Security statement.

vspry builds and delivers secure software solutions applying internationally recognised security methodologies and best practices throughout the software development lifecycle.

Secure software development

We build and deliver secure software solutions applying OWASP security methodologies and best practices throughout the software development lifecycle (SDLC). Our teams undertake combinations of dynamic application security testing and manual penetration testing to identify and remedy potential security vulnerabilities in applications, products or enhancements. Rigorous security testing is performed on external-facing interfaces and APIs.

Security testing

We monitor external security vulnerability awareness sites. As part of the routine vulnerability management process, our security team evaluates exposure to these vulnerabilities and takes swift action as necessary.

Monitoring

We maintain vigilant security monitoring to prevent, detect and respond to vulnerabilities and security events. A range of security tools monitor environments, providing defence-in-depth and ensuring that security is monitored and managed at multiple tiers of the architecture.

Immutable logging

We adopt an immutable architecture for accurate logging and auditing in all system processes. Immutability provides a tamper-resistant hardening of comprehensive Identity and Access Management policies and procedures.

Deployment segregation

Software deployed is segregated on a per-client basis in client-dedicated cloud projects and client-dedicated infrastructure, so there is no data co-mingling. Each deployment is designed to be fully independent and specifically configured for the client, their jurisdiction, and their compliance framework.

Data access

Databases and file storage are accessible only to internal services and an explicit whitelist of computers used for support and management. Access control levels are set explicitly for authorised management users. Any other attempt to access the data from a different computer or user is blocked. Firewall rules are used by both the server and the database to reject connection attempts from IP addresses that have not been explicitly whitelisted.

Data in transmission

All connections to web applications and databases require transport-level encryption.

Data in storage

Customer data is stored in a database that employs transparent data encryption to help protect against the threat of malicious activity. This technology performs real-time encryption and decryption of the database, associated backups, and transaction log files at rest, which protects data and helps meet compliance requirements.

Data loss protection

Data is backed up at frequent intervals and distributed across multiple servers and data centres to prevent or minimise loss in disaster scenarios.

security@

The public is encouraged to report security vulnerabilities by emailing security@