Security

Extra360 is built to operate securely and protect customer data by design

Data privacy and security are embedded in every part of our business.

Protecting our customers' data is one of our most important responsibilities.

Extra360 applies layered security and privacy controls across infrastructure, applications, and access management to protect customer data and support reliable operation at scale.

These controls govern how data is collected, processed, stored, and protected, and how access is granted across environments.

They define how services operate, how risk is managed, and how the platform scales securely across customers and markets.

Security controls at a glance

  • Network and encryption security
  • 24/7 support for critical incidents
  • GDPR compliance
  • Regular external security reviews
  • Enforced privacy policies

Security built into every rollout

  • Unique identifiers on every API call and response
  • Granular permissions and user management
  • SAML 2.0 Single Sign-On (SSO)
  • API testing, logging and monitoring
  • Global and per-profile limits

Global Data Security

Data minimisation and privacy controls

Privacy controls are applied at the data and platform level to reduce risk, limit unnecessary data processing, and enforce consistent handling across environments.

Data is limited to what is required

Avoid collecting or retaining data that is not required to operate the platform.

Personally identifiable information is restricted

Personally identifiable information (PII) is not shared with external vendors.

Customers are identified through secure identifiers

Track customer records using unique identifiers rather than full names, email addresses, or any other PII.

Governance and security management framework

Extra360 operates under a formal information security and quality management framework aligned with internationally recognised standards for information security, privacy, service management, and business continuity.

These include ISO/IEC 27001 and ISO 9001, supported by ISO 27701, ISO 22301, and ISO/IEC 20000-1.

These frameworks govern how security, privacy, quality, and operational controls are defined, implemented, monitored, and continuously improved across the organisation.

Compliance is maintained through documented policies, defined roles and responsibilities, and ongoing internal governance processes.

Ongoing assurance and review

Extra360’s security, privacy, and operational controls are reviewed on an ongoing basis through internal governance processes and regular independent third-party assessments.

Findings from audits, testing, and reviews are tracked and addressed as part of Extra360’s security and risk management lifecycle, supporting operation in regulated and multi-market environments.

Extra360’s security and operational controls operate within formal, independently audited management systems. Further details on certifications, audits, and independent assurance are available in Extra360’s Trust & Assurance section.

Extra360 applies security and privacy measures across technology and policy to protect customer data and support secure operation.

Governance & Accountability

Extra360 establishes formal security, privacy, and risk governance through defined roles, documented policies, and executive accountability.

Security and privacy oversight is embedded at the organisational level, with clear ownership for decision-making, escalation, and compliance across all environments.

Governance is supported through independent oversight functions, regular management review, and alignment with internationally recognised management system standards.

Extra360 maintains executive-level responsibility for information security through a dedicated Chief Information Security Officer (CISO).

The CISO is accountable for the organisation’s information security posture, including oversight of security strategy, risk management, and the protection of personal and confidential data in line with applicable regulatory and contractual requirements.

Extra360 appoints an independent Data Protection Officer (DPO) responsible for monitoring compliance with applicable data protection regulations.

The DPO provides independent oversight of personal data processing activities and ensures alignment with regulatory obligations across jurisdictions.

Security and privacy governance is supported through documented policies, defined roles, and clear accountability structures.

Governance mechanisms ensure consistent decision-making, escalation, and oversight across environments and operating regions.

Privacy and Data Protection

Extra360 applies privacy and data protection controls by design to ensure lawful, transparent, and purpose-limited processing of personal data.

Controls are implemented to minimise data collection, restrict access, and ensure personal data is processed in line with applicable data protection regulations across jurisdictions.

Privacy governance covers how personal data is collected, processed, stored, shared, and retained, supporting customers’ rights and regulatory obligations globally.

Extra360’s software and conduct are fully compliant with the GDPR, guaranteeing that customers retain their right to control their data.

Extra360 maintains strict internal data privacy and data handling policies that define how customer data is accessed, processed, and managed.

These policies establish clear rules for employee access, handling, and accountability across the organisation.

Detailed data controls are applied to minimise the risk of unintended data leakage and ensure that only necessary information is processed and transmitted through APIs and system interfaces.

Technical and Platform Security

Extra360 implements layered technical and platform security controls across infrastructure, applications, APIs, and access management.

These controls protect the confidentiality, integrity, and availability of systems and data, and are designed to scale securely across customers, regions, and use cases.

Technical safeguards govern authentication, encryption, access control, monitoring, and secure system interaction across the platform.

Extra360 implements encryption and network security controls to protect data in transit and at rest.

Encrypted communication channels are enforced for system interactions and data transmission.

APIs transmitting personal or sensitive data are protected using encrypted channels and integrity controls designed to prevent unauthorised modification, replay, or tampering of requests and responses.

These controls include request validation, authentication mechanisms, and integrity checks applied across API interactions. API signatures and validation mechanisms are implemented to ensure data is not altered in transit.

Access to systems and APIs is governed through defined permission models and user management controls.
Extra360 supports granular permissions, role-based user management, and SAML 2.0 Single Sign-On (SSO) to control access to platform resources.

System interactions are secured through unique identifiers on API calls and responses, enforced limits, and logging mechanisms to support secure operation and monitoring.

Extra360 applies encryption controls to protect data during transmission and while stored within platform environments.

All API endpoints enforce encrypted connections for data in transit. Data at rest is encrypted within Extra360’s cloud infrastructure hosted on Microsoft Azure.

Operational Resilience

Extra360 maintains operational resilience through defined continuity, availability, and incident response practices.

Operational controls are designed to support service availability, recoverability, and reliability in the event of incidents, system failures, or external disruptions.

Business continuity and disaster recovery capabilities are established to ensure services can be restored within defined objectives and service levels.

Extra360 supports service availability through defined service level arrangements and operational controls.

Multiple service level options are available to align with differing enterprise operational requirements across customer environments.

Availability objectives are established and managed as part of ongoing service operations.

Extra360 maintains a documented disaster recovery and business continuity framework designed to support service continuity across contingency, emergency, and disruption scenarios.

The framework defines structured response, recovery, and restoration procedures to enable controlled recovery and minimise operational impact.

Business continuity and recovery capabilities are reviewed and maintained as part of ongoing operational resilience planning.

Extra360 operates continuous operational support processes to identify, escalate, and respond to critical incidents.
Defined escalation paths and response procedures support timely incident resolution and coordinated service restoration.

Assurance, Testing and Continuous Improvement

Extra360 validates the effectiveness of its security and privacy controls through independent testing, ongoing assurance activities, and continuous improvement processes.

Controls are regularly reviewed, tested, and enhanced to address evolving threats, regulatory expectations, and operational risk.

Assurance activities support audit readiness, risk transparency, and long-term alignment with internationally recognised standards.

Extra360 maintains a dedicated Quality Assurance function responsible for testing all software updates and changes prior to release. Testing processes are designed to identify defects and vulnerabilities before deployment.

Our technology is subjected to independent external penetration testing bi-annually to identify potential vulnerabilities, validate the effectiveness of security controls, and ensure that our platform provides flawless protection.

Security and privacy controls are reviewed through independent assessments and audits.

Findings are used to inform corrective actions and continuous improvement initiatives.

© Extra360 2026. All Rights Reserved.