Security

Here is exactly how we protect your data and our platform. We have kept this page factual and specific — if something is not listed here, we have not done it yet.

Infrastructure

Hosted on AWS — all infrastructure runs in AWS eu-west-2 (Ireland). AWS holds its own SOC 2, ISO 27001, and GDPR certifications at the infrastructure level; we run on top of that foundation.
Encryption in transit — all traffic is served over HTTPS via AWS CloudFront. TLS is enforced; unencrypted HTTP connections are rejected.
Encryption at rest — data stored in DynamoDB is encrypted at rest using AWS-managed keys via AWS KMS.
Web Application Firewall — AWS WAF sits in front of our API and front-end, providing protection against common attack patterns.
Isolated environments — production, staging, and development environments are deployed in separate AWS accounts with no shared credentials.

Authentication

Amazon Cognito — user authentication is handled by Amazon Cognito, which manages tokens, session expiry, and credential storage. Passwords are never stored in plain text.
Password requirements — minimum 8 characters with complexity requirements enforced by Cognito.
Short-lived tokens — access tokens expire after 1 hour. Refresh tokens expire after 30 days.

Monitoring

AWS CloudWatch — application and infrastructure metrics are collected in CloudWatch with automated alerting on anomalies and errors.
Sentry — application errors are captured in real time via Sentry for rapid diagnosis.
24/7 human on-call — not yet in place. We do not currently have a staffed security operations centre. Automated alerts notify the team, but response times outside business hours are not guaranteed.

Certifications & Standards

UK Cyber Essentials — in progress

The UK government-backed certification covering the five core technical controls: firewalls, secure configuration, access control, malware protection, and patch management. We are currently working towards certification.

ISO 27001 — planned

Information security management certification. This is on our longer-term roadmap; we will pursue it once Cyber Essentials is complete and the business has scaled to a point where the full ISMS process is warranted.

GDPR (UK & EU) — active

We process personal data in accordance with UK GDPR and, where applicable, EU GDPR. Data is stored in AWS eu-west-2 (Ireland). See our Privacy Policy for full details of what data we hold and how we use it.

Security Incidents

In the event of a security incident that affects your data, we will notify affected customers as soon as we are able to, and within 72 hours where required under UK GDPR. Notifications will be sent to the email address on your account.

To report a vulnerability or suspected security issue: engage@djinnsix.com

Questions?

If you have questions about our security posture, need documentation for a vendor assessment, or want to discuss specific requirements, get in touch.