure and Barring Service (DBS) checks for all personnel with access to school or children's data
  • Strict confidentiality agreements
  • Regular security updates and briefings
  • Admin accounts enforced to use strong MFA
  • Insider threat controls — user behaviour analytics flagging anomalous data access patterns

🏫 Safeguarding & Children's Data

iAntz processes data relating to children, including identities, financial transaction history, and potentially sensitive inferences such as Free School Meal status. We treat this data with the highest level of care.

  • Data Protection Impact Assessments (DPIAs) conducted for all high-risk processing activities, particularly those involving children's data
  • Transaction anomaly detection for fraud indicators and financial safeguarding signals
  • Sensitive inferred data (e.g. FSM status) handled with additional access restrictions and audit controls
  • Parental consent flows and age-appropriate data minimisation built into product design
  • Regular safeguarding reviews with school DPO guidance considered in policy design
  • No behavioural profiling of minors for commercial purposes

Enhanced Safeguarding Logging

Automated alerts are triggered by patterns that may indicate insider misuse or data boundary violations:

  • Bulk export or mass download of pupil or parent records
  • Repeated access to individual pupil records outside normal usage patterns
  • Staff accessing data beyond their school, year group, or role scope
  • Access attempts outside normal working hours or from unrecognised locations
  • All alerts routed to the security SIEM with mandatory review and documented outcome

School Role Design & Least Privilege

Roles are pre-modelled around how schools actually operate — not generic IT roles:

  • Purpose-built roles for Finance Officer, Class Teacher, School Admin, and MAT Central Team
  • All roles are least-privilege by default — access is scoped to the minimum required for each function
  • MATs can enforce central access policies across all schools in their trust, including MFA requirements and role ceilings
  • School-level data is isolated per school; cross-school access requires explicit MAT-level authorisation
  • Role assignments logged and subject to periodic access review

Data Sharing Boundaries

  • We never sell, rent, or share pupil or parent data with third parties for commercial purposes
  • No third-party advertising trackers in the application — verified by design and reviewed at each release
  • Pupil and parent data is used solely to deliver and improve the iAntz service for that school
  • No data is shared with other schools, trusts, or public bodies without explicit consent or lawful basis
  • Analytics used internally only, on aggregated and anonymised data, never at individual pupil level

🗑️ Data Retention & Secure Deletion

  • Defined retention schedules aligned with UK education sector guidance and GDPR requirements
  • Secure deletion using cryptographic erasure — encryption keys destroyed, rendering data permanently inaccessible when it reaches end of life
  • Parent and guardian data deletion requests fulfilled within statutory timeframes
  • Account closure triggers immediate data minimisation and scheduled deletion workflow
  • Backup data subject to the same retention and deletion policies as live data
  • Deletion audit trail maintained in immutable logs for regulatory evidence

📊 Summary Table

Category | Measures
Standards & Frameworks | ISO 27001, ISO 42001, NIST CSF 2.0, GDPR, Cyber Essentials Plus, WCAG 2.2 AA
Data Residency | Core platform on AWS UK (London); third-party processors contractually restricted to UK/EU regions via DPAs and SCCs; full subprocessor list disclosed on this page
Infrastructure | AWS Well-Architected, Infrastructure as Code, Drift Monitoring, Environment Segregation
Encryption | AES-256-GCM at rest; TLS 1.3 enforced in transit; HSTS; Perfect Forward Secrecy
Key Management | AWS KMS with automatic rotation; IAM separation of duties; per-environment key isolation
Secrets Management | AWS Secrets Manager; no secrets in code repositories; runtime injection only
Access Control | RBAC, Least Privilege, Just-in-Time Access, Default-Deny
Authentication | SSO (SAML 2.0 / OIDC), TOTP, SMS; FIDO2/WebAuthn via SSO IdP when configured; magic links; email recovery only; rate limiting; WAF; short-lived tokens with refresh rotation; device binding; risk-based auth; strong MFA for privileged roles
Payments & PCI-DSS | No card data stored; tokenised workflows via PCI-DSS Level 1 providers; immutable transaction ledger; automated reconciliation; velocity limits; top-up anomaly detection; chargeback monitoring; duplicate prevention; segregated refund authorisation
Audit & Logging | Immutable Audit Logs; full action tracking; transaction anomaly detection
Development Security | OWASP Top 10, CI/CD Security Scanning, Secure Coding, Secrets Detection
Vulnerability Management | Annual + change-triggered independent pen testing; external retest on critical findings; continuous automated scanning; dependency monitoring
Monitoring & Detection | SIEM, 24/7 Threat Detection, Real-time Alerting, Behaviour Analytics
Business Continuity | RTO <4h, RPO <1h; Automated Backups; Disaster Recovery Tested Quarterly
Safeguarding & Children's Data | DPIAs; enhanced insider-access logging; school role pre-modelling; MAT central policy enforcement; no ad trackers; no data sold or shared commercially
Data Retention & Deletion | UK education-aligned schedules; cryptographic erasure; GDPR deletion request fulfilment
AI Governance | ISO 42001; no PII used to train models; prompts anonymised; DPIAs for AI use cases
Responsible Disclosure | Public policy; compliance@iantz.com; 2-day acknowledgement SLA
Accessibility | WCAG 2.2 AA, Keyboard Navigation, Screen Reader Support, Reduced Motion
Staff Security | DBS Checks, Security Training, Confidentiality Agreements, Insider Threat Controls

Our Data Processors

At iAntz, we are committed to transparency about how we handle your data. We work with carefully selected third-party service providers (data processors) to deliver our platform securely and efficiently. All processors are vetted for their security practices and compliance with UK data protection regulations.

Cloud Infrastructure

Processor | Purpose | Data Processed | Location | Compliance
Amazon Web Services (AWS) | Cloud infrastructure, database hosting, secure storage, AI services, and application delivery | Application data, encrypted backups, system logs | UK (London region) | ISO 27001, SOC 2, GDPR compliant with UK data processing agreement in place
Google Cloud Platform | Cloud infrastructure, compute services, and AI services | Application data, system logs | EU/UK data processing | ISO 27001, SOC 2, GDPR compliant with data processing agreement in place
Microsoft Azure | Cloud infrastructure, business productivity, collaboration, identity services, and AI services | Application data, internal business communications and documents | UK data centres | ISO 27001, SOC 2, GDPR compliant with UK data processing agreement

Authentication & Identity

Processor | Purpose | Data Processed | Location | Compliance
Google | Secure user authentication and identity management | Authentication credentials, user identifiers | EU/UK data processing | GDPR compliant with data processing agreement in place
Apple | Social sign-in authentication | User identifiers, email address (may be anonymised by Apple) | EU/UK data processing | GDPR compliant
Facebook (Meta) | Social sign-in authentication | User identifiers, email address, profile information | EU/UK data processing | GDPR compliant with data processing agreement in place

Payment Processing & PCI-DSS Scope

iAntz does not store, process, or transmit full cardholder data. All payments are processed via PCI-DSS Level 1 certified providers using tokenised workflows and hosted checkout pages. Card numbers, CVVs, and full PANs never enter our systems. This minimises our PCI-DSS scope and eliminates the most significant category of payment data risk.

Processor | Purpose | Data Processed | Location | Compliance
Adyen | Secure payment processing for transactions | Payment information, transaction records | UK/EU | PCI-DSS Level 1 certified, GDPR compliant
Square | Secure payment processing for transactions | Payment information, transaction records | UK/EU | PCI-DSS Level 1 certified, GDPR compliant
Stripe | Secure payment processing for transactions and wallet top-ups | Payment information, transaction records | UK/EU | PCI-DSS Level 1 certified, GDPR compliant
PayPal | Secure payment processing and alternative payment methods | Payment information, transaction records | UK/EU | PCI-DSS certified, GDPR compliant
Worldpay | Secure payment processing for transactions | Payment information, transaction records | UK/EU | PCI-DSS Level 1 certified, GDPR compliant
Ozone API | Open banking platform for account-to-account payments and secure data sharing | Payment information, transaction records, account data | UK/Global | Open banking standards compliant (UK, PSD2, FDX, CDS), GDPR compliant

Payment Integrity & Fraud Controls

Immutable ledger & reconciliation:

  • Every payment event (initiation, authorisation, settlement, refund, dispute) is written to an append-only, tamper-evident transaction ledger — records cannot be modified or deleted after creation
  • Automated reconciliation runs on every settlement cycle, comparing internal ledger balances against provider statements; discrepancies trigger immediate alerts and hold for manual review
  • Full double-entry audit trail: every wallet credit and debit is traceable to its originating payment event, payer, and authorising user
  • Schools and MATs can export immutable transaction records at any time for their own financial governance

Fraud & abuse controls:

  • Velocity limits — configurable per-wallet, per-user, and per-school caps on spend and top-up amounts within defined time windows
  • Unusual top-up detection — anomalous top-up patterns (frequency, amount, device, or payment method changes) trigger step-up verification or temporary hold
  • Chargeback monitoring — chargebacks and disputes are tracked across providers; elevated rates for any school or payment method trigger a review and tighter velocity controls
  • Duplicate payment detection — idempotency keys prevent accidental double charges; duplicate submission within a time window is rejected automatically
  • Refund authorisation controls — refunds require a separate authorised role; a Finance Officer cannot both initiate and approve a refund above a configurable threshold
  • All fraud signals feed into the SIEM alongside security events for correlated alerting
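The ledger, duplicate-detection, velocity-limit and refund-authorisation controls listed above, shown together as an added illustrative example. This is hypothetical code, not iAntz's implementation; the class names, thresholds, wallet ids, idempotency keys and timestamps are all constructed assumptions.

```python
"""Payment-integrity controls: tamper-evident ledger, idempotency keys,
per-wallet velocity limits and refund dual authorisation.
Hypothetical example, not iAntz's implementation; class names, limits,
wallet ids, idempotency keys and timestamps are constructed sample values."""
import hashlib
import json
from collections import defaultdict, deque
from dataclasses import asdict, dataclass

GENESIS = "0" * 64  # prev_hash of the first ledger entry


def _digest(body: dict) -> str:
    # Canonical JSON so the hash does not depend on field order.
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


@dataclass(frozen=True)
class LedgerEntry:
    seq: int
    event: str         # "top_up" or "refund"
    wallet: str
    amount_pence: int  # negative for refunds
    actor: str         # user who authorised the event
    ts: int            # unix seconds
    prev_hash: str     # digest of the previous entry (hash chain)
    digest: str


class Ledger:
    """Append-only: each entry commits to its predecessor's digest, so editing
    or removing a historic record makes verify() fail."""
    def __init__(self):
        self.entries: list[LedgerEntry] = []

    def append(self, event, wallet, amount_pence, actor, ts) -> LedgerEntry:
        prev = self.entries[-1].digest if self.entries else GENESIS
        body = {"seq": len(self.entries), "event": event, "wallet": wallet,
                "amount_pence": amount_pence, "actor": actor, "ts": ts,
                "prev_hash": prev}
        entry = LedgerEntry(**body, digest=_digest(body))
        self.entries.append(entry)
        return entry

    def verify(self) -> bool:
        prev = GENESIS
        for entry in self.entries:
            body = asdict(entry)
            digest = body.pop("digest")
            if body["prev_hash"] != prev or _digest(body) != digest:
                return False
            prev = digest
        return True


class PaymentGuard:
    """Applies the fraud controls before anything reaches the ledger."""
    def __init__(self, ledger, idem_window_s=600, velocity_cap_pence=20_000,
                 velocity_window_s=3600, dual_auth_pence=5_000):
        self.ledger = ledger
        self.idem_window_s = idem_window_s
        self.velocity_cap_pence = velocity_cap_pence
        self.velocity_window_s = velocity_window_s
        self.dual_auth_pence = dual_auth_pence
        self._seen = {}                    # idempotency key -> first submission ts
        self._recent = defaultdict(deque)  # wallet -> deque of (ts, amount_pence)

    def top_up(self, idem_key, wallet, amount_pence, actor, ts) -> str:
        # Duplicate detection: the same idempotency key resubmitted inside the
        # window is rejected instead of charging the card twice.
        first = self._seen.get(idem_key)
        if first is not None and ts - first < self.idem_window_s:
            return "duplicate"
        self._seen[idem_key] = ts
        # Velocity limit: sliding-window sum of accepted top-ups per wallet.
        window = self._recent[wallet]
        while window and ts - window[0][0] >= self.velocity_window_s:
            window.popleft()
        if sum(a for _, a in window) + amount_pence > self.velocity_cap_pence:
            return "velocity_hold"  # held for step-up verification / review
        window.append((ts, amount_pence))
        self.ledger.append("top_up", wallet, amount_pence, actor, ts)
        return "accepted"

    def refund(self, wallet, amount_pence, initiator, approver, ts) -> str:
        # Separation of duties: above the threshold the approver must be a
        # different person from the initiator.
        if amount_pence > self.dual_auth_pence and initiator == approver:
            return "rejected_separation_of_duties"
        self.ledger.append("refund", wallet, -amount_pence, approver, ts)
        return "accepted"
```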

Sales, Marketing & Customer Service

Processor | Purpose | Data Processed | Location | Compliance
HubSpot | Customer relationship management, marketing communications, and customer support | Contact information, communication history, support enquiries | EU data hosting | ISO 27001, SOC 2, GDPR compliant with data processing agreement in place

Website & Network Security

Processor | Purpose | Data Processed | Location | Compliance
Cloudflare | Website hosting, content delivery, DDoS protection, and Zero Trust network access | Web traffic data, access logs | UK/EU with data localisation | ISO 27001, SOC 2, GDPR compliant

Our Commitments

  • UK Data Residency – All personal data is processed and stored within the United Kingdom wherever possible
  • Data Processing Agreements – We maintain formal agreements with all processors ensuring your data is protected
  • Regular Reviews – We periodically review our processors to ensure they continue to meet our security and privacy standards
  • Minimal Data Sharing – We only share the data necessary for each processor to perform their specific function

🔍 Responsible Disclosure

We believe in working with the security community to protect our users. If you believe you have discovered a security vulnerability in our platform, we encourage responsible disclosure.

  • Report vulnerabilities to compliance@iantz.com
  • We commit to acknowledging receipt within 2 business days
  • We commit to providing a resolution timeline within 10 business days
  • We will not take legal action against researchers acting in good faith
  • We ask that you do not access, modify, or exfiltrate user data during research

Security & Compliance Enquiries

For security-related enquiries, vulnerability disclosures, DPO questions, or to request our penetration test summary report, contact us by email or phone:

compliance@iantz.com · 01509 462745

School DPOs are welcome to request our DPIA summaries and data processing documentation for due diligence purposes.