Why It Matters
In today’s digital world, your data is more valuable than ever. You can trust Eppione to ensure that world-class security protocols protect your sensitive information.
We take this responsibility seriously — not just to meet compliance requirements, but to give you peace of mind.
Highlights
| Certification / Feature | Details |
|---|---|
| ISO 27001:2022 | Certified and independently audited (Certificate #24130) |
| Choose Your Data Residency | Hosted with AWS |
| Multi-Layer Encryption | AES-256 at rest, TLS 1.3 in transit, BCrypt password hashing |
| GDPR Compliant | All 8 data subject rights are supported |
| 24-Hour Breach SLA | Customer notification within 24 hours (exceeds GDPR 72 hours) |
| Regulated Adviser | Authorised by the FCA and the Central Bank of Ireland |
A Step Forward in Trust & Transparency
At Eppione, security isn’t just a feature — it’s a foundation.
ISO 27001:2022 Certified
Eppione maintains ISO 27001:2022 certification, the international gold standard for information security management. Our certification is issued by Alcumus ISOQAR, a UKAS-accredited certification body, and covers our entire enterprise operations, including platform development, cloud infrastructure, and customer data processing.
Our Information Security Management System (ISMS) undergoes annual surveillance audits and full recertification every three years, ensuring our security controls remain effective and continuously improve.
Choose Your Data Residency
Your data never leaves trusted jurisdictions. Our infrastructure is hosted entirely within Amazon Web Services (AWS), providing enterprise-grade reliability with full data sovereignty.
Eppione utilizes the Amazon Web Services platform (AWS), the world leader in cloud infrastructure technology, with its 20 geographic regions. Eppione is implemented in the main AWS regions around the world to provide its clients with the greatest application availability and scalability.
For example, to properly serve the customers located in Europe, Eppione is deployed in the EU. This specific setup allows Eppione to keep European client data and backups within the European Union.
Multi-layer Security Encryption
We employ defence-in-depth encryption across all layers of our infrastructure to ensure your sensitive employee benefits data remains protected at all times.
Access Control & Authentication
We implement strict access controls to ensure only authorised personnel can access your data, with comprehensive audit trails for all activity.
GDPR Commitment
GDPR compliance is fundamental to how we operate. We support all data subject rights and provide the tools you need to meet your own regulatory obligations.
To learn more, email our Data Protection Officer: dataprotection@eppione.com
Regulated Financial Services
Eppione operates as a regulated financial adviser, providing an additional layer of accountability and oversight beyond standard technology providers. Our regulated status means enhanced due diligence, fit and proper requirements for all staff, and ongoing regulatory supervision.
Security Testing & Monitoring
We continuously test and monitor our systems to identify and remediate vulnerabilities before they can be exploited.
- Penetration Testing: Including annual comprehensive testing by an independent CREST-certified security firm
- Vulnerability Management: Patching timeframes range between 24 hours and 90 days, across severities from critical to low
- Continuous Monitoring: Including real-time threat detection and audit logging
Security Incident Response
Our documented incident response programme ensures rapid detection, containment, and communication in the unlikely event of a security incident. Response times range between 1 hour and 48 hours, across priorities from critical to low.
Customer Notification SLA: Within 24 hours for incidents affecting your data (exceeding GDPR’s 72-hour requirement)
Business Continuity & Disaster Recovery
Our cloud-native architecture provides inherent resilience, backed by tested disaster recovery procedures.
Subprocessor Management
We carefully vet all third-party processors and maintain contractual controls to ensure your data remains protected throughout the supply chain.
Reporting Security Issues
If you discover a vulnerability in Eppione or have a security incident to report, please contact us immediately.
We ask that you provide a reasonable time for remediation before any public disclosure.
By submitting a report, you agree not to disclose your findings or submission contents to third parties without Eppione’s prior written approval. Detailed and quality reporting is important to us.
Security Documentation & Requests
The following security documentation is available upon request:
- ISO 27001:2022 Certificate
- Penetration Test Executive Summary
- Data Processing Agreement (DPA) template
- Subprocessor List
- Security Policies (summary)
To request documentation:
Contact your account manager or contact us.
Last updated: February 2026

