Data Security and Data Storage Overview

Data Security and Data Storage

Insightech is committed to protecting customer data through a security-by-design approach that aligns with industry best practices and recognised assurance frameworks. 

This article outlines how Insightech secures data across the platform, from architecture and hosting through to access controls, compliance, and incident management.

1. Platform Architecture

The Insightech platform is built as a cloud-native Software-as-a-Service (SaaS) solution with security embedded at every layer of the system architecture.

Data is collected through a lightweight tracking implementation on customer websites and securely transmitted to Insightech’s backend services for processing and analysis. The platform is architected with strict logical separation between customer environments to prevent cross-tenant data access.

Key architectural principles include:

• Security by design – security controls are incorporated throughout the software development lifecycle.
• Isolation – customer data is logically isolated to ensure confidentiality between clients.
• Resilience and availability – systems are designed to be highly available, with redundancy and monitoring to support continuity of service.
• Controlled data flow – data collection, processing, and storage are governed by defined policies and monitored controls.

All production infrastructure is hosted in secure cloud environments and protected by network-level controls, logging, and continuous monitoring.

2. Data Storage Locations

Insightech stores customer data in Google Cloud Platform (GCP) data centres.

Data residency can be aligned with customer security, regulatory, or compliance requirements. Where required, customers may request regional data storage options to support local data residency obligations.

Google Cloud data centres provide:

• Physically secure facilities with strict access controls
• Built-in redundancy and fault tolerance
• Industry-leading certifications and compliance standards

Data Storage Location Options Include:

If your preferred data location is not listed, it may still be possible to store data there. If this is the case, please enquire with us to find out.

3. Data Collection and Processing

Insightech collects behavioural and technical data so that it can provide analytics and experience insights across the digital environments. 

Data collection is intentionally limited to what is necessary to provide the services, and is also governed by internal data management policies.

Data processing activities are performed within controlled production environments and follow documented procedures to ensure data accuracy, integrity, and confidentiality.

Customers retain ownership of their data at all times.

4. Data Encryption and Access Controls

How Insightech Encrypts Data

• Data is encrypted in transit using industry-standard encryption protocols.
• Data is encrypted at rest within Insightech’s cloud infrastructure.

Access Controls

Insightech enforces strict access control policies, including:

• Role-Based Access Control (RBAC) to ensure users only have access required for their role
• Principle of least privilege applied across systems and environments
• Multi-Factor Authentication (MFA) for privileged and production access
• Unique user accounts with no shared credentials

Access to customer data is also limited to authorised personnel with a legitimate business need.

5. Data Retention and Deletion

Customer data stored within Insightech is only retained for as long as needed to provide the platform services, and to meet contractual and legal obligations.

When a contract is terminated, or upon customer request (subject to legal requirements), data is securely deleted in line with Insightech’s data retention and disposal policies.

6. Penetration Testing and Security Audits

Insightech undergoes regular security assessments to validate the effectiveness of its controls.

• Independent audits are performed against recognised standards
• Vulnerability management and remediation processes are in place
• Security controls are reviewed as part of ongoing risk management activities

Insightech regularly completes SOC 2 Type II audits covering Security, Availability, and Confidentiality.

8. Incident Management and Disaster Recovery

Insightech maintains a formal incident response plan to ensure security events are identified, assessed, and managed in a timely manner.

Key elements include:

• Defined incident escalation and response procedures
• Logging and monitoring to detect anomalous activity
• Post-incident reviews to drive continuous improvement

Business continuity and disaster recovery plans are in place to support service availability and data protection in the event of a major disruption.

9. Access and Authentication

Authentication mechanisms are designed to protect against unauthorised access and credential compromise.

Controls include:

• Strong password requirements and rotation policies
• Account lockout after repeated failed login attempts
• Timely provisioning and deprovisioning of user access
• Quarterly access reviews for privileged accounts

10. Third-Party Security and Subprocessors

Insightech uses trusted third-party service providers to deliver parts of its service, including cloud hosting.

All third parties are subject to due diligence and ongoing risk assessment. Where applicable, complementary controls are defined to ensure shared responsibility for security and compliance.

If you have additional questions about Insightech’s security practices or require documentation to support your internal reviews, please contact your Insightech representative.