01
Defense in depth
Multi-layer controls across network, identity, application, and data planes. No single bypass takes down the security posture; every breach assumption is modeled and mitigated.
Loading…
Trust · Security
How we protect your systems.
Defense-in-depth architecture, least-privilege identity, encryption everywhere, continuous testing, and a documented incident-response plan. Audit pack available under NDA.
- SOC 2 Type II
- In flight
- ISO 27001
- Aligned
- Pen test
- Annual + on demand
- IR rehearsal
- Quarterly
Six pillars
The operating posture, in summary.
These are the principles. The detailed controls below are how we live them on each engagement.
- 02
Least privilege identity
Role-based access enforced at the IdP, scoped IAM policies for engineers, time-bounded elevated access via change tickets, and quarterly access reviews per workload.
- 03
Encryption everywhere
TLS 1.2+ in transit, AES-256 at rest, customer-managed keys (CMK) for ePHI and PCI workloads, envelope encryption for application secrets, KMS rotation on documented schedules.
- 04
Continuous testing
Annual third-party penetration testing, quarterly internal red-team exercises, daily SCA / SAST / DAST in CI, dependency vulnerability scanning with auto-remediation PRs.
- 05
Incident response
Documented IR plan rehearsed quarterly. Named on-call, escalation tiers, customer-notification SLA published. Post-incident reviews shared with affected customers under NDA.
- 06
Subprocessor governance
All subprocessors flow through CITADEL vendor-risk review. BAA / DPA / SCC executed before data flows. Subprocessor list maintained publicly and updated quarterly.
Controls in detail
Across 4 planes.
Network, identity, application, and data. The control set applies to every engagement; the depth scales to the regulatory frame the workload sits in.
Network
- Private VPCs with explicit egress allow-lists per workload
- WAF with managed rule sets + custom rules tuned to the application
- DDoS mitigation at the cloud edge (AWS Shield Advanced / Cloudflare)
- Service-to-service mTLS where data sensitivity warrants it
- Bastion-free engineering — SSM / IAM-authenticated session manager
Identity
- SSO via OIDC / SAML for all internal and customer-facing apps
- MFA enforced on every workforce account, hardware-key options
- Just-in-time elevated access via change ticket, time-bounded
- Quarterly access reviews; off-boarding under 4 hours
- Service-account credentials short-lived, rotated programmatically
Application
- Threat modeling on every new feature touching customer data
- Static analysis (SAST), dependency analysis (SCA), container scanning in CI
- Code review required, with security review for sensitive paths
- Pre-deployment DAST against staging clones of production
- Production deployment gated behind change review for regulated workloads
Data
- Encryption at rest with customer-managed keys for ePHI and PCI
- TLS 1.2+ on all transport, HSTS preload on customer-facing surfaces
- Tokenization / pseudonymization for analytical workloads
- Backup encryption + integrity verification + restoration drills
- Data classification policy enforced at the storage layer where possible
Incident response
What we do when something happens.
IR plan rehearsed quarterly. Named on-call, customer-notification SLA published, post-incident reviews shared under NDA.
- 01
Detection
Continuous monitoring across infra, identity, application, and data planes. Alerts route to a 24×7 on-call rotation with documented runbooks per signal class. Mean time to acknowledge: < 15 minutes for P0/P1.
- 02
Triage & containment
On-call engineer assesses scope and triggers containment within the first hour for confirmed incidents. Containment may include credential rotation, network isolation, or rolling back a deploy. Customer impact assessment in parallel.
- 03
Customer notification
Affected customers notified within 72 hours of confirmed material impact, often sooner per contract. Notifications include scope of impact, affected data classes, remediation status, and a named point of contact for follow-up.
- 04
Eradication & recovery
Root cause identified, mitigations deployed, monitoring tuned to prevent recurrence. Production restored under documented health checks. Customer-facing services validated end-to-end before resuming normal operations.
- 05
Post-incident review
Blameless post-mortem within two weeks. Affected customers receive the review summary under NDA, with our remediation timeline and any compensating controls. Quarterly review of all incidents at the leadership level.
Security review
Need our pack for procurement or InfoSec?
SOC 2 Type II report (under NDA), pen-test summary, subprocessor list, security questionnaire response, BAA / DPA templates. Most requests filled the same business day.