Security at Layer Systems

Useful information to help customers understands how we keep your data secure

Security for control, visibility, and flexibility

Our Security Pillars

Identity Management - We ensure that only the right people (and approved devices) can access tenant data in The Layer, with features such as single sign-on, IP safe-listing and user access control via roles & user and tenant level customisations. We also offer two-factor authentication as an option to secure customer data further, and ensure only authorised users can access accounts.

Data Protection - By default, Layer Systems encrypts sensitive data at rest and in transit for all our customers. We further protect your data with tools such as encrypted fields and user access control for sensitive areas such as reports.

Information Governance - Layer Systems offers generous data retention policies that should suit most organisations needs. Archiving policies can be customised upon request.

Security Information

We use the best-in-class security tools and practices to maintain the highest level of security at Layer Systems.

Network Design

Our network has been developed with security and visibility at its heart. Through managed network security policies and frequently reviewed firewall configurations, we open only endpoints required for users to access our service. In addition, we can share our network diagrams on request to demonstrate that through secure network design, we mitigate the most common security threats experienced by SaaS organisations.

Additionally, our hosting partner, Microsoft, has some of the world's most rigorous security and compliance standards, adhering to security controls for ISO 27001, ISO 27018, SOC 1, SOC 2, SOC3, FedRAMP, HITRUST, MTCS, IRAP, and ENS. You can learn more about this on Microsoft Security Centre.

Rate Limiting

We impose rate limiting on our network to prevent DDoS attacks. Details of rate limiting are available upon request.

Penetration, Security + Stress Testing

We carry out periodic internal testing on our network, including stress tests, penetration tests and general security testing + auditing. Through rate limiting and allow lists, we mitigate the potential impact of DDoS (and other) attacks against our network.

Test are carried out on the following security measures regularly:

  • Rate limiting on all endpoints mitigates the risk of brute-force attacks.
  • Tenant-level security mitigates the risk of cross-tenant forgery attacks.
  • Abstraction, safe use of URL routes & advanced subnetting mitigates the risk of database-level attacks.
  • Encrypted credentials at rest, with keys stored in key vaults, in addition to password policies and 2FA mitigates unauthorised access.


We audit all requests to our platform, from the network level down to record access, and perform daily reviews for unauthorised access requests, and apply mitigation where necessary. API requests are logged and attributed to tenant accounts to provide accountability. A variant of OAuth 2.0 secures tenant data in API, and API safe-listing is possible upon additional configuration.

Data Storage

We do not currently transfer or store data out with the European Economic Area nor do our sub-contractors (sub-processors). Should we change our data transfer or storage arrangements, or if our sub-contractors do so, we shall ensure that adequate safeguards are in place in accordance with the UK Data Protection Legislation and We will notify you of any such change.

Secure Client Connections

The Layer forces HTTPS connections for all services using TLS (SSL), including our public website and the applications forming The Layer, to ensure secure connections.

Security Protocols

We regularly audit the details of our implementation, including the certificates we serve, the certificate authorities we use, and the ciphers we support.

The Layer now uses LS 1.2 protocol exclusively. Layer Systems removed support for TLS 1.0 + TLS 1.1 in January 2023, in line with industry guidance.

Sensitive Data

Sensitive data is encrypted at rest. Decryption keys are stored on key vault stores. None of Layer Systems internal servers can obtain plain text credentials for internal services.

Data Access

User credentials are encrypted at rest, with decryption keys stored on a separate key vault store in SOC2-accredited data centres, and access to API is via a token-based delivery system.

Further Information

For further information, don't hesitate to get in touch with us on 03333 222000.