How we secure your information, who can access it, and the rights you have over it. Plain English. Specific. No vague reassurances.
All data in transit is protected with TLS 1.3 and AES-256 encryption. Data at rest is encrypted in our UK and EU data centres using AES-256 with hardware-managed keys.
Your data is stored exclusively in the United Kingdom and European Economic Area, in facilities certified to ISO 27001 and ISO 27018. We do not transfer personal data to third countries without appropriate safeguards.
Every customer account is protected by two-factor authentication. We support SMS, authenticator apps, and FIDO2 hardware keys. Sign-in attempts from new devices trigger an additional verification step.
Our systems are monitored 24/7 by our internal security operations team and an external incident response partner. Unusual activity is flagged for review within minutes, and customers are notified of any account-impacting event.
Access to customer data is restricted to staff whose role explicitly requires it. All access is logged and reviewed monthly. Least-privilege principles apply — relationship managers see only the customers assigned to them.
Our information security controls are audited annually under ISO 27001. We commission penetration testing twice a year by an independent CREST-certified firm. The summary of findings is published in our annual report.
Under UK GDPR, you have specific rights over your personal data. Here is what each one means in practice — and how to exercise it with us.
You can ask us at any time what data we hold about you, why we hold it, who we share it with, and how long we keep it. Our full Privacy Notice is available in your customer area; a summary version is sent with every loan offer.
You can request a complete copy of the personal data we hold about you, free of charge, in a portable format. We respond within one calendar month, often sooner.
If anything we hold about you is inaccurate or incomplete, you can correct it directly via your dashboard, or by contacting us. We update affected systems and notify any third parties (e.g. credit bureaus) where appropriate.
You can ask us to delete your personal data, subject to our regulatory obligations to retain certain records (typically 6 years for closed accounts). We will explain what we can and cannot delete, and confirm what action we have taken.
If you contest the accuracy of data, or believe processing is unlawful, you can ask us to pause processing while we investigate. You retain access; we simply stop further actions until the matter is resolved.
You can ask us to export your data in a machine-readable format (JSON or CSV) and, where technically feasible, to transmit it directly to another regulated provider of your choice.
You can object to specific uses of your data — particularly direct marketing (which we don't conduct via shared lists) and automated decision-making (which we don't use for credit decisions). We honour all valid objections.
Our Data Protection Officer is reachable directly at dpo@asafl.co.uk and aims to respond within 5 working days. You also have the right to complain to the Information Commissioner's Office.