Our Money Exchange Platform Security

At Rally Invest we take the security of your data and money very seriously. We are ISO/IEC 27001:2013 compliant and consistently review and enhance our processes and systems to ensure that we remain secure.

Physical security

Our service operates on Amazon Web Services (AWS), which is certified under a number of global compliance programmes that underline best practices in data centre security.

  • ISO 27001 Information Security Management Controls
  • PCI-DSS Level 1 Payment Card Standards
  • ISO 27018 Personal Data Protection
  • SSAE16/SOC 1, SOC2 and SOC 3
  • FIPS United States Government Security Standards

For the full list of AWS compliance programs see: https://aws.amazon.com/compliance/pci-data-privacy-protection-hipaa-soc-fedramp-faqs/

More information about AWS data centre controls may be found here: https://aws.amazon.com/compliance/data-center/controls/

Network security

We have dedicated systems in place to protect against Distributed Denial of Service (DDoS) attacks as well as man-in-the-middle attacks. We use reputable registrars to protect against domain hijacking and “phishing” attacks.

Our platform undergoes regular penetration testing and has protection in place against common vulnerabilities like code injection attacks and cross-site scripting attacks.


All network traffic is encrypted at the transport level and confidential information is encrypted at rest. We use best practices in terms of encryption key storage and security.

Information security

Our platform and operational security is certified under ISO/IEC 27001:2013, the international best practice standard for Information Security Management Controls, which is independently audited.

We also comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the upcoming European Union General Data Protection Regulation (GDPR).

Strong access control

Our platform provides a role-based, hierarchical security model with two-step authentication and multi-factor authentication for sensitive systems. All access is logged and audited for suspicious behaviour.

Use Rally Invest with confidence

Your money and your data are as important to us as they are to you. Here are some of the things we do to make sure that you can use our services with peace of mind.

Authorized by the FCA

Our backend service is authorized by the Financial Conduct Authority for the issuing of electronic money and the provision of payment services.

Our backend service is registered with FinCEN and is authorized in 22 states to transmit money.

Trusted by more than a million people

Our backend service processes over $1bn a month on behalf of hundreds of thousands of people and companies.


We comply with best practices and regulations pertaining to the management of personal data under the UK Data Protection Act (DPA), as well as the European Union General Data Protection Regulation (GDPR).

Secure Platform

We are ISO/IEC 27001:2013 compliant and have robust processes to protect our systems.

Funded by high quality investors

Our backend service is backed by some of the leading names in the investment community, including GV (Google Ventures), Sapphire Ventures, Anthemis and Notion Capital.

Safeguarded bank accounts

Your money is held in separate accounts with tier one banks. In the unlikely event of our backend service ceasing to exist, your money remains protected.

Two-factor Security

Two-factor authentication (or 2FA) is an extra layer of security to make sure someone trying to access their online account is who they say they are. By enabling it, we are able to provide better security and protection of our clients’ data and money.

Using 2FA at the point of login ensures that our users have a smooth login experience, without the need to answer a security question. 2FA will also become necessary for all users logging into the platform as part of our plans to meet regulatory requirements and security standards.

If a user has not registered, they will be prompted at the point of login to register for 2FA using their mobile phone number by taking the following steps:
  • Download the Authy mobile application when prompted and start the simple registration process. Using the app is the most secure and easiest way of enabling 2FA. At the point of registration, a user can choose to receive a 2FA code via SMS instead if they prefer.
  • Once registered, users will be asked to identify themselves by providing a second factor whenever they log in to Direct from a new device, or every 15 days from an existing device.