Security & Trust

Enterprise-grade security for your most sensitive data.

CSP Software handles UBO registers, beneficial ownership data, and fiduciary information on behalf of some of the world's most demanding corporate service providers. Our security posture reflects that responsibility.

SOC 2 Type II Attested
ISO 27001 Aligned
AES-256 Encryption
GDPR Compliant
99.98% uptime SLA, financially backed
AES-256 encryption at rest, TLS 1.3 in transit
Zero security breaches since founding in 2021
Certifications & Standards

Every major standard, with our status against each stated plainly.

We pursue certifications as a discipline, not a sales tool. Every standard below reflects operational reality, not marketing copy.

SOC 2 Type II
AICPA SOC 2 Type II attestation. Annual third-party audits verify the security, availability and confidentiality controls. The audit report is available to enterprise clients under NDA.
GDPR Compliant
Full compliance with EU General Data Protection Regulation. Data sovereignty options available for UK and EU clients. DPA available on request.
ISO 27001 Aligned
Information security management aligned to ISO 27001 standards. Full certification in progress for Q4 2026.
CCPA Compliant
California Consumer Privacy Act compliance for US-based clients and data subjects. Privacy-by-design implementation throughout the platform.
PCI DSS Aware
Payment card industry standards are observed for invoice and payment flows; the card processing itself is handled by PCI DSS-certified payment processors rather than by the platform.
UK GDPR
Full compliance with UK GDPR post-Brexit. Separate UK data residency available for clients requiring UK-only data storage.
FATF Alignment
AML and counter-terrorist financing controls aligned with FATF recommendations for CSPs and trust service providers operating across member jurisdictions.
MAS TRM
Monetary Authority of Singapore Technology Risk Management guidelines observed for Singapore-based operations and clients requiring MAS-compliant hosting.
Infrastructure

Built for the demands of regulated financial services

Every architectural decision is made through the lens of a CSP's regulatory obligations — not a generic SaaS deployment checklist.

Data Encryption
AES-256 at rest. TLS 1.3 in transit.
All data is encrypted at rest using AES-256 and in transit using TLS 1.3. Encryption at rest means that compromise of physical media (lost, stolen or improperly decommissioned disks and backups) does not expose your data; it does not replace the access controls described below, which govern what an authenticated user can reach. Encryption keys are managed through a dedicated Key Management Service with automated rotation on a defined schedule, so there is no manual key handling and no single point of compromise.
AES-256 at rest · TLS 1.3 in transit · Automated key rotation · KMS-managed
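What "KMS-managed keys with automated rotation" usually means in practice is envelope encryption: each record is encrypted under its own data-encryption key (DEK), the DEK is wrapped by a key-encryption key (KEK) that the KMS holds, and rotating the KEK only re-wraps DEKs rather than re-encrypting the data. The Go sketch below is an added example written for this page, not CSP Software's own code (the page does not show its implementation); the `KMS`, `Record`, `Wrap`/`Unwrap` and `Rewrap` names, the in-memory key store and the `kek-v<n>` version tag are this example's assumptions, and the sample plaintext is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure there is fatal.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// gcm builds AES-GCM; every key in this file is 32 bytes (AES-256), so a
// construction error is a programming bug rather than a runtime condition.
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return g
}

// seal returns nonce || ciphertext || tag; unseal reverses it and fails on any
// change to the blob or on a mismatch of the additional authenticated data.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

func unseal(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// KMS stands in for a managed Key Management Service: one key-encryption key
// (KEK) per version, and an API that only wraps or unwraps data keys. Assumed
// for this example: KEKs live in memory; a real KMS never releases them.
type KMS struct{ keks [][]byte } // keks[v-1] is KEK version v
// Rotate generates a fresh KEK and makes it current; older versions are kept so
// that data keys wrapped under them stay readable until they are re-wrapped.
func (k *KMS) Rotate()      { k.keks = append(k.keks, randomBytes(32)) }
func (k *KMS) Current() int { return len(k.keks) }

// Wrap encrypts a DEK under the current KEK (Rotate must have run at least once),
// binding the version into the AAD so a blob cannot be passed off as another version's.
func (k *KMS) Wrap(dek []byte) (int, []byte) {
	v := k.Current()
	return v, seal(k.keks[v-1], dek, []byte(fmt.Sprintf("kek-v%d", v)))
}

func (k *KMS) Unwrap(version int, blob []byte) ([]byte, error) {
	if version < 1 || version > len(k.keks) {
		return nil, fmt.Errorf("KEK version %d unknown or retired", version)
	}
	return unseal(k.keks[version-1], blob, []byte(fmt.Sprintf("kek-v%d", version)))
}

// Record is one stored row: the payload encrypted under its own data-encryption
// key (DEK), plus that DEK wrapped by the KEK version named in KEKVersion.
type Record struct {
	KEKVersion int
	WrappedDEK []byte
	Ciphertext []byte
}

// Encrypt draws a per-record DEK, encrypts the payload with it and wraps the DEK.
func Encrypt(k *KMS, plaintext []byte) *Record {
	dek := randomBytes(32)
	v, wrapped := k.Wrap(dek)
	return &Record{KEKVersion: v, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}

func Decrypt(k *KMS, r *Record) ([]byte, error) {
	dek, err := k.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, r.Ciphertext, nil)
}

// Rewrap moves a record to the current KEK by unwrapping and re-wrapping only its
// DEK; the bulk ciphertext is untouched, which is what makes scheduled rotation cheap.
func Rewrap(k *KMS, r *Record) error {
	dek, err := k.Unwrap(r.KEKVersion, r.WrappedDEK)
	if err != nil {
		return err
	}
	r.KEKVersion, r.WrappedDEK = k.Wrap(dek)
	return nil
}
```

The point a reviewer checks is the one `Rewrap` makes explicit: after `Rotate`, a record's `Ciphertext` is byte-for-byte unchanged and only `WrappedDEK`/`KEKVersion` move, so a rotation schedule costs one small AEAD operation per record rather than a full re-encryption of the database. Retiring an old KEK version is safe only once every record has been re-wrapped, which is why the version is stored next to the row and checked on every unwrap.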
Access Controls
Granular RBAC with full audit trail.
Role-based access control (RBAC) with multi-factor authentication enforced on every user account. Granular permissions let you control exactly what each staff member can see, edit and export. Every action is written to an append-only audit trail recording who accessed what, when, and from where. Audit records are tamper-evident and retained for the period required by your jurisdiction's regulatory framework.
MFA enforced · Granular RBAC · Immutable audit log · SSO support
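"Tamper-evident" is a checkable property, not a label: each audit record carries a seal over its own fields plus the seal of the record before it, so editing, deleting or reordering any record breaks the chain. The Go example below is added here to show that check and its one blind spot; it is not CSP Software's logging code (the page does not describe the format), the `Entry`/`Log` layout, JSON canonicalisation and HMAC-SHA256 sealing are this example's choices, and the key and events are constructed.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
)

// Entry is one audit event: who did what, to which object, when and from where.
// Prev links it to the previous entry's seal; Seal is an HMAC over all other fields.
type Entry struct {
	Seq      int    `json:"seq"`
	Actor    string `json:"actor"`
	Action   string `json:"action"`
	Object   string `json:"object"`
	At       string `json:"at"`
	SourceIP string `json:"ip"`
	Prev     string `json:"prev"`
	Seal     string `json:"seal"`
}

// Log is an append-only hash chain. Assumed for this example: the sealing key is
// an in-memory byte slice; in production it sits in a KMS or HSM so that a
// compromised application host cannot forge seals.
type Log struct {
	key     []byte
	entries []Entry
}

const genesis = "genesis" // Prev value of the very first entry

func NewLog(key []byte) *Log { return &Log{key: key} }

// sealOf is HMAC-SHA256 over the canonical JSON of the entry with Seal blanked,
// so every field, including Prev and Seq, is bound into the seal.
func (l *Log) sealOf(e Entry) string {
	e.Seal = ""
	b, _ := json.Marshal(e) // only scalar fields, so Marshal cannot fail
	m := hmac.New(sha256.New, l.key)
	m.Write(b)
	return hex.EncodeToString(m.Sum(nil))
}

// Head returns the seal of the newest entry, which is what an external anchor
// (WORM storage, a notary, a client receipt) should record.
func (l *Log) Head() string {
	if len(l.entries) == 0 {
		return genesis
	}
	return l.entries[len(l.entries)-1].Seal
}

// Append records an event and returns the new chain head.
func (l *Log) Append(actor, action, object, at, ip string) string {
	e := Entry{Seq: len(l.entries) + 1, Actor: actor, Action: action,
		Object: object, At: at, SourceIP: ip, Prev: l.Head()}
	e.Seal = l.sealOf(e)
	l.entries = append(l.entries, e)
	return e.Seal
}

// Verify walks the chain and reports the first inconsistency. An edited, removed
// or reordered entry breaks the chain by itself; dropping the newest entries does
// not, which is why anchoredHead must be compared as well (pass "" to skip).
func (l *Log) Verify(anchoredHead string) error {
	prev := genesis
	for i, e := range l.entries {
		if e.Seq != i+1 {
			return fmt.Errorf("entry %d: expected seq %d, got %d (gap or reorder)", i, i+1, e.Seq)
		}
		if e.Prev != prev {
			return fmt.Errorf("entry %d: prev link does not match previous seal", i)
		}
		if !hmac.Equal([]byte(e.Seal), []byte(l.sealOf(e))) {
			return fmt.Errorf("entry %d: seal mismatch, contents modified", i)
		}
		prev = e.Seal
	}
	if anchoredHead != "" && !hmac.Equal([]byte(prev), []byte(anchoredHead)) {
		return fmt.Errorf("chain head differs from anchored head: newest entries truncated")
	}
	return nil
}

// Clone deep-copies the log so a caller can tamper with a copy for testing.
func (l *Log) Clone() *Log {
	return &Log{key: l.key, entries: append([]Entry(nil), l.entries...)}
}

func main() {
	l := NewLog([]byte("constructed-demo-key")) // constructed key and events, not real data
	l.Append("alice", "view", "ubo/1234", "2025-01-01T10:00:00Z", "10.0.0.5")
	head := l.Append("bob", "export", "ubo/1234", "2025-01-01T10:05:00Z", "10.0.0.9")
	fmt.Println("intact:", l.Verify(head))
	l.entries[0].Actor = "mallory"
	fmt.Println("edited:", l.Verify(head))
}
```

The caveat worth asking any vendor about is the last check in `Verify`: a chain that has simply been cut short still verifies internally, so "tamper-evident" only covers truncation if the current head is periodically written somewhere the log's own administrators cannot rewrite.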
Infrastructure Resilience
N+1 redundancy. 99.98% uptime SLA.
Hosted on ISO 27001-certified cloud infrastructure with N+1 redundancy across multiple availability zones. Real-time replication with automatic failover means that no single infrastructure failure affects platform availability. The 99.98% uptime SLA is backed by financial service credits. For disaster recovery the targets are a 15-minute RPO (at most 15 minutes of committed data lost in the worst case) and a 1-hour RTO (service restored within one hour); DR tests are run annually and the results shared with enterprise clients.
Multi-AZ redundancy · Auto-failover · 15-min RPO · 1-hour RTO
Penetration Testing
Annual CREST-accredited pen tests.
Annual independent penetration tests are conducted by CREST-accredited firms working black-box, with no prior access to source code or architecture documentation. Continuous vulnerability scanning with prompt patch deployment runs alongside the annual tests. Critical vulnerabilities are remediated within 24 hours of identification and the fix independently verified. Reports are available to enterprise clients under NDA as part of the security review process.
CREST-accredited firms · Annual pen test · 24-hr critical patch SLA · Reports under NDA
Data Handling & Residency

Your data. Your jurisdiction. Your control.

We give you full control over where your data lives, how long it's kept, and what happens when you leave.

UK & EU Residency
Data stored in UK and EU-based data centres by default. Compliant with UK GDPR and EU GDPR data residency requirements. Geographic isolation available on request for Enterprise clients requiring jurisdiction-specific storage.
Data Portability
Full data export in standard formats (CSV, JSON, PDF) at any time. No lock-in. Your data belongs to you: a complete export is delivered within 24 hours of a request, and once you leave no copy remains in our systems unless we are legally required to retain it.
Retention & Deletion
Configurable data retention policies aligned to your regulatory obligations. Secure deletion of personal data within 30 days of client offboarding. Deletion certificates available for enterprise clients requiring documented proof of data removal.
Responsible Disclosure

Security Disclosure

If you believe you have found a security vulnerability in CSP Software, please report it to our security team immediately. We take all reports seriously and commit to responding within 24 hours. We follow responsible disclosure principles and work collaboratively with researchers to resolve issues before any public disclosure.

All valid reports are acknowledged, investigated, and resolved within our published SLA windows. We do not pursue legal action against researchers who disclose in good faith and in accordance with our policy.

info@cspsoftware.com
Response Commitment
We respond to all security disclosures within 24 hours of receipt. Critical vulnerabilities are escalated immediately to our security engineering team with a patch target of 24 hours from verification.
Responsible Disclosure Policy
We ask that researchers give us reasonable time to investigate and remediate before public disclosure. We will not take legal action against researchers acting in good faith within the scope of our policy.
Bug Bounty Programme (Q3 2026)
A formal bug bounty programme with defined scope, reward tiers, and rules of engagement is scheduled for launch in Q3 2026. Researchers who disclose before launch will be recognised in our hall of fame.
Request a Demonstration

Move your entity portfolio to infrastructure built for regulated financial services.

Request a demonstration and we will walk you through our security architecture, data residency options, and compliance posture in detail.

SOC 2 report available under NDA  ·  Security review calls available for enterprise prospects