Compliance and certifications
TeamFeePay maintains an information security programme aligned with ISO/IEC 27001, ISO/IEC 27018, and PCI DSS. Independent auditors assess our controls on a recurring basis and the latest reports are available below to authenticated parties.
ISO/IEC 27001:2022
Information security management system standard, certified annually with surveillance audits.
ISO/IEC 27018:2019
Code of practice for protection of personally identifiable information (PII) in public clouds acting as PII processors.
PCI DSS Level 2
Payment Card Industry Data Security Standard — Level 2 service provider. Our PCI compliance is generated and maintained through our payment processor Stripe, who handle card data on our behalf so we never store, process or transmit cardholder data directly.
Reports and documents
Public collateral is available immediately. Confidential reports are released after a quick NDA acceptance.
Open downloads
Backup Policy
How we back customer data up, how often, where backups are stored, and how restore procedures are tested.
ISMS Scope
Defines what is in scope of our ISO/IEC 27001 ISMS — the products, the people, the locations and the infrastructure.
Information Classification Policy
How we classify information and what handling, storage and transmission controls apply at each classification level.
Information Security Policy
Executive-level statement of how we manage information security, the objectives we hold ourselves to, and the controls we operate.
NDA-gated downloads
Access Control Policy
Rules governing access to systems, equipment, facilities and information — role profiles, joiner/mover/leaver, privileged access and review cycles.
Change Process
How changes to production systems are proposed, reviewed, approved, deployed and rolled back.
Communications Policy
Internal and external communication channels, escalation paths, and how regulatory bodies and customers are kept informed.
Disposal & Destruction Policy
Secure disposal of media, devices and printed material — including standards followed and evidence retained.
HR Security Policy
Pre-employment screening, onboarding, security awareness training, role changes and termination procedures.
Incident Management Process
How we detect, triage, contain, recover from and learn from security incidents — including customer notification SLAs.
Information Security Encryption Policy
Standards for data at rest and in transit, key management, certificate handling and cryptographic algorithm allow-list.
Physical & Environmental Security Policy
Controls protecting our offices, equipment and supporting infrastructure from physical and environmental threats.
Procedure for Document Control
How ISMS documentation is authored, reviewed, approved, version-controlled and retired.
Risk Assessment & Risk Treatment Methodology
The methodology used to identify, assess, treat and accept information security risk across the organisation.
Secure Development Policy
Secure SDLC practices — threat modelling, code review, dependency scanning, secrets handling and pre-release security gates.
Supplier Policy
How we evaluate, onboard, manage and offboard suppliers, including cloud service providers and sub-processors.
Vulnerability Management Policy
How vulnerabilities are identified (scanning, pentests, intelligence feeds), prioritised, remediated and verified.
Controls Register
Operational view of every implemented control: owner, frequency, last review, next review and supporting evidence.
ISO 27001 Statement of Applicability
Per-control mapping of all 93 ISO/IEC 27001:2022 Annex A controls — inclusion decision, justification, implementation and evidence.
Legal, Contractual & Regulatory Requirements
Register of the laws, regulations and contractual obligations the ISMS is designed to satisfy — UK GDPR, PCI DSS, and others.