Built for regulated trade operations
Our customers trust us with position books, counterparty data, trade documents, and payment rails. Security is a daily discipline — not a compliance checkbox — and we document it in the same detail we expect from any serious software partner.
How we keep your data safe
Six control families — documented, implemented, and reviewed against the ISO 27001 Annex A framework.
Data protection
Customer data encrypted at rest and in transit across opsPhlo, finPhlo, tradePhlo, customs-compliance.ai, and xPhlo. Tenant data is logically partitioned; keys are managed centrally and rotated on a schedule.
Access & identity
SSO via Microsoft Entra ID (delivered for Sunbeth, SFI, and others), MFA, role-based access control, and granular audit logging. Guest access is time-boxed and fully auditable.
Monitoring & response
Security event logging across platform and infrastructure. Anomaly detection on sensitive workflows (payments, document changes, user provisioning). Defined incident-response playbook with stakeholder notification SLAs.
Secure development
Every change is peer-reviewed, CI-tested, and deployed through audited pipelines. Secrets live in managed vaults — never in code. Dependency and container scanning run on every build.
Data residency & retention
UK and EU data residency options. Documented retention and deletion policies aligned to UK GDPR. Customer-owned data is exportable at any time, in standard formats.
Business continuity
Automated backups with tested restore. Multi-region failover for hosted production workloads. Documented RPO and RTO targets shared with enterprise customers under NDA.
Certifications & roadmap
What's live today and what we're adding, with honest dates.
ISO 27001 implementation
Working with an external implementation partner since April 2026. Scope covers opsPhlo, tradePhlo, finPhlo, and xPhlo — a full Stage-1/Stage-2 audit is targeted for mid-2026.
Regulated-environment heritage
Selected for the UK FCA regulatory sandbox and the Deutsche Bank trade-finance accelerator. Our core workflows have been built and stress-tested under direct regulatory and institutional oversight.
Enterprise SSO & tenant controls
Microsoft Entra ID SSO is in production for customers including Sunbeth and SFI. Tenant administrators own their own user provisioning, role assignment, and audit export.
Third-party penetration testing
Annual independent penetration testing begins alongside the ISO 27001 audit. A summary report is available to enterprise customers under NDA.
SOC 2 Type II readiness
Assessment scoped for 2027 for US enterprise customers that require SOC 2 in addition to ISO 27001. Tracking ahead of committed customer deadlines.
Responsible disclosure
If you believe you've found a vulnerability in any Phlo product, email security@phlo.io. We aim to acknowledge reports within one business day and will keep you informed through triage, fix, and disclosure.
We don't currently run a paid bug-bounty programme, but we credit researchers who follow responsible disclosure in our release notes and, on request, in LinkedIn posts. We will not pursue legal action against good-faith security research that stays within scope.
Running security due diligence?
We're used to SIG Lite, CAIQ, and bespoke enterprise questionnaires. Get in touch and we'll route you to the right contact and the latest document pack.
Talk to our security team