Security Policy

Thousands of users entrust Changefirst with their data, and we make it a priority to take our users’ security and privacy concerns seriously. We strive to ensure that user data is kept securely, and that we collect only as much personal data as is required to provide our services to users in an efficient and effective manner.

Changefirst uses some of the most advanced technology for Internet security that is commercially available today. This Security Statement is aimed at being transparent about our security infrastructure and practices, to help reassure you that your data is appropriately protected.

As part of Changefirst’s continuing improvement of the confidentiality, quality and availability of the information assets we may store and process, we are ISO 27001 certified and externally audited annually. You may view our Information Security Policy, which describes our objectives in this area.

Application and user security

  • SSL/TLS encryption: e-change uses the SSL/TLS protocol during transmission over public networks such as the internet. This ensures that user data in transit is safe, secure, and available only to intended recipients.
  • User authentication: User data on our database is logically segregated by account-based access rules. User accounts have unique usernames and passwords that must be entered each time a user logs on. e-change issues a session cookie (see our Cookie Policy for more information) only to record encrypted authentication information for the duration of a specific session. The session cookie does not include the password of the user. We have recently enabled OAuth (open authentication). If a user is using OAuth then tokens are used to authenticate the user.
  • User passwords: User application passwords have minimum complexity requirements. Passwords must meet the following guidelines:
    • be at least eight characters and no more than 20 characters in length
    • contain at least one lowercase letter [a-z]
    • contain at least one uppercase letter [A-Z]
    • contain at least one number [0-9] or contain special characters: ! @ # $ % ^ & * ( ) + ?
  • Data encryption: Certain sensitive user data such as account passwords are stored in an encrypted format. Client data is encrypted at all times when in transit.
  • Data portability: e-change enables you to export your data from our system in a variety of formats so that you can back it up, or use it with other applications.
  • Privacy: We have a comprehensive Privacy Policy that provides a very transparent view of how we handle your data, including how we use your data, who we share it with, and how long we retain it.

Data Centre

Changefirst uses the Amazon Cloud Computing Platform ‘Amazon Web Services’ (AWS) to provide customers with secure, reliable and high-performance service. The AWS infrastructure includes facilities, network, and hardware as well as some operational software that supports the provisioning and use of these resources. This infrastructure is designed and managed according to security best practice as well as a variety of security compliance standards. 

Physical security

AWS data centers are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Authorized staff must pass two-factor authentication a minimum of two times to access data center floors. All visitors and contractors are required to present identification and are signed in and continually escorted by authorized staff.

AWS only provides data center access and information to employees and contractors who have a legitimate business need for such privileges. When an employee no longer has a business need for these privileges, his or her access is immediately revoked, even if they continue to be an employee of Amazon or Amazon Web Services. All physical access to data centers by AWS employees is logged and audited routinely.

Fire Detection and Suppression

Automatic fire detection and suppression equipment has been installed to reduce risk. The fire detection system utilizes smoke detection sensors in all data center environments, mechanical and electrical infrastructure spaces, chiller rooms and generator equipment rooms. These areas are protected by either wet-pipe, double-interlocked pre-action, or gaseous sprinkler systems.


The data center electrical power systems are designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week. Uninterruptible Power Supply (UPS) units provide back-up power in the event of an electrical failure for critical and essential loads in the facility. Data centers use generators to provide back-up power for the entire facility.

Climate and Temperature

Climate control is required to maintain a constant operating temperature for servers and other hardware, which prevents overheating and reduces the possibility of service outages. Data centers are conditioned to maintain atmospheric conditions at optimal levels. Personnel and systems monitor and control temperature and humidity at appropriate levels.


  • Connectivity: Fully redundant IP network connections with multiple independent connections to a range of Tier 1 Internet access providers.
  • Environment: Our data is located at two data centres. Data Centres are physically separated and located in lower risk flood plains. In addition to discrete Uninterruptible Power Supply (UPS) and onsite backup generation facilities, they are each fed via different grids from independent utilities to further reduce single points of failure. Data Centres are all redundantly connected to multiple tier-1 transit providers.
  • Uptime: Continuous uptime monitoring, with immediate escalation to Changefirst staff for any downtime.

Network security

  • Uptime: Continuous uptime monitoring, with immediate escalation to Changefirst staff for any downtime.
  • Third party scans: Weekly security scans are performed by Qualys.
  • Testing: System functionality and design changes are verified in an isolated test “sandbox” environment and subject to functional and security testing prior to deployment to active production systems.
  • Firewall: The firewall blocks external access on all ports except 443 (https).
  • Patching: Latest security patches are applied to all operating system and application files to mitigate newly discovered vulnerabilities.
  • Access control: Secure VPN, multifactor authentication, and role-based access are enforced for systems management by authorized engineering staff.
  • Logging and Auditing: Central logging systems capture and archive all internal systems access including any failed authentication attempts.

Storage security

  • Backup frequency: Backups occur every 2 hours and daily to a centralized onsite backup system. Backups are retained for a six-month period.

Organizational & administrative security

  • Employee screening: We perform routine background screening on all employees.
  • Training: We provide security and technology use training for employees.
  • Service providers: We screen our service providers and bind them under contract to appropriate confidentiality obligations if they deal with any user data.
  • Access: Access controls to sensitive data in our databases, systems and environments are set on a need-to-know / least privilege necessary basis.
  • Audit logging: We maintain and monitor audit logs on our services and systems.
  • Information security policies: We maintain internal information security policies and regularly review and update them.

Software development practices

  • Stack: We code in Java and React JS, and run on SQL Server 2008 and Windows 2008 Server.
  • Coding practices: Our engineers use best practices and industry-standard secure coding guidelines to ensure secure coding.

Handling of security breaches

Changefirst has an Information Security Incident Management Policy to ensure an effective mechanism is in place to promptly identify, report, investigate and resolve information security incidents affecting the services that we provide.

Your responsibilities

Keeping your data secure also depends on you ensuring that you maintain the security of your account by using sufficiently complicated passwords and storing them safely. You should also ensure that you have sufficient security on your own systems, to keep any data you download to your own computer away from prying eyes.


Last updated: 18th October 2019