Security
Security at Ellipse Project
We take the security of our own operations and client data as seriously as our clients take theirs. Our ISO 27001 certification covers all operational scopes; the certificate is available on request.
Certifications and frameworks
- ISO 27001:2022 (certified, DEKRA)
- GDPR-aligned data processing posture (formal DPIA on file for engagement workflows)
- Tier-1 European hosting (AWS Frankfurt, primary; AWS Ireland, secondary)
- No cardholder data — PCI DSS not applicable
Data protection
Client data is processed in line with the EU GDPR. Engagement-related personal data is hosted on AWS infrastructure in Frankfurt (primary) and Ireland (secondary), both EU jurisdictions. We retain client data only for the duration of the engagement plus the contracted retention window (typically six years for engagement records to satisfy professional-indemnity obligations).
Vulnerability disclosure
We welcome reports of security issues affecting our systems. To report a vulnerability, see our security.txt file or write to security@ellipseproject.com. We commit to acknowledging reports within two working days and to a coordinated disclosure timeline of up to 90 days, extendable by agreement.
Penetration testing
Our infrastructure is independently tested annually by a CREST-accredited UK assessor. The latest assessment was completed in Q4 2025; an executive summary is available to prospective clients on request under NDA.
Subprocessors
A current list of our subprocessors is available on request to clients under NDA. Updates to the list are notified by email with 30 days' notice.