Security

Last updated: April 2, 2026

Prefolio handles sensitive client portfolio data, business cases, and financial models. We treat security as a core product requirement, not an afterthought. This page outlines how we protect your data.

Data Encryption

  • In transit — All connections are encrypted using TLS 1.2+ with strong cipher suites. HSTS is enforced across all domains.
  • At rest — All data is encrypted using AES-256. Database backups are encrypted with separate key management.
  • Key management — Encryption keys are managed through dedicated key management services with automatic rotation.

Infrastructure

The Prefolio platform is hosted on secure cloud infrastructure with:

  • Geographically distributed hosting for redundancy and low latency
  • Automated daily backups with point-in-time recovery
  • Network-level isolation between tenants
  • DDoS protection and web application firewall (WAF)
  • Continuous infrastructure monitoring and alerting

Tenant Isolation

Prefolio is a multi-tenant platform serving consultancies with multiple client organisations. Data isolation is enforced at the application and database level:

  • Row-level security ensures client data never crosses organisation boundaries
  • Each client organisation's data is logically isolated within the database
  • API access is scoped to the authenticated user's organisation and permissions

Access Control

  • Authentication — Secure authentication with support for multi-factor authentication (MFA)
  • Role-based permissions — Granular roles control access to features and data at the organisation level
  • Internal access — Prefolio employees follow the principle of least privilege. Production data access requires MFA and is logged
  • Session management — Sessions expire after inactivity and tokens are rotated regularly

Compliance

Prefolio is designed to support compliance with:

  • GDPR — Data processing agreements available on request. Data subject rights are supported through the platform and via [email protected]
  • Data residency — Contact us for data residency requirements specific to your organisation

Application Security

  • Secure software development lifecycle (SDLC) with code review for all changes
  • Dependency scanning for known vulnerabilities
  • Input validation and output encoding to prevent injection attacks
  • Regular penetration testing by independent security assessors

Incident Response

We maintain a documented incident response plan that includes:

  • 24/7 automated monitoring and alerting for anomalous activity
  • Defined escalation procedures and response timelines
  • Post-incident reviews with root cause analysis
  • Notification to affected customers within 72 hours of a confirmed data breach, in accordance with GDPR requirements

Vendor Security

All third-party services are assessed against our security requirements before integration. We maintain an inventory of sub-processors and review their security posture on a regular basis. A list of sub-processors is available on request.

Responsible Disclosure

If you believe you have discovered a security vulnerability in Prefolio, we encourage responsible disclosure. Please report it to [email protected]. We will acknowledge receipt within 24 hours, investigate promptly, and keep you informed of progress.

Questions

For security-related questions or to request documentation for your procurement or compliance review, contact [email protected].


© 2025 Prefolio. All rights reserved.