Security & Compliance

Platform guide

Because both Fourthline and our business partners operate in strictly regulated environments, we recognize the importance of upholding high security standards.

All our policies are available on request.

Platform security

Fourthline uses cloud computing solutions provided primarily by Amazon Web Services (AWS) as the core building block of our platform. All our production systems and data are hosted on the AWS cloud platform in Ireland within the European Union.

AWS manages security and compliance for the infrastructure and Fourthline for software and data operations within the infrastructure, in line with AWS’s shared responsibility model.

Fourthline is a member of the AWS Partner Network in the Financial Services Competency program. AWS has audited our architecture to ensure we employ security best practices. These include encryption in transit and at rest, identity and access management, and other measures available on AWS's platform.

Fourthline performs thorough due diligence assessments of any potential third-party services and systems. We take reasonable steps to only select and retain providers that follow practices consistent with our security requirements and policies, including our commercial terms & conditions, and confidentiality and privacy policies. During implementation, we include risk-based contractual, organizational, and technical controls. In addition, we perform critical vendor assessments every year.

Access control

Fourthline applies strict access control and encryption protocols to all data and assets to protect them from unauthorized access. Our access control framework is governed by the principles of zero trust and least privilege, on a need-to-know basis.

The framework includes conditional access for authentication and role-based access control (RBAC) for authorization. It also uses mandatory multi-factor authentication for accessing confidential information for all applications. We periodically review the framework to ensure it is up to date with business and security requirements.

Fourthline uses an RBAC matrix that defines user permissions based on their role(s) and enables the minimum necessary privileges required to perform the functions of each role. We periodically review the matrix and its implementation and have established a re-certification process to align it with business uses.

Fourthline’s automated re-certification process cross-checks data objects between our HR and Identity Management systems daily. If any inconsistencies are detected, tickets are automatically created and assigned to the appropriate staff member.


Fourthline manages encryption keys via the AWS Key Management Service, which is designed to prevent access to plaintext keys, even by AWS staff. The service uses hardware security modules validated under FIPS 140-2 to ensure the confidentiality and integrity of the keys. Locally, the service uses a 256-bit AES data key to protect users' content in API requests.

Vulnerability management

Vulnerability management is a continuous part of our software development lifecycle. Regular updates and patches form a core part of our security strategy.

We adopt the immutable infrastructure principle. Therefore, every month we rebuild all our application servers using the latest available operating system and image (AMI), which AWS continuously tests and optimizes.

Business continuity

Fourthline has a business continuity and disaster recovery plan that we test regularly. We can share testing evidence on request. The plan covers the failover of Fourthline application processing from one AWS region to another. This ensures case processing can continue even if a whole AWS region becomes unavailable or is severely impacted.

Certifications, attestations, and audits

Fourthline's Internal auditing department has established an Audit Year Plan. The plan consists of internal and external audits of Fourthline’s processes and systems to ensure controls are meticulously designed and operate effectively.

External audits include:

  • An annual ISO/IEC 27001 certification
  • Monitoring audits by a certification body
  • External penetration tests multiple times a year
  • The ISAE3000 attestation

Internal audits include:

  • Compliance audits of our information security management system in line with ISO/IEC 27001 standards
  • Supporting audits to ensure the effectiveness of internal controls, policies, and compliance with legal and regulatory requirements
  • Monthly penetration tests across applications, networks, and other architectural components

SDK security

For our SDKs, we follow the latest guidelines as described in the OWASP Mobile Application Security Verification Standard, which covers aspects such as:

  • Architecture, design, and threat modeling requirements
  • Data storage and privacy requirements
  • Cryptography requirements
  • Authentication and session management requirements
  • Network communication requirements
  • Environmental interaction requirements
  • Code quality and build setting requirements
  • Resilience to reverse engineering requirements

We also continually improve security measures to strengthen our SDKs against misuse or attacks.


Fourthline developers don't have access to API keys. Our human agents process cases in a secure environment where no phones, pens, or paper are allowed. No staff have direct access to production data. We have monitoring systems in place to detect unusual behavior.

Data protection

At Fourthline, it is our priority to safeguard the confidentiality, integrity, and security of data relating to your clients and any third parties in line with the GDPR.

For more information, see Trust at Fourthline.


At Fourthline, we prefer to only share sensitive data such as financial information, usernames, passwords, and personal data via our APIs. We also understand that it is sometimes necessary to share such data via other channels.


Your contract with Fourthline specifies how long we store the case zipfiles of your clients after the contract ends.


Fourthline can delete data for GDPR reasons on request free of charge. You cannot delete data via our API.

For any questions, contact your implementation manager.

Top of page