Security & Compliance

Application Level Security

We prevent single points of failure. Even if there is an interruption to one system, the rest of our services stay up and secure. We physically separate the database instances from application servers. All login pages pass data via SSL/TLS for public and private networks, and only support certificates signed by well­ known Certificate Authorities (CAs). All personally identifiable information (PII) is encrypted while in transit as well as at­ rest using military grade encryption to ensure the security of user IDs and passwords. Intuo application passwords are hashed and even our own staff can’t retrieve them. A lost password must be reset.

ISO27001 and GDPR Readiness

The European Union’s General Data Protection Regulation (GDPR) is an unprecedented privacy regulation in terms of its breadth, depth, and impact. The GDPR will take effect on May 25, 2018, and we’re already compliant. In addition to being compliant, we've conducted a thorough Data Protection Impact Assessment (DPIA) of all our external suppliers and vendors. The GDPR extends the reach of the European Union’s data protection laws and establishes many new requirements for organizations that fall under its scope. Intuo have already undergone the necessary steps for an ISO27001 certification and is an ISO/IEC 27001:2013 certified organisation. Our public ISO27001 certificate can be found here. Our privacy team is well ahead of this deadline to meet and exceed these new requirements.

A few of the major GDPR changes:

  • The GDPR gives EU residents the "right to be forgotten" by controllers and processors. If a data subject requests their data to be removed, controllers are responsible for securely deleting the data from their systems and ensuring processors delete data as well.
  • The GDPR outlines specific requirements for notifications in the event of a data breach. Organizations who experience a data breach must notify data protection authorities, and in certain cases, they must also notify the data subject.
  • The GDPR now extends to organizations who monitor the behavior of EU residents online. This includes e-mail tracking as well as tracking of user behavior on an organization’s website.
  • The GDPR centralizes the regulation of processing of EU resident data. All processing of personal data belonging to residents of the EU will be governed by the GDPR, regardless of the member state in which the data subject resides.

Data centers

Intuo’s products run on world­ class infrastructure hosted at Amazon data centers running on Amazon Web Service (AWS) technology. Our data centers are located in Frankfurt, Germany and data never leaves Europe. Amazon data centers provide physical security 24/7, state­ of­ the­ art fire suppression, redundant utilities and biometric devices to ensure that our customers’ data is safe and secure. Amazon continually reviews and refines their procedures to comply with the latest security standards. Our data and services are housed in the same physically secure AWS facilities as Netflix, Expedia, AirBnB and Yelp. Amazon maintains security certifications with:

  • SOC 1 / ISAE 3402
  • SOC 2
  • SOC 3
  • CSM Levels 1­5
  • PCI DSS Level 1
  • ISO 9001 / ISO 27001

Customer data is stored in multi-tenant datastores, we do not have individual datastores for each customer. However strict privacy controls exist in our application code to ensure data privacy and prevent one customer from accessing another customers data. We have many unit and integration tests in place to ensure these privacy controls work as expected. These tests are run every time our codebase is updated and even one single test failing will prevent new code being shipped to production.

Network Security

Your data is protected between you and our systems. We take multiple steps to prevent eavesdropping between you and our systems, as well as within our infrastructure. All network traffic runs over SSL/HTTPS, the most common and trusted communications protocol on the Internet. Internal infrastructure is isolated using strict firewalls and network access lists. Each system is designated to a firewall security group by its function. By default, all access is denied and only explicitly allowed ports are exposed. Persistence and storage layers are encrypted and secured behind VPN & VPC firewalls.

Restricted Access

Only people who need access, get access. Production system access is limited to key members of the Intuo engineering team and use of passwords are expressly forbidden. We solely use public/private key pairs to authenticate with our servers.


Logging is a critical component to Intuo infrastructure. Logging is used extensively for application troubleshooting and investigating issues. Logs are streamed in real­time and over secure channels to a centralized logging service. This also allows our technical support and development teams to view logs without gaining access to the production systems.

Data Protection, Continuity and Retention

We backup and test our systems, just in case. Production data is automatically backed up daily. We test our recovery procedures regularly by restoring from backup and simulating recovery of a production database. Our backup retention for all systems is seven (7) days. Our production applications are deployed in multiple availability zones and leverage AWS Multi­AZ technology which can sustain the loss of an entire data center in a region. In case of termination of the contract with a customer, we delete all customer and personal data within 30 days.