We occasionally get asked generic security questions related to our hosted/SaaS provision. To speed up the process of answering these, we have taken a selection of the typical questions that we are asked and posted them below.

This should be viewed in conjunction with our Company Policy Statements page, which has more detailed information on specific areas.

Basic System Overview

We have produced a support page that covers, in broad terms, the architecture and flow of the SaaS system. This isn't a 'deep dive' into technology, but should give a good overview of the principles in play. The page also takes you through a basic User Journey of the system - Click here to view. For a slightly more technical description of the operation, click here.

Data Centre

Is the data encrypted at rest? Yes, all data is stored on an encrypted storage device(s) and replicated to another encrypted storage device (HPE Nimble storage device encryption)
Where is the primary data centre? Our primary data centre is managed by Equinix; details can be found here
Secure data deletion: Data can be purged within the application or by PAS on request. As standard, data is retained until the end of the then current tax year for legislative reasons
Data centre hardware: All hardware is owned and maintained by PAS specifically for this provision
Data centre compliance: All data centres in use are ISO 27001 accredited - Click here to access the data centre information
Data centre tenancy: Customer data is stored on shared storage devices (HPE Nimble devices)
Data centre location (country): Data centres are UK based and no data is ever transferred outside of the UK
Data centre providers: Prime and redundant facilities are with different suppliers - Equinix & ioMart
Is the data encrypted in transit? Yes, all communications to and from the data centre are conducted under an HTTPS/TLS connection
Data segregation: All customer data is segregated based on unique serial numbers, Active Directory and NTFS permissions
Data centre access: Data centres are access controlled - only pre-authorised visitors are allowed access and need to present ID (passport/driving licence) to gain access. Data centres all have CCTV and 24 hour supervision
Data centre security: All data centres are covered with secure access, CCTV and authorised-only access


Is there 2FA (two factor authorisation) support? Yes - please see the guide here. This can be set up for any account - please contact support@p11dorganiser.co.uk for more information
System Access by PAS Ltd: Only the specific customer has access to their data. Any access by PAS would require management clearance and customer authorisation
API integrated services: All software and services in use are created and administered by PAS only
Penetration testing: Penetration tests are conducted on a regular basis, and customers are encouraged to commission their own tests if required. As our reports also detail internal data security elements, these reports are not available to customers/prospects, although the latest summary sheet can be accessed here.
Business continuity: PAS has a formal Business Continuity plan that is tested at regular intervals - Business Continuity Management
Segregation of duty: Access to client data is only permitted via management and customer request
Data Backup: Data is both replicated and backed-up. Customers can request a restore of specific data (charges may apply)
Subcontractors: No subcontractors are involved in the provision of the service
Data control: No customer data is used for any other purposes
Data subject rights: Individuals can't request data deletion directly, only via their business entity
Secure coding: PAS work to a secure coding practice
Server updates: PAS work to a published update schedule to ensure all servers are fully patched.
ICO Registration: Our ICO registration is Z2118265
System diagram/description: System schematic is available here
Hosted P11D Organiser SLA: See support article: Hosted P11D Organiser Uptime SLA
Performance and uptime: Please see published document
Outgoing mail encryption: All outgoing mail from the hosted P11D Organiser is TLS encrypted
Data deletion policy: Please see our Data Handling and Disposal of Sensitive Data documents
Development access to live environment: The development team DO NOT have access to the live environment outside of specific maintenance windows
Customer specified encryption: Customers can't request a specific encryption to be used on their storage
Information security policy: Please see published policy
Policy reviews: All company policies are reviewed at least on an annual basis
GDPR: All PAS Ltd terms & conditions contain relevant clauses for GDPR - click here to see the current hosted terms and conditions
How is email sent? Emails from the SaaS solution are sent via the PAS Ltd SMTP server located in our data centre. To ensure there are no issues with 'spoofing', all emails are sent from "donotreply@myp11d.com".
How is data transferred within the system? See this document that describes the workflow process
What are the password requirements for the site? We supply a standard set of password requirements and enforcement (as below); however, these can be adjusted on a per-customer basis:
  • Minimum password length of 7 Characters
  • Maximum password length of 32 Characters
  • 30 Days before password expiry
  • A maximum of 5 invalid password attempts
  • No reuse of the previous 5 passwords
  • Passwords must include special characters
  • Passwords must be mixed case
  • Passwords must include numeric values


What is the main address/URL? https://www.myp11d.com - we would suggest that IT teams ensure *.myp11d.com (wildcard) is allowed on firewalls to ensure connectivity
What port does it communicate over? 443
Other information: If you are running ZScaler, you may need to add the SSL exceptions: p11d.co and *.myp11d.com

Company Specific

Do PAS Ltd have employers' / product / public / professional / cyber indemnity insurance? Please see our Insurances Page for details.

Yes, we are covered for the following amounts:
  • Employers' - £10m
  • Public - £5m
  • Product - £5m
  • Professional - £1m
  • Cyber - £2m
Non Disclosure Agreements: All employees are required to sign a non-disclosure agreement when commencing employment
Training & awareness: All staff are required to complete annual training in security and data management/handling
Pre-employment screening: All staff are run through a third party pre-employment screening process
Do PAS Ltd have a Business Continuity Plan? Yes, it is available here
Is PAS Ltd ISO 27001 accredited? Both data centres that we use are ISO 27001 accredited - please see this site regarding our main Manchester data centre, and here for the certification.