General information about our company, our registrations and our data protection officer contact.
DropTo (formerly Connect Mix Share) is a product of AM Data Limited. Registered in England and Wales. Company number: 12914020
AM Data Ltd is registered with the Information Commissioner’s Office (ICO). Registration number: ZB037387. All data protection officer enquiries to [email protected]
AM Data Ltd is certified to Cyber Essentials Plus and complies with the requirements of the scheme. Certificate ID: c443d5ab-da83-41ab-af32-b484c1172d81
DropTo completed an independent, CREST-accredited penetration test in November 2025. There are no outstanding findings at any severity level requiring remediation.
Our core application and database infrastructure is hosted in a London, UK data centre with SOC 1 Type II, SOC 2 Type II, ISO 27001 and PCI-DSS certifications.
Biometric, proximity card, and/or personal identification number (PIN) reader systems are used to restrict data centre access. Hardware is monitored, destruction is certified and policies are documented.
Our servers are highly configured at deployment for their specific role. All default access is removed, automatic updates are enabled and servers are actively monitored by trusted server management solutions.
We use a Virtual Private Cloud (VPC) to secure traffic between internal resources and isolate them from the public internet. Public access is limited to only essential services and routed through a firewall.
Our managed databases provide automated failover and highly scalable services. They are regularly updated, patched and monitored. Data is encrypted in transit using TLS and encrypted at rest using disk-level encryption.
Resources are virtualised to ensure scalability, flexibility and high availability. Rigorous permission protocols, device configurations, and comprehensive data isolation are integral components.
Access to infrastructure resources and controls is limited and protected by SSH keys, firewall policies, multi-factor authentication and layered permissions. Access is logged and monitored.
Key resources are monitored 24/7 for performance, availability and security. We use a combination of automated and manual monitoring to ensure our systems are always available.
All data stored within our managed databases are automatically backed up daily, encrypted and stored off-site. Backups are tested regularly to ensure data integrity.
The security of your data is our top priority. We've integrated leading industry-standard security measures directly into our development processes. With these robust safeguards, you can confidently rely on our platform's security.
We employ email-password authentication combined with optional two-factor authentication. Email addresses must be verified, and passwords are hashed and salted. Security-relevant authentication events are logged and monitored.
Each customer has a dedicated database for their chosen data. Only the data selected by the customer is transferred and stored. Furthermore, data transfer jobs run in isolation.
Credentials provided for external data sources are encrypted using OpenSSL with AES-256 at the application layer and further encrypted at the database level.
We protect at multiple levels against threats like DDoS, XSS, and SQL Injections with a robust WAF and CSP. All traffic runs strictly over HTTPS, ensuring secure interactions.
Our code is tracked and reviewed via a version control system. Combining automated and manual testing, we ensure our code remains secure and stable.
Through multiple layers of error logging and performance monitoring, we detect anomalies promptly, enabling swift identification and resolution of issues.
Automatic updates and reviews of our server services, core frameworks, and code dependencies help us maintain supported, patched versions.
Access to our administrative interface is restricted to authorised individuals and safeguarded with strong passwords, keys, and two-factor authentication.
We regularly perform over 18,000 checks and tests on our infrastructure and web applications to guard against known and emerging vulnerabilities.
We scan our servers, development software, network monitoring, networking systems and content management systems for well-known weaknesses.
We check for multiple OWASP Top Ten issues, SQL injection, cross-site scripting, XML external entity injection, local/remote file inclusions, web server misconfigurations, directory/path traversal, and more.
We check for publicly exposed databases, administrative interfaces, sensitive services and network monitoring software that could be used to gain access to our systems.
We check for any private information that should not be exposed to the public, such as local directory path information and internal IP addresses.
We look for weaknesses in SSL/TLS implementations, such as Heartbleed, CRIME, BEAST and ROBOT, weak encryption ciphers and protocols, SSL misconfigurations, unencrypted services and more.
We check for VPN configuration weaknesses, exposed git repositories, unsupported operating systems, open mail relays, DNS servers allowing zone transfer and more.
We are committed to protecting the privacy of our customers and their clients. Our shared responsibilities are important to us, and we are here to help you meet your GDPR obligations.
The (UK) GDPR and Data Protection Act 2018 (DPA18) set out the rules that apply to handling personal data in a fair and lawful way. We are committed to complying with the law and helping you to comply too.
Data we handle and store for customer work is hosted on infrastructure supported by appropriate technical, organisational and contractual safeguards.
As the ‘Controller’ of personal data about individuals, you are responsible for working with ‘Processors’ that protect that data properly. ‘Processors’ are organisations that provide a service involving personal data that you control.
We process customer personal data as a processor on your behalf, in accordance with our Terms of Service and your use of our services.
Our policies are designed to ensure transparency, security, and responsibility when using our services. They underscore our commitment to protecting user data and setting clear expectations for our users.
Our privacy policy on the data we control and how we process it can be found here: Privacy Policy
Our Terms of Service, including our customers’ responsibilities, can be found here: Terms of Service
We use the third-party subprocessors listed below to provide our services. We require appropriate data protection terms and security measures from each subprocessor.
DigitalOcean is our cloud infrastructure provider. All services are located in their London (UK) data centre and are used to host our web services and database. Further information about DigitalOcean’s security can be found here
SendGrid is used to send emails from our systems and used by our optional Survey service. Further information about SendGrid’s security can be found here
Mailgun is used to send emails from our systems and used by our optional Survey service. Data is processed in the EU. Further information about Mailgun’s security can be found here
Intercom is used to provide support and communication services to our users. We use Intercom’s EU hosting to meet our GDPR requirements. Further information about Intercom’s security can be found here