Trust Guide


We take security seriously, our success depends on it.

We need to make sure your data is secure, and protecting it is one of our most important responsibilities. We’re committed to being transparent about our security practices and helping you understand our approach. We understand you may have some questions, so we've highlighted some of the answers below.


Whilst we have a team of people working on network security and someone solely responsible for driving forward compliance, our culture means that when it comes to security - everyone here at Assemble plays a part. We ensure everyone understands and adheres to our strict Information Security Policy. Before gaining access to Assemble, all workers must agree to confidentiality terms, pass a background screening, and attend security training.


Assemble holds an ISO 27001:2013 certification. The internationally recognised information security standard certificate - assessed by BSI - ensures the appropriate controls and policies are in place to safeguard data. Our practices also ensure compliance with the information security and privacy elements expressed in the EU General Data Protection Regulations (GDPR).

Assemble currently complies with a range of other requirements, policies and controls, including Cyber Essentials. Cyber Essentials is a Government-backed and industry supported scheme that helps businesses to protect themselves against the ever growing threat of cyber attacks.

We’re also a proud G-Cloud 12 supplier to the government via The Digital Marketplace. This framework lists trusted providers of technology for digital projects in the public sector.

We are registered with the information commissioner (ico) under registration number Z9806829.


All of our services run in the cloud. Our operations run on hosted Amazon Web Services (AWS) facilities in Ireland, Europe.

All of our servers are within our own virtual private cloud (VPC) with network access control lists (ACL’s) that prevent unauthorised requests getting to our internal network.

Physical Security

Our infrastructure runs inside data centres designed and operated by Amazon Web Services (AWS). AWS data centres feature state of the art environmental security controls to safeguard against fires, power loss, and adverse weather conditions. Physical access to these facilities is highly restricted and they are monitored by professional security personnel.


All customer data is stored in the EU.

By default, customer data is stored in multi-tenant datastores for speed. Strict privacy controls exist in our application to ensure data privacy and prevent one customer from accessing another customers data. Tests are in place to ensure these privacy controls work as expected. If preferred, the option does exist for Enterprise customers to have individual dedicated resource pods.

Authentication & Access control

Assemble is 100% served over a https connection, and our application implements zero-trust policies for all network requests.


Encryption keeps your data private while in transit. Providing a higher level of security and privacy to our service. We protect this data with multiple layers of security, including leading encryption technology like HTTPS and Transport Layer Security.

Your controls

Our custom permissions give you control over users who have Assemble access, allowing you to keep data separated and permissions restricted. With privacy, visibility and sharing settings, users can manage the level of access so sensitive information remains private.

We offer two-factor authentication for logins - the optional but highly recommended security feature adds an extra layer of protection to user accounts. Two-factor authentication requires users to input a six-digit security code to sign in or connect a new device.

Internal Security

Assemble requires all employees to use an approved password manager. Password managers generate, store and enter unique and complex passwords. Use of a password manager helps avoid password reuse, phishing, and other behaviours that can reduce security.

All workstations are to be properly configured, kept updated, run monitoring software, and be tracked by Assemble’s endpoint management solution. Assemble sets up workstations to encrypt data, have strong passwords, and lock when idle. Workstations run up-to-date monitoring software to report potential malware and unauthorised software.

Application Health

We use multiple monitoring services to check the health and uptime of our application, storing historical logs for application performance and error details. We regularly audit access to all key services.

We’re proud to maintain an excellent uptime record, and you can view our current status below:

System Status >

Penetration testing

Assemble and its supporting infrastructure is frequently reviewed for potentially harmful vulnerabilities. We use industry-recognised, third-party security specialists who hold CREST and CHECK and credentials, enterprise-class security solutions, and custom in-house tools to regularly analyse the application and production infrastructure to ensure that any vulnerabilities are identified and swiftly mitigated. Results of these tests are shared with Assemble management. Assemble’s Security Team reviews and prioritizes the reported findings and tracks them to resolution.

Threat detection

Our team are always watching. We continuously monitor our services and underlying infrastructure to protect them from threats, including spam, malware, viruses and other forms of malicious code.

Disaster recovery

Our Disaster Recovery (DR) program ensures that our services remain available or are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and regular testing. We take a risk and impact based approach with continual improvement.


Take the first step

The volunteer journey starts here. Ease the role of management, strengthen volunteer relationships.

Watch 4-minute demo