Trust Center


At IFS, your trust is important to us. Our commitment to trust is built into every hire, every employee appraisal, every process and every solution we deliver to our customers.

Trust, that as a market-leading, customer-led company, we strive not just to stay compliant with data and security regulations, but instead maintain high standards that help protect our company and our customers who rely upon us. 

The IFS Trust Center is your hub for learning about how IFS approach information security, ensuring that our products are secure by design and by default, our services are delivered securely and your information protected at all times.



Cloud production service availability 

(rolling 90 day average) 

Explore how we deliver security, privacy and compliance

  • Certifications & audits
  • Security built through trust
  • Customer information security
  • Customer security in the cloud
  • Keeping your data private

Certifications & audits

As a business that provides support and developmental growth for customers, we comply with all required legal and regulatory requirements relating to the operation of the company, as well as the delivery of our products and services to our customers.

Our information security practices are subject to external independent reviews. These reviews are conducted against internationally recognized security standards

Explore IFS certifications

  • Trusted independent review

    We use external accredited organizations to independently validate our compliance with internal and external policies, regulations, and best practices.


    We adopt and measure our internal policies, processes and controls against globally recognized standards, frameworks and best practices. And as part of our commitment to continuous improvement, we use external accredited organizations to regularly audit and review our management systems. At IFS, we hold both ISO/IEC 27001:2013 Information Security Management certification and SOC 1 Type II and SOC 2 Type II reports certified to SSAE18/ISAE3402 and AICPA/ISAE3000 standards for our IFS Cloud and IFS Success services.
  • IFS SOC reporting
    SOC reporting demonstrates our commitment to following security best practice.


    To achieve independent, third-party validation of our security controls, we engaged a major accounting firm to produce an Independent Service Auditor Report covering the description of Controls Design for our IFS Cloud and IFS Success services.

    The activity was conducted in accordance with attestation standards established by both the American Institute of Certified Publica Accounts (“AICPA”) Statement on Standards of Attestation Engagements number 18 (SSAE18) and Internation Standards on Assurance Engagements (ISAE) 3402 and 3000, Assurance Reports on Controls at a Service Organiszation, issued by the International Auditing and Assurance Standards Board.  These standards include verification of the common criteria controls along with the trust services criteria relevant to security, availability, confidentiality and privacy as applicable to both IFS Cloud and IFS Success services.
  • Third-party certifications

    We expect our suppliers to apply the same high security standards that we do, evidenced through globally recognized certifications.

    At IFS, we work hard with our suppliers to ensure the highest security standards are applied at every stage in the supply chain. From compliance with GDPR and applicable privacy, modern slavery prevention measures and more, we rigorously assess all our suppliers using a formal supplier management process.

    To keep up with the changing landscape of global security, privacy and compliance, we regularly review our supplier’s performance and maintenance of their certifications.

View our current certifications

Security built through trust

At IFS we set a high bar for our global security policies, standards and procedures. By using industry best practice security frameworks including ISO 27001, NIST 800-171, SSAE18/ISAE3402/ISAE3000 to create and maintain our Information Security Management System (ISMS), we stay aligned with or even ahead of industry best practices.


Explore IFS information security

  • Information security policy

    We set strict, industry qualified information security policies across all business procedures and strategies.

    IFS information security policies form part of our global Information Security Management System (ISMS) which is maintained in accordance with numerous internationally recognized security frameworks including ISO 27001. 

  • Managing information security

    How we use detailed, trusted security practices to manage and secure your information. 

    At IFS we follow industry best practice, taking a risk-based approach, and putting particular emphasis on a range of trusted practices.

    Security Operations Center (SOC) 
    We invest continually in our platform and network security, co-ordinated by our Security Operations Center (SOC). By using a combination of world-class conventional and Artificial Intelligence based tools and regular penetration testing, we ensure that our business operations are monitored and protected around the clock.

    Access control 
    Our approach to access control ensures that our users, partners and suppliers have just the necessary level of access required to perform their roles efficiently and effectively.

    Single sign-on (SSO) and multi-factor authentication (MFA) are also active across our entire estate. Cryptography is used in transit and at rest to ensure the highest levels of data security whenever information is shared.

    Business continuity 
    Through thorough business continuity planning, we have established a strong backup and recovery policy which sits at the heart of our disaster recovery plan. We have implemented resilient systems and processes capable of supporting us in the event of a business continuity event at one or more of our operating locations.

    Our employees 
    We carry out extensive pre-employment checks and rigorous induction training, followed up with an ongoing annual security training program, to help maintain a safe physical and digital working environment. We follow formal employee on- and off-boarding processes to ensure that access to our IT domains are strictly controlled at all times and that information confidentiality is maintained through to post-employment.

  • Security for third party suppliers

    We ensure that all third-party suppliers who support the delivery of our services apply the same high standards we set ourselves.

    At times it may be necessary for third-parties to access sensitive and confidential information. Whether its information that belongs to IFS or IFS Customers, all third-parties with access are required to follow our information security policies, standards and practices. Our Supplier Management and Partner Management processes ensure that the services and deliverables provided by our third-party eco-system meet the same high standards that we set for ourselves.

ifs_content_block_79_Solutions EOI Tab 3

Customer information security

Whether our customers choose the IFS Cloud service, on-premise hosting or their own Cloud environment, they can be assured that our products have been developed to the best security standards. All IFS products are routinely tested throughout the development lifecycle in order to identity and address any potential vulnerabilities.

In accordance with our Secure Product Development Lifecycle (SPDLC), segregation of environments, formal change management, independent test and validation and tightly controlled release and distribution processes all help assure product security and integrity of our customer solutions.

Since security threats are constantly evolving, we continuously monitor for new vulnerabilities and ensure that our customers are notified without delay should action be required to mitigate any new risks. 

Explore customer information security

  • Secure delivery
    From development to deployment, our products are managed securely and consistently.

    IFS Lifecycle Experience (LE) is our set of processes covering the entire implementation and production lifecycle. Spanning from initial discovery and exploration of solutions through to continued solution optimization years after go-live, security is an integral part of our processes and includes environment segregation, formal change management, strictly controlled software release and distribution overlayed with strict access control and data protection.

    IFS Lifecycle Experience provides the above security controls regardless of whether the customer has chosen to host the solution themselves or taken advantage of our IFS Cloud service.

  • Secure through development
    We use industry best practice and external specialist penetration testers to validate the security of our products.

    Using secure coding practices and globally recognized guidelines, such as OWASP Top 10, we ensure the risk of product vulnerabilities are minimized.

    To further validate product security throughout the development lifecycle, we employ external specialist penetration testers. Any potential vulnerabilities are remediated prior to product release.

  • Secure through-life
    We ensure our products remain secure by providing security patches to evolving vulnerabilities.

    Security is not a “one-shot” activity and we continue to test our products after they’ve been released to protect against evolving security threats and any associated vulnerabilities. This includes checking for potential vulnerabilities not just in IFS developed products, but also within third-party products upon which the IFS product is based.

    We provide security patches for any identified vulnerabilities discovered in our products and provide guidance on necessary patches of third-party products not supplied by IFS. IFS Cloud service customers benefit from such patches being applied by IFS as part of the service.

Customer security in the cloud

For customers choosing our IFS Cloud service, IFS take care of routine security activities associated with the IFS products. Starting with a secure deployment environment, we perform day-to-day security housekeeping including backups, security patching and monitoring the solution 24x7.

Our Cloud service is hosted in Microsoft Azure, providing industry leading, enterprise-grade security with the added protection that each solution is single tenant, thereby holding it completely isolated from other customer solutions. In addition to providing an extra layer of security, this enables greater flexibility and control for our customers who are able to align routine maintenance and upgrade activities with their own business schedules.

Additional to the security testing performed throughout the product development lifecycle, IFS Cloud service customers have the benefit of knowing that their solution resides in an environment that has been extensively penetration tested by an independent security specialist organization. 


Explore IFS Cloud service information security

  • Implementing industry best practice
    We implement industry recognized best practice as part of our cloud service delivery.

    By choosing our IFS Cloud service, customers have the advantage of knowing that Cloud security best practices are being implemented for them, including:

    • Secure, fully segregated single-tenant architecture to ensure separation between customer environments
    • Data encryption both at rest and in transit
    • Virus and malware protection
    • 24x7x365 Monitoring, Detection and Remediation services using advanced, enterprise grade toolsets operated by experienced practitioners
    • Platform-level DDoS detection and protection
    • Multi-level backups with geographically separated backup storage and multi-level restoration capability
    • Disaster recovery capability to a geographically separate location
  • Penetration testing by external specialists
    We perform regular penetration tests of our services so our IFS Cloud service customers don’t have to.

    We engage an independent 3rd party specialist organization to run regular security penetration tests against our Cloud Service in addition to security testing performed earlier in the product lifecycle. These tests cover all software versions current at the time of testing and include all IFS core product modules.

    Testing takes place from the internet towards a dedicated, production-grade environment, which is built and maintained using the same architecture, design standards, tooling and processes as all customer environments run by IFS in our cloud.

    A formal report is compiled as an output of this testing process, detailing any issues found and assigning an associated risk rating, based on the industry standard CVSSv2 scoring system. Any issues identified are fully analyzed and mitigation and remediation plans produced and implemented. The summary of findings and remediations is available to all IFS Cloud customers upon request.

  • Recognizing customer-specific security needs
    We offer choice to enable customers to meet their specific requirements.

    Customers with data residency requirements can select from a number of supported geographies. This determines the physical location from which the service will be hosted, and by implication the physical location within which their data will be stored and processed.

Service Controls


Keeping your data private

We understand the importance of being transparent when it comes to the use of your data, including personal data. We maintain a global privacy programme and our global policies and process are compliant with applicable laws and regulations including the General Data Protection Regulation (GDPR).

Depending on the service we provide, we may act as a data processor, sub-processor or data controller. Each customer contract incorporates a data processing addendum which sets out clearly how we process personal data.


Our commitment to data privacy includes ongoing staff training, comprehensive privacy policies and procedures and an active compliance program overseen by our Global Privacy Officer. We keep up to date with the latest changes in data privacy laws and regulations and adapt our privacy program accordingly.

  • Privacy program
    We operate a comprehensive global privacy program, ensuring compliance with a broad array of laws across the globe.

    To ensure we maintain a robust set of policies, practices and procedures, we complement the data privacy expertise of our internal team with the outside perspective of external data protection specialists. This also separates the first and second lines of defense effectively, in accordance with best practice.

    We build security into every product, no matter how it’s hosted. This all begins with our secure product development processes, which ensure our products are designed with security in mind and configured to provide security by default.

  • Ensuring safe transfers post Schrems II
    Through our supplier management process, we ensure all partners and suppliers consistently meet high standards for business ethics, information security and privacy.

    At IFS, we monitor supplier performance diligently, ensuring all contractual, quality, and information security requirements are complied with. This includes agreements we have in place to audit supplier security processes and practices. Through our global privacy program, we ensure compliant data transfers from the EEA to sub-processors (including IFS Affiliates) in other countries. We have implemented a range of standard contractual clauses and other lawful transfer mechanisms with each sub-processor and ensure that suitable technical and organizational measures are in place to safeguard our customers’ data.

  • IFS data processing and transfer agreement
    We help our customers meet their data privacy obligations relating to our products and services by providing template agreements.

    We supply a pre-signed Data Processing Addendum that covers IFS processing of customer-controlled data in accordance with data privacy regulations. This includes a description of all processing performed by IFS while executing the services defined in our customer agreements. Data privacy regulations covered include the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA). We also supply a Standard Contractual Clauses only addendum.

back to top back to top Back to Top