Thousands of users entrust Changefirst with their data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

This Security Statement is intended to be transparent about our security infrastructure and practices, and to help reassure customers and users that their data is protected.

Information Security

As part of Changefirst’s continuing improvement of the confidentiality, quality and availability of the information assets we may store and process, we are ISO 27001 certified and externally audited annually. The Changefirst Information Security Policy provides further information in this area.

Personal Data

Personal information a user enters in online services provided by Changefirst is used for contacting users should they have a support query. Changefirst collects the following Personal Data from users for us to provide our service:

  • First Names
  • Last Names
  • Email address
  • Location (Country)
  • IP address

Further details are in the Changefirst Privacy Policy.

Technical and organisational security measures

Changefirst document a set of technical and organisational security measures in the following areas: access control to premises/facilities/systems/data, disclosure control, input control, job control, availability control and segregation control. This information can be provided to our potential/existing customers upon request.



Online services provided by Changefirst are hosted on secure servers located in the European Union using Amazon Web Services (AWS). Only authorized Changefirst personnel have access to these servers.

  • SSL/TLS encryption: The service uses the SSL/TLS protocol during transmission over public networks such as the internet. This ensures that user data in transit is safe, secure, and available only to intended recipients.
  • User authentication: User data is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user accesses the services. Changefirst authorises users through OAuth (open authentication), through the application of OAuth tokens to authenticate the user. (Legacy user account holders are authenticated through the issuing of a session cookie (see the Changefirst Cookie Policy for more information) to record encrypted authentication information for the duration of a specific session.)
  • User passwords: User application passwords have minimum complexity requirements. Passwords must meet the following guidelines:
    • be at least eight characters and no more than 20 characters in length
    • contain at least one lowercase letter [a-z]
    • contain at least one uppercase letter [A-Z]
    • contain at least one number [0-9] or contain special characters: ! @ # $ % ^ & * ( ) + ?
  • Data encryption: Certain sensitive user data such as account passwords are stored in an encrypted format. Client data is encrypted at all times when in transit.
  • Data portability: Users can export their data from our system in a variety of formats so that they can back it up, or use it with other applications.
  • Privacy: The Changefirst Privacy Policy aims to provide transparency of how Changefirst handle customer and user data.

Data Hosting

Changefirst uses the Amazon Cloud Computing Platform ‘Amazon Web Services’ (AWS) to provide customers with a secure, reliable and high-performance experience when using Changefirst online services. The AWS infrastructure includes facilities, network, and hardware as well as some operational software that supports the provisioning and use of these resources. This infrastructure is designed and managed according to security best practice as well as a variety of security compliance standards. More information can be found at

Software development practices

Our engineers use best practices and industry-standard secure coding guidelines and procedures to ensure secure coding. These are outlined in the Changefirst SDLC Security Policy.

User responsibilities

Keeping user data secure also depends on maintaining the security of user accounts by using sufficiently complicated passwords, stored securely. Users of the services should also ensure that they have sufficient security on their own systems, to keep any data downloaded to a local device away from prying eyes.


Last updated: 12th December 2019.