Thousands of users entrust Changefirst with their data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure that customer and user data is protected.

Information Security

As part of Changefirst’s continuing improvement for the confidentiality, quality and availability of the information assets we may store and process, Changefirst maintain an Information Security Management System (ISMS) and are ISO 27001 certified; externally audited. The Changefirst Information Security Policy provides further information in this area.

Personal Data

Personal information a user enters in online services provided by Changefirst is used for contacting users should they have a support query. Changefirst collects the following Personal Data from users for us to provide our service:

  • First Names
  • Last Names
  • Email address
  • Location (Country)
  • IP address

Further details can be found in the following Changefirst policy documents:

Changefirst provide some Q&As relating to data protection towards the end of this document.

Technical and organisational security measures

Changefirst document a set of technical and organisational security measures in the following areas: access control to premises/facilities/systems/data, disclosure control, input control, job control, availability control and segregation control. This information can be provided to our potential/existing customers upon request.



Online services provided by Changefirst are hosted on secure servers located in the European Union using Amazon Web Services (AWS). Only authorized Changefirst personnel have access to these servers.

  • SSL/TLS encryption: The service uses SSL/TLS protocol during transmission over public networks such as the internet. This ensures that user data in transit is safe, secure, and available only to intended recipients.
  • User authentication: User data is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user accesses the services. Changefirst authorises users through OAuth (open authentication), through the application of OAuth tokens to authenticate the user. (Legacy user account holders are authenticated through the issuing of a session cookie (see the Changefirst Cookie Policy for more information) to record encrypted authentication information for the duration of a specific session.
  • User passwords: User application passwords have minimum complexity requirements. Passwords must meet the following guidelines:
    • be at least eight characters and no more than 20 characters in length
    • contain at least one lowercase letter [a-z]
    • contain at least one uppercase letter [A-Z]
    • contain at least one number [0-9] or contain special characters: ! @ # $ % ^ & * ( ) + ?
  • Data encryption: Certain sensitive user data such as account passwords are stored in an encrypted format. Client data is encrypted at all times when in transit.
  • Data portability: users can export your data from our system in a variety of formats so that you can back it up, or use it with other applications.
  • Privacy: The Changefirst Privacy Policy aims to provide transparency of how Changefirst handle customer and user data.

Data Hosting

Changefirst uses the Amazon Cloud Computing Platform ‘Amazon Web Services’ (AWS) to provide customers with secure, reliable and high-performance experience when using Changefirst online services. The AWS infrastructure includes facilities, network, and hardware as well as some operational software that supports the provisioning and use of these resources. This infrastructure is designed and managed according to security best practice as well as a variety of security compliance standards. More information can be found at

Software development practices

Our engineers use best practices and industry-standard secure coding guidelines and procedures to ensure secure coding. These are outlined in the Changefirst SDLC Security Policy.

User responsibilities

Keeping user data secure also depends on maintaining the security of user accounts by using sufficiently complicated passwords, stored securely. Users of the services should also ensure that they have sufficient security on their own systems, to keep any data downloaded to a local device away from prying eyes.

Question & Answer examples

Data Protection

Please read our Data Protection Policy. Some sample questions we have been asked in the past:

  1. Does your organization have documented processes and procedures to receive and respond to privacy complaints and inquiries in a timely manner (including those from regulatory authorities)? Yes
  2. Does your organization have documented processes and procedures for handling individual rights requests (e.g., access, correction, portability, erasure) and processing them in a timely manner? Yes
  3. Does your organization collect the minimum necessary/minimum amount of personal information required to fulfil services of the contract? Yes
  4. Does your organization have an organizational privacy policy which is regularly reviewed for compliance with applicable laws and regulations? Yes,
  5. Does your organization have a designated privacy official (e.g. Chief Privacy Officer, Data Protection Officer) or office responsible for privacy compliance, including the development of enterprise-wide policies and procedures to safeguard the privacy of individuals consistent with laws and regulations? Yes, a Data Protection lead – contact
  6. Does your organization have documented processes and procedures to consider privacy requirements in the design of new or updated systems, software, hardware or business processes (e.g., privacy by design/privacy by default/Data Protection Impact Assessments)? Yes
  7. Where required, does your organization have written records representing personal information processing activities in accordance with regulatory requirements? Yes
  8. When required, has your organization completed registrations (e.g., database registrations, data controller registrations) with applicable Data Protection Authorities? Yes
  9. When required, does your organization execute contract agreements and/or certification processes to facilitate cross-border transfers of personal information? Yes, organizations can enter into a data processing agreement (DPA) with Changefirst, please view the Data Protection Policy section 11.2 Contracts for further details and to sign the DPA.

Last updated: 22 February 2022.