
We take security and data privacy seriously

Security and Compliance


IMIN LTD is registered with the ICO under the Data Protection Act. Our registration number is ZA264932. We are an IASME Gold and Cyber Essentials certificated company, which includes a GDPR self-assessment, and we use ISO 27001 compliant technical infrastructure.

Evidence of audit and certification can be found at https://www.iasme.co.uk/certified-organisations/


External Audit

imin is an IASME Gold Certified Company through continuous self-assessment and independent annual audit. The most recent annual audit was completed on 19 November 2017.


Wherever personal details are collected as part of the Service these will only be accessible to those who need to use them. They will only be used in other contexts if the data subjects explicitly opt in. We do not share personal details further without permission.


Data Centre Locations

Where possible all core platform infrastructure and peripheral cloud services reside within the European Economic Area (EEA). Where services reside outside of the EEA, the EU Standard Contractual Clauses or equivalent are used as the data transfer mechanism. This ensures that "appropriate safeguards" are in place for GDPR compliance (see Art 46 of the GDPR). Our list of sub-processors and their data processing locations can be found here.


E-mail and Productivity Tools

imin’s core e-mail, productivity and collaboration tools are provided by Google Workspace, which is run within Google’s global infrastructure (https://workspace.google.com/intl/en_uk/security/). When sharing e-mails and documents with imin through this medium, data may be transmitted outside of the EEA. Google provides capabilities and contractual commitments for its customers designed specifically to help address EU data protection requirements and the guidance provided by the Article 29 Working Party. Google Workspace offers EU Model Contract Clauses and a Data Processing Amendment, which imin accepted on 17 October 2017. Additionally, Google Workspace has been assessed as appropriate for use with the UK government's Cloud Security Principles at "OFFICIAL (including OFFICIAL-SENSITIVE)". Google also complies with ISO 27001, SOC 2 and SOC 3.


Content Distribution Network

imin's infrastructure is secured by Cloudflare's Web Application Firewall and accelerated by its Content Distribution Network, which are run within Cloudflare's global infrastructure (https://www.cloudflare.com/en-gb/network/). If Cloudflare transfers any Personal Data outside of the EEA or UK, Cloudflare always ensures that a legal mechanism to achieve adequacy in respect of that processing is in place (https://www.cloudflare.com/en-gb/gdpr/introduction/). Cloudflare also complies with ISO 27001, SOC 2, and PCI DSS 3.2.1.


Infrastructure Accreditations

imin’s core platform infrastructure, provided by Heroku (https://www.heroku.com/policy/security) and Amazon Web Services (https://aws.amazon.com/compliance/), holds ISO 27001, FISMA, SOC 2 and SOC 3 certifications. All other sub-processors use infrastructure that is certified to ISO 27001, SOC 2 Type II, or PCI Service Provider Level 1.

imin do not store credit card information directly, and instead use a tokenisation mechanism via secure SSL connection to defer this storage to Stripe, which assures PCI DSS compliance using the “Pre-filled SAQ A” method (https://stripe.com/docs/security).


Organisational Measures

All of the following organisational measures are included in imin’s Information Security Policy, which each member of staff strictly adheres to.

  • All data and services are classified according to documented data classification criteria, and access to personal and confidential data is only provided for the period for which it is required.
  • Browser extension and cloud service whitelists are regularly reviewed.
  • Information assets are logged and controlled.
  • Risks are logged against key assets and regularly reviewed.
  • No user works with an account that has administrator-level access for business-as-usual activity.
  • Data is not stored on devices longer than is necessary.
  • We use platform-as-a-service infrastructure for all internet-facing product components, which outsources the reliability and security of the underlying infrastructure to compliant global leaders in these fields.
  • Use of USB sticks is not permitted except under exceptional circumstances.
  • We have mechanisms in place which make it easy for any data subject to remove consent for data processing, ensuring that it is as easy to remove consent as it was for them to give it.


Technical Measures

All of the following technical measures are centrally controlled, enforced, managed and monitored.

  • Full disk encryption is enforced on all devices, and data on core cloud-infrastructure is encrypted at rest.
  • All accounts are protected via two-factor authentication with strong passwords, either directly for high classification data and services, or indirectly through the use of a centrally managed password manager.
  • A mobile device management solution is used across laptops and mobile devices, which enforces device encryption and password strength, and allows devices to be remotely wiped if lost or stolen.
  • Application whitelisting is enforced on all mobile devices, ensuring that only approved apps have access to company data and that those apps are isolated from the rest of the device.
  • Access to cloud-based infrastructure is restricted to a specifically configured, heavily controlled and restricted browser profile.
  • Browser security including browser extension whitelisting is centrally controlled.
  • Anti-virus software is installed on all laptops, and is centrally managed and monitored.
  • An external service regularly scans the product codebase for third-party components with known vulnerabilities, using sources which include the NIST NVD (https://nvd.nist.gov/) database.
  • An external service runs continuous penetration testing and monitoring across all products, which includes scanning for the Open Web Application Security Project (OWASP) Top Ten list of the most common vulnerabilities.
  • All product services use HTTPS.
  • All laptops have their firewalls enabled, and are equipped with a permanently enforced VPN that secures traffic sent over the local network.
  • Use of removable media (including USB sticks) is disabled on all laptops.


CONTACT

Questions, comments and requests regarding our security are welcomed and should be sent to our trading address at IMIN LTD, 124 City Road, London, EC1V 2NX, or emailed to hello@imin.co.

Copyright 2025 © IMIN LTD, a company registered in England & Wales. Company No. 07716450