Question 1

Where are your services hosted?

Accepted Answer

All our SaaS solutions run in Microsoft Azure's Northern Europe region (Ireland). This is a multi-availability zone region, which means at least three independent data centres with separate power, cooling, and networking. If a disaster occurs, we can restore services to the paired West Europe region (Netherlands).

Question 2

How do you ensure resilience and avoid single points of failure?

Accepted Answer

We design all production systems to avoid single points of failure. Virtual machines and Kubernetes nodes are deployed across multiple availability zones, and PaaS services such as Azure SQL are configured in multi-zone mode. Data is continuously replicated, and automated backups can be restored cross-region if needed.

Question 3

What network protections do you use?

Accepted Answer

Every client-facing service is protected by: Web Application Firewalls configured against the OWASP 3.1 rule set. Strict Virtual Network separation of application and data layers. DDOS protection at the perimeter and inside VNets. IDS/IPS via Azure Defender for Cloud with advanced threat detection.

Question 4

How do you handle encryption?

Accepted Answer

We enforce encryption everywhere: In transit: TLS 1.2 or higher. At rest: AES-256 for all data and backups. Keys are securely managed and rotated to protect against compromise.

Question 5

How do you manage updates and vulnerabilities?

Accepted Answer

All virtual machines are enrolled in Azure’s automated patch management system. Updates are rolled out weekly across test, then production. On-demand patching is available for urgent fixes. We also run continuous vulnerability assessments via Azure Security Center, which monitors compute, storage, network, and databases — alerting us to anomalies in real time.

Question 6

What kind of monitoring and logging do you have in place?

Accepted Answer

All infrastructure and services are enrolled into Azure Log Analytics and Azure Monitor. Administrative activity is logged, alerts are generated on suspicious behaviour, and logs are retained for 365 days. This provides full visibility for detection and forensic analysis.

Question 7

Do you follow hardening standards?

Accepted Answer

Yes. All systems are hardened against CIS benchmarks (Azure CIS 1.1.0), ISO 27001, and SOC TSP. Configuration drift is prevented using Active Directory Group Policy and Azure Desired State Configuration.

Question 8

How do you manage privileged access?

Accepted Answer

Access to production systems is tightly controlled. Requirements include: Authentication via Azure Active Directory. Role-based authorisation. Multi-factor authentication. Cappfinity-owned devices on trusted networks. Just-in-time / time-limited access to test and production environments.

Question 9

What about backups and disaster recovery?

Accepted Answer

Backups: Transactions every 10 minutes, daily differential, weekly full backups. Retained for 35 days and encrypted with AES-256. DR Objectives: Recovery Time Objective (RTO) 24 hours, Recovery Point Objective (RPO) 15 minutes. Testing: Automated monthly database restores plus annual full disaster recovery simulations.

Question 10

Do you test your applications against real-world attacks?

Accepted Answer

Yes. All client-facing applications undergo annual third-party penetration testing, or earlier if a major architecture change occurs. Findings are logged, risk-assessed, and addressed by the engineering team. These reports are available for you in the Trust Centre. Web Application Firewalls protect the services up to layer 7.

Question 11

How do you ensure scalability and performance?

Accepted Answer

We continuously track capacity for compute, storage, and networking. Alerts trigger at 80% utilisation or when Azure's learning algorithms detect anomalies. This allows us to scale proactively and maintain performance for you.

Question 12

How often are your security standards reviewed?

Accepted Answer

Architecture and network diagrams are kept current and reviewed on an ongoing basis. Disaster Recovery impact analyses are performed every 6 months. Disaster Recovery tests run annually on a rolling basis. Security standards are embedded in our DevOps pipeline to ensure all new infrastructure complies automatically.

Question 13

Do you use subprocessors?

Accepted Answer

Yes, like all modern technology stacks, Cappfinity uses subprocessors to support our technology services with best-in-class solutions from other market-leading providers. All subprocessors meet stringent information security and data protection controls. The list of Cappfinity subprocessors is maintained here.

Question 14

What is Infrastructure as Code (IaC) and why does it matter?

Accepted Answer

IaC means our entire infrastructure — servers, networks, databases, and security policies — is defined and managed in code. This allows us to deploy, configure, and scale systems consistently and automatically, without manual intervention. For you, this means greater reliability.

Question 15

How does IaC improve security?

Accepted Answer

By codifying infrastructure and policies, security standards are enforced automatically during every deployment. This removes the risk of “human error” misconfigurations, ensures encryption, firewalls, and controls are always in place, and provides a clear audit trail for compliance.

Question 16

How does IaC reduce risk of downtime?

Accepted Answer

Infrastructure is version-controlled, tested, and repeatable. If something fails, we can redeploy a known-good configuration in minutes. This eliminates configuration drift and ensures disaster recovery steps are reliable and predictable.

Question 17

What does IaC mean for scalability?

Accepted Answer

Because everything is defined in code, we can scale resources up or down automatically based on demand. This means you get the performance you need during peak periods.

Question 18

Do you use AI in your products and services?

Accepted Answer

Cappfinity offers the optional use of AI in products and services on a case-by-case basis as is appropriate for client requirements. As a general principle, we support using AI for process efficiency but are wary of the implications of using AI for decision making, particularly given the ‘high risk’ categorisation and resulting requirements of EU Artificial Intelligence Act.

Question 19

Do you use statistical algorithms in your products and services?

Accepted Answer

Yes, Cappfinity uses and has used statistical algorithms in our products and services for many years. These statistical algorithms ensure the consistent, reliable, repeatable scoring of online assessments at scale and without bias. These statistical algorithms are the automated processing of statistical calculations that can be overseen and reviewed by a human being (thus meeting the requirements of Article 22 of GDPR); they are not machine learning whereby the outputs can change depending on the evolution of the algorithm as it learns from its inputs. This ensures a consistent, reliable and comparable scoring outcome for all users.

Question 20

Can Cappfinity clients choose whether or not AI is used in their products and services?

Accepted Answer

Yes, Cappfinity products and services, where relevant, include optional AI. Clients are able to determine, on a case-by-case basis, whether they wish to use AI in their process, depending on the client's own internal compliance and risk processes.

Question 21

What are the types of products and services where Cappfinity may use AI?

Accepted Answer

AI use cases within Cappfinity products and services include predominantly data processing and process efficiency. Data processing may use AI models in relation to detecting patterns of user behaviour and anomalous behaviour detection. Data processing may also include determining insights from benchmarking and comparisons across internal and external datasets. Process efficiency may include automating progression through the stages of a process or flagging a potential data set for human review or further investigation. This may also include the use of avatars to support candidates with questions through the assessment process. Any Cappfinity use of AI is always subject to human review, determination and intervention wherever needed.

Question 22

Are you compliant with VPAT and WCAG 2.2 AA / AAA requirements?

Accepted Answer

Yes. Cappfinity assessments are accessible by design, supported by external independent audits from partners including Lexxic and the Digital Accessibility Centre. We have independent, external VPAT (Voluntary Product Accessibility Template) completion, and work extensively with clients to meet their needs for WCAG 2.2 AA / AAA compliance as is appropriate within the context of our assessments.

Question 23

Do you use external expertise for disability audits and advice?

Accepted Answer

Yes, Cappfinity works with disability specialists, the Digital Accessibility Centre, to provide independent, external audits of our assessments and solutions - audited by people with disabilities to deliver their first-hand experience, feedback and recommendations.

Question 24

Do you use external expertise for neurodiversity audits and advice?

Accepted Answer

Yes, Cappfinity works with neurodiversity experts, Lexxic, to provide independent, external audits of our assessments and solutions – audited by people with neurodiverse conditions to deliver their first-hand experience, feedback and recommendations.

Question 25

How do you support assistive technologies, including screen readers, keyboard navigation, and dictation?

Accepted Answer

Cappfinity designs for compatibility with assistive technologies wherever possible, including screen readers, keyboard navigation and the use of dictation software.

Question 26

How do you ensure visual design is assessed for usability and legibility?

Accepted Answer

Cappfinity designs for enhanced layouts to provide clear information hierarchies, improved proximity of related actions, and the progressive disclosure of information as people move through the user experience.

Question 27

How do you ensure the clarity of font and labelling?

Accepted Answer

Cappfinity uses clear and consistent labelling for buttons and navigation elements, with minimum font sizes and accessible font styles.

Question 28

How do you ensure the clear and distinct presentation of information?

Accepted Answer

Cappfinity uses high contrast colours, clear differentiation and strong borders, to ensure that people can easily and naturally distinguish between information types, whether they have a visual impairment, or any variant of colour-blindness, or not.

Question 29

Do you support closed captions text for video and auditory resources?

Accepted Answer

Yes. Cappfinity provides closed captions text and subtitles for video and auditory resources, allowing people to access the content they need to in whatever way is right for them.

Question 30

How do you ensure the accessibility of assessment user interfaces?

Accepted Answer

Cappfinity employs a range of different UIs and user interactions throughout the assessment, to ensure candidates need to remain focused and engaged, and so are unable to access an AI assistant. This has the added benefit of supporting accessibility through being a significant positive for diverse learning styles.

Question 31

How do you use item type variety to support accessibility and inclusion?

Accepted Answer

By intentional design, Cappfinity uses a variety of item response types, to recognize, reward and celebrate the diversity of learning styles that exist in the world. This ensures that every user has the opportunity to resonate with the content being presented to them, and to respond in the best way.

Question 32

Do you employ continuous accessibility testing?

Accepted Answer

Yes. Cappfinity uses Playwright for continuous accessibility testing, to ensure that our products meet web accessibility standards and guidelines wherever appropriate.

Question 33

How do you support the accommodation of Reasonable Adjustments?

Accepted Answer

Cappfinity offers a variety of alternative assessment formats and solutions to accommodate the range of reasonable adjustments that candidates may need, depending on their specific circumstances and requirements. These may include additional time, different response formats, or different assessment formats or modalities. Working with our clients, there is always a solution.

Question 34

Do you use diverse delivery teams to ensure diversity and accessibility are embedded in the core of your solutions?

Accepted Answer

Yes. Cappfinity's assessment, data science, design and engineering teams are all diverse by reference to gender, ethnicity, disability and neurodiversity. Our own first-hand experiences ensure we have empathy.

Question 35

Has Cappfinity been recognised externally for its work in diversity and inclusion?

Accepted Answer

Yes. Cappfinity are proud to have won numerous awards with our clients for diversity and inclusion, from Race for Opportunity, the Institute of Student Employers, Target Jobs and the CIPD.

For Technology Leaders

Cappfinity makes that easy.

Cloud Hosting Protection

Cloud-grade security

Data protection

Access control

Monitoring & response

Resilience

Independent validation

Frequently Asked Questions