Our Approach to Security
At InCrowd, protecting customer information is our priority. A risk-driven Information Security & Data Protection Programme has been established to ensure that measures are in place to safeguard data and maintain secure, resilient products.
We acknowledge that cyber threats change rapidly, with situational awareness and continuous improvement being key to supporting our posture. Information Security has management-level commitment and dedicated resources.
InCrowd processes personal data in many of its products, and such services are a core component of our offering. We recognise this data is a prime target for attack, and regularly review policies and controls to ensure we comply with Data Protection obligations. A Data Processing Agreement is included in our Terms and Conditions. You can find our Privacy Notice at: https://www.incrowdsports.com/privacy-notice
The systems involved in the build and development of InCrowd services are certified to Cyber Essentials Plus, with the most recent external audit taking place in April 2025.
Frequently asked questions
Do you have security policies in place?
- Information Security Policies, including Acceptable Use and Data Protection, are in place and shared with staff. Policies are reviewed at a minimum on a yearly basis.
Are Information Security roles & responsibilities assigned?
- A Senior Risk Owner for the enterprise has been assigned, alongside trained staff supporting governance, compliance, application and operations security responsibilities. Regular governance meetings are held to monitor effectiveness of our programme.
Do you assess and monitor your key 3rd party suppliers?
- Key suppliers are tracked and are reviewed throughout the year.
- New suppliers are onboarded following a risk assessment, including a Data Protection Impact where appropriate.
Are plans in place to respond to security incidents?
- A comprehensive Incident Response Plan is in place, with supporting playbooks for more detailed activities. A cross-business response team is responsible for managing any major incident.
Do you have a process in place to manage user accounts and access to resources?
- Joiner and Leaver activities are tracked and authorised via our ticketing system, with leavers' access being promptly removed at the end of employment. An access review takes place as a compensating control to reduce the likelihood of anything falling through the gaps.
- Role-based access control is applied in respect of access to resources, with privileged rights being restricted to only those with a business justification to require them.
- Personal Data for both Customers and their users is only accessible by InCrowd staff whose roles require access to that data to perform their job duties.
Do your Employee contracts include non-disclosure agreements?
- All employees are subject to a contract of employment and staff handbook with requirements regarding compliance with non-disclosure and internal policies. All employees are subject to a probationary period, during which an onboarding process is carried out.
Do you provide Information security awareness and training to employees?
- All staff complete mandatory yearly data protection training.
- Guidance is provided on security topics such as remote working, social engineering and handling Subject Access Requests.
- Regular reminders are provided to employees throughout the year on pertinent security news and emerging threats.
- Employees are advised how to report security concerns.
How do you protect user endpoints?
- User endpoints are fully managed, with vulnerability scanning, anti-malware agents and event monitoring.
- Modern Anti-Malware controls are in use, with any detection alerts sent to our Security Operations function.
- Devices have full disk encryption, USB storage devices are restricted, and screen lock timeouts enabled.
Do you use multi-factor authentication (MFA)?
- MFA is used extensively in key services, and is in place for all remote access.
How do you manage technical vulnerabilities?
- Regular vulnerability scanning takes place throughout the technology stack.
- Vulnerability tickets are assigned to respective teams to address within the parameters directed in our standards.
- All 3rd party software must be under vendor support, including the release of security updates.
- We subscribe to vulnerability disclosure alert lists.
Do you purge data securely at the end of a customer engagement?
- We will delete or destroy such data immediately once 30 days have passed following termination. Within that 30-day period, a customer may request the return of that data in a common readable format.
Do you segregate data between your customers?
- Data is logically separated by tenant.
Is data backed up?
- Customer databases are backed up.
- Scheduled restore testing takes place to verify integrity.
Do you monitor for security?
- Protection against malware
Do you encrypt data?
- Data is encrypted within database instances at rest.
- TLS encryption is used for data in transit.
- User endpoints have full disk encryption.
Do you separate development, test and production environments?
- Data is encrypted within AWS RDS instances at rest. TLS encryption is used for data in transit.
How do you secure data centers?
- Data is encrypted within AWS RDS instances at rest. TLS encryption is used for data in transit.
- Monitoring
- HVAC, Power
Do you dispose of hardware securely?
- At the end of its life, all hardware is disposed of in line with our disposal standard, requiring secure overwriting or destruction, ensuring no data is recoverable.
How do I report a security concern?
- You can contact compliance@incrowdsports.com