Security has always been a priority for businesses, but the importance of ensuring that systems and data remain secure has never been more critical. The impacts of cybercrime are estimated to cost $10.5 trillion annually, with the average data breach costing businesses $4.4 million – and reputational impacts can be incalculable. With 2.12 million data records confirmed to have been breached in one month alone in 2025, firms must take every step to ensure both data and systems are secured.
Global Relay understands the increasing importance of security, and that firms need assurance from partners and providers that they prioritize data and system security. Below, we’ve broken down the due diligence steps we conduct and addressed the most frequently asked questions from potential partners.
What procedures and controls are in place to enable prompt detection and response to security incidents?
Our approach to security begins at the foundational level, starting with employee training and clearly outlined procedures. In case of a security incident, our employees are trained to report it to the Cyber Security Operations Center (CSOC), which then assesses, classifies, and escalates it to the Information Security Response Team (ISIRT). The Information Security Response Team is comprised of the CSOC, Chief Information Security Officer (CISO), Director of Technology, Director of IT Infrastructure, and Executive Board.
The incident response process is as follows:
- Identification and detection of information system security incidents.
- Assessment of the severity level of the information security incident.
- Management of the incident and application of the escalation process.
- Recovery or restoration of the information system to normal operations.
- Closing of the information security incident.
Are there any dependencies on critical third-party service providers?
Something we pride ourselves on is that we do not utilize subcontractors or sub-processors. This allows Global Relay greater control over operations, and enhanced security, as it minimizes potential points of failure, ingress, or “weak links” in the supply chain.
Who can access customer data and metadata and under what circumstances?
All data held by Global Relay is uniformly classified as confidential, and our employees do not generally access archived data to provide services. Confidentiality and data protection are paramount to our ethos and operating practices; therefore, data is only accessed when it is:
- Necessary to conduct troubleshooting or provide requested support.
- Approved in writing by an authorized customer representative for every instance.
- Logged and monitored.
Are audit logs reviewed on a regular basis for security events?
In short, yes.
Firewalls, network devices, production servers, corporate directories, intrusion detection/prevention systems, and other systems are configured to send logs to a central logging system. A Security Information and Event Management (SIEM) application, which is monitored by the CSOC, handles log aggregation, correlation, and alerts.
Does Global Relay conduct risk assessments associated with data governance requirements?
Yes, and the risk assessment program complies with ISO 27001 requirements, which include risk registering, scoring, ownership, and treatment. In terms of risk management, we continually identify and track existing and emerging risks and launch software to document and manage risks for each product release.
Do you conduct network penetration tests of your cloud service infrastructure regularly as prescribed by industry best practice and guidance?
Global Relay employs an independent auditor to conduct annual penetration tests on our internet-facing systems and applications. Internal security testers run penetration tests on software release candidates.
Is there a physical security program?
Yes, our physical security controls include security patrols, key card and biometric access systems, dedicated cages and server rooms, and visitor procedures. Our programs also provide environmental protection, including fire protection, temperature monitoring, and HVAC systems.
Has Global Relay implemented an approved Security Awareness program for all employees, contractors, and engaged third parties that ensures all such stakeholders are kept informed of company Information Security Policy, standards, and processes?
All employees are required to complete mandatory security training. This includes in-depth training around privacy leading, phishing attacks, and secure coding, with a final exam. We provide all employees and partners year-round access to information around security updates and notices.
Is there a patch management program in place?
Patch management refers to the detection of security vulnerabilities and software deployments to correct bugs and improve performance.
Global Relay follows a documented Software Development Life Cycle (SDLC), referring to the essential written material created when building software, along with QA testing and release management procedures, to patch proprietary software. When a vulnerability is classified as critical, it must be patched within 48 hours. For third-party software, we identify available patches through regular scanning and subscriptions to relevant operating system, application, and security announcement lists.
Our Security team reviews weekly vulnerability scan results to address findings, and workstations are patched monthly and as needed to address potential vulnerabilities.
Is the role of Information Security formally documented?
Yes, our information security management system (ISMS) is ISO 27001, and is made up of a security team including the CISO, CSOC, and software security analysts. The ISMS Forum is a cross-functional committee of representatives from our development, operations, customer support, and business teams. The forum provides feedback on security policies and initiatives and reviews security KPIs. It also assists with risk assessment.
To correctly carry out security due diligence at Global Relay, we strive to cover all bases and ensure airtight security practices. We do not turn a blind eye to the continuing increase in data breaches and cloud outages – instead we learn and innovate to produce more secure systems to prevent incursions by malicious actors.
To learn more about our security-first ethos, visit our security strategy page now.