Security & Compliance — Built In, Not Bolted On

We safeguard your data across people, process, and technology: physical, network, application, access, and lifecycle controls.

Frameworks and standards we align with:

  • ISO/IEC 27001 (alignment)
  • OWASP ASVS & Top 10
  • NIST CSF / SP 800-53 (risk-based)
  • CIS Benchmarks
  • SOC 2 TSC (process alignment)
  • GDPR principles & DPAs

Physical Security

Data centre controls

Tier‑1 facilities with 24/7 guards, CCTV, mantraps, visitor logs, and biometric access. Redundant power & environment.

Device & office

  • Managed endpoints with full‑disk encryption
  • Auto‑lock, screen privacy, and secure media handling
  • Asset tracking & visitor management where applicable

People security

Background checks where lawful, role‑based onboarding, NDAs, continuous security awareness & phishing simulations.

Network & Infrastructure

Perimeter & segmentation

  • Private subnets & security groups by function
  • WAF, rate limiting, anti‑bot, and TLS enforcement

Patching & hardening

Baseline images, CIS‑aligned hardening, staged updates, config drift alerts, and vulnerability management.

Secrets & keys

Managed KMS/HSM, key rotation, short‑lived credentials, and secret scanning in CI.

Application Security (SDLC)

Secure‑by‑design

Threat modeling, dependency pinning, code review, and unit/integration tests on every change.

Testing & scanning

SAST/DAST, IaC scanning, secret detection, and periodic third‑party testing where scoped.

Release & rollback

Signed builds, protected branches, staged rollouts, canary/feature flags, and fast rollbacks.

Access Control & Identity

MFA & SSO

SSO across core systems with enforced MFA, including phishing‑resistant factors where supported.

Least privilege

Role‑based access, time‑bound elevation (Just‑in‑Time), and quarterly access reviews.

Account lifecycle

Automated provisioning/deprovisioning tied to HR events; immediate revocation on exit.

Data Protection & Privacy

Encryption

  • TLS 1.2+ in transit
  • AES‑256 at rest (provider‑managed)
  • Key rotation via KMS policies

Data minimisation

Collect only what’s needed; configurable redaction and defined retention windows by dataset.

Customer controls

DPAs, SCCs where required, and access logs/audit support on request.

Data Integrity & Availability

Backups

Automated, encrypted backups with multi‑AZ/region options and periodic restore tests.

Immutability

Write‑once retention (where supported) and checksum verification on critical artefacts.

Resilience

Health probes, autoscaling, and graceful degradation to preserve core functions.

Data Retention & Secure Destruction

Retention policies

Dataset‑specific schedules with legal holds. Authenticated deletion requests supported via secure channels.

Destruction

Cryptographic erasure or provider‑certified media destruction. Certificates available upon request.

Monitoring, Logging & Detection

Telemetry

Centralised logs with retention & integrity controls; time‑synced systems for reliable forensics.

Alerting

Threshold & anomaly alerts for auth, config drift, data exfil patterns, and resource spikes.

Detection

Endpoint protection on managed devices, vulnerability management, and periodic external scanning.

Incident Response & BCP/DR

IR playbooks

Documented runbooks for containment, eradication, recovery, and customer communication. PIRs drive improvements.

BCP / DR

Defined RTO/RPO targets by service tier; tabletop or live failover exercises performed on cadence.

Vendors & Sub‑processors

Risk management

Due diligence, DPAs, security addenda, and continuous monitoring for critical vendors; least‑privilege data sharing.

Data residency

Region selection options where available. Sub‑processor list available on request with change notifications.

Privacy & Legal

Privacy by design

Data minimisation, purpose limitation, and transparency embedded into product decisions.

Agreements

Mutual NDAs, DPAs, and standard contractual clauses (where applicable).

Requests

Support for data subject requests via authenticated channels and verifiable controls.

Shared Responsibility Model

We handle

  • Platform security (infrastructure, SDLC, monitoring)
  • Encryption, backup, and secure deletion mechanisms
  • Incident response and business continuity

You control

  • End‑user account hygiene (passwords/MFA)
  • Authorisation choices (who sees what)
  • Local device and network protections

We’ll provide guidance and best practices for your side of the model.

Frequently Asked Questions

Do you support custom DPAs and NDAs?

Yes. We can review your paper or provide ours for mutual execution.

Can we choose data residency?

Where the underpinning cloud services support it, we offer regional hosting options.

How do you handle deletion requests?

Authenticated requests trigger workflow‑based deletion with verification and an audit trail.

Security overview & contact

Need deeper details (architectures, test attestations, or policy set)? Let’s talk.


Resources

  • High‑level Security Overview (PDF)
  • Sub‑processor list (on request)
  • BCP/DR testing summary (on request)