Built for enterprise

The security, resilience, and governance that large financial institutions demand, backed by 30 years of delivery.

CREDENTIALS

Enterprise credentials

14 yrs

Strategic partnership with NFU Mutual

9 yrs

Strategic partnership with Santander

7 yrs

Strategic partnership with Skipton Building Society

15 yrs

Zero unplanned downtime since 2010

ISO 27001

Certified information security

£15m

Continuous platform investment

23

Public API domains, 352 routes documented

23

Microservices, independently scalable on Azure

300k+

End customers served through our clients

Security and compliance

We treat information security as a core product capability, not an afterthought.

ISO 27001:2022 certified

Our information security management system is independently audited and certified to ISO/IEC 27001:2022. We retained the rigorous FTSE-listed processes from our time as part of abrdn, and they continue to govern how we operate. Comprehensive policies cover information security, network and endpoint protection, user and access management, and secure development.

Penetration testing and red team exercises

Independent third-party penetration testing is carried out annually against all production systems, complemented by cyber attack simulations and red team exercises. Findings are remediated on a risk-prioritised basis and tracked to closure.

Continuous monitoring and SOC

Real-time security monitoring across all environments with automated alerting. Our 24/7/365 Security Operations Centre monitors organisational and technical threats around the clock, not just during office hours. Azure Application Insights runs automated health checks across all services, integrations, and APIs, and we actively monitor keys, secrets, and certificates to act before they expire.

Regulatory alignment

Built to support Consumer Duty, MiFID II, and FCA requirements. Our advice engines produce deterministic, auditable outputs that your compliance team can trust.

Encryption and access control

Data is encrypted at rest and in transit across all environments. Enterprise-grade authentication with role-based access control and data loss prevention (DLP) policies. Hierarchy management across offices, teams, and departments ensures data is only visible to authorised users. Client data is strictly separated and never used in non-production testing.

Full audit trail

Every data change and user action is audited. Any data change can trigger a task or workflow, giving your compliance team complete visibility of system activity.

Azure-hosted, API-first architecture

Our platform runs on Microsoft Azure with a shared-service architecture designed for scale and tenant isolation. Every customer has segregated storage with dedicated data partitions; your data never mixes with another tenant's.

Requests route through Azure Front Door to our API Gateway, which handles authentication, security, and token management before dispatching to a cluster of 23 independently scalable microservices. All APIs follow the OpenAPI specification — 23 domains, 352 routes, 633 endpoints — and are automatically documented at docs.focusadvice.tech.

The front-end is a React-based micro-frontend (MFE) architecture, delivered via CDN. You can replace or extend any MFE with your own components, or let our team build custom dashboards optimised for your specific roles and workflows.

Data flows out through webhooks fired on every data change, supporting integration with Power BI, Power Automate, and any system that can consume HTTP events.

Resilience and business continuity

Fifteen years of zero unplanned downtime is not an accident. It is engineered.

Geographically separated data centres

Production workloads run across geographically separated data centres with mirrored infrastructure and automatic failover. A fully capable secondary site is maintained and tested. High-availability infrastructure includes UPS and backup power with layered physical and digital security controls.

Disaster recovery: 2–4 hour RTO

A mature BC/DR framework with defined recovery targets: RTO of 2–4 hours and RPO of 0–15 minutes. Cosmos DB provides continuous backup with point-in-time restore. Blob storage and queues are geo-replicated across regions. Regular scenario testing validates that recovery procedures work, not just that they exist on paper.

Auto-scaling infrastructure

Every microservice runs in auto-scaling App Service plans that respond to demand in real time. You pay for what you use, and the platform scales seamlessly from hundreds to thousands of concurrent users.

Release management

A dedicated Release API manages deployment channels and system updates. Zero-downtime deployments ensure your advisers are never interrupted during a release cycle.

Performance monitoring

Application-level telemetry via Azure Application Insights provides complete observability. Automated health checks run continuously across services, integrations, and APIs. Exception and error monitoring triggers immediate alerts to our support team, not a dashboard someone checks once a day.

Operational support

Defined SLAs with a 99.5% service availability commitment, proactive monitoring, and structured incident management across P1–P4 priorities. Keys, secrets, and certificates are monitored and actioned before expiry. Fifteen years of continuous availability across all production environments.

Tenant isolation and data sovereignty

Every customer tenant has its own segregated storage area with permanent, isolated data partitions. Your client data, configuration, and documents are completely separated from other tenants at the infrastructure level.

Shared configuration across all services provides storage connection strings, while each tenant's data resides in dedicated Cosmos DB containers with auto-scaling throughput. This architecture gives you the cost benefits of a shared platform with the data isolation of a private deployment.

Focus can act as master or slave for each of your key entities. If you want to retain your existing data lake or warehouse, our platform integrates without forcing a rip-and-replace — we flex to suit your architecture, not the other way around.

Governance, privacy and supply chain

Transparent operational controls across data protection, risk management, and third-party oversight.

Data protection and privacy

Registered with the UK Information Commissioner's Office as a Data Processor. We comply with the UK Data Protection Act 2018 and EU GDPR. Policies cover data handling and retention, DSARs, privacy by design, staff training, and breach detection with client notification within 48 hours.

Anti-bribery and conflicts of interest

Policies aligned to the UK Bribery Act 2010 with documented prevention and reporting processes. Regular risk assessment and senior-level oversight ensure we operate with integrity across all client and supplier relationships.

Operational risk management

A formal risk framework including control testing, event escalation, board reporting, and SLA compliance controls. Risks are assessed, tracked, and reported at board level, not buried in a spreadsheet.

Whistleblowing and H&S

A confidential whistleblowing process supporting anonymity and protection for reporters, with root cause analysis. Documented Health & Safety policies with measurable targets and training ensure a safe working environment.

Supply chain management

Stringent controls over subcontractors and suppliers including due diligence, financial monitoring, data breach and incident processes, BC/DR alignment, and audit rights. Key suppliers include Microsoft and ANS Group, all UK-based.

Modern slavery and compliance

Modern Slavery compliance expectations are built into all supplier checks. We monitor leadership representation and implement measures that reflect our commitment to responsible business practices across the supply chain.

Our people and practices

Enterprise technology needs enterprise discipline. Our team operates to the standards you would expect.

Staff screening

All employees undergo background checks, including DBS screening, right-to-work verification, and reference checks. We maintain the same rigorous hiring standards established during our time as a FTSE-listed subsidiary.

Security training

Mandatory information security awareness training for all staff, refreshed annually. Our engineering teams receive additional training on secure development practices, OWASP guidelines, and data handling procedures.

Experienced delivery team

Over 30 years of delivering complex enterprise programmes for some of the UK's largest financial institutions. We have an impressive delivery track record and will recommend phased approaches when it helps ease adoption.

In-house UCD practice

Our user-centred design team follows a research-based iterative design process. They work with real end users — not just business analysts — to ensure the software works for everyone in the value chain.

Agile delivery

We operate in four focused squads with a hub-and-spoke design model. Each squad has embedded design capability, ensuring user needs are considered throughout the development cycle, not bolted on at the end.

Industry recognition

Winners of the Systems in the City "Customer Choice" award for best digital kit. FTRC 5-star rated. Best in Show 2024. Our track record is validated by the industry and by our customers.

Quality assurance and route to live

Every change to the platform follows an automation-first route to live. Our testing pipeline covers acceptance testing, integration testing, UI testing, API testing, and unit testing — all automated wherever possible.

Security scanning tools check code integrity before anything reaches production. Our Gatekeeper framework runs both safe and unsafe tests, covering destructive and non-destructive scenarios, to verify that changes behave correctly under normal conditions and fail safely under abnormal ones.

Twice-weekly Change Advisory Board (CAB) meetings review and approve all changes before they go live. Nothing reaches production without explicit approval from the CAB, giving you confidence that every release has been assessed for risk, impact, and readiness.

This is not a tick-box exercise. It is an engineered quality gate that has contributed to fifteen years of zero unplanned downtime.

AI controls and responsible innovation

We use select AI technologies with appropriate safeguards, and clear boundaries on what we will not do with your data.

Controlled AI adoption

We use select AI technologies including biometrics, computer vision, speech recognition, and virtual agents, each with encryption, access controls, and human oversight. Every AI capability goes through the same rigorous route-to-live process as any platform change.

Bias testing and transparency

AI models are subject to bias testing before deployment. We maintain transparency about where AI is used and how it influences outcomes. Our advice engines remain deterministic — mathematical models, not AI predictions — because regulated financial advice demands explainable, auditable results.

Your data is never used for training

Customer data is never used to train AI models. This is a firm policy, not a configuration option. Your clients' data is used to serve them, nothing else.

Human oversight

AI outputs are subject to human review. We do not deploy autonomous AI decision-making in regulated advice processes. Where AI assists, a human validates, maintaining the accountability chain that regulators and your clients expect.

Environmental and social responsibility

We take our environmental and social responsibilities seriously. 98% of our electricity consumption comes from renewable sources, and we continue to implement measures to reduce energy use and waste across our operations.

We support community initiatives and monitor leadership representation. Modern Slavery compliance expectations are built into all supplier checks, and we actively assess our supply chain for ethical and environmental standards.

These are not statements we make once a year in a report. They are operational commitments reflected in how we procure, how we build, and how we run our business day to day.

Ready to talk enterprise?

We have extensive experience of large-scale collaborative programmes and can refer you to current clients if you would like to speak with them.

Trusted by leading financial institutions

The institutional receipts

A handful of numbers that keep being true at enterprise scale.

Up to 50%

Reduction in adviser journey times

14 yrs

Partnership with NFU Mutual

9 yrs

Partnership with Santander

7 yrs

Partnership with Skipton Building Society

ISO 27001

Certified information security management

10M+

Calculations powered every month