Our security practices
We apply the same rigor to our own environment that we recommend to clients. Here's a summary of how we protect the systems and data we're trusted with.
Organisational security
All employees and contractors undergo background checks where legally permitted, sign confidentiality agreements, and complete security awareness training during onboarding and annually thereafter. Access to client systems and data is granted on a least-privilege, need-to-know basis and reviewed on a regular cadence.
Data protection
Data is encrypted in transit using TLS 1.2 or higher and at rest using industry-standard encryption. Production environments are logically separated from development and staging, and access to production data is restricted and logged.
Infrastructure & monitoring
- Continuous monitoring of internal systems and endpoints
- Centralized logging with defined retention periods
- Regular vulnerability scanning and periodic third-party penetration testing of our own environment
- Documented incident response and escalation procedures
Vendor & third-party risk
We maintain an inventory of subprocessors and third-party vendors that touch client data, and we review their security posture before onboarding and on an ongoing basis.
Business continuity
We maintain documented business continuity and disaster recovery procedures, including regular backups and periodic recovery testing, to minimize disruption in the event of an incident.
Questions about our practices
Enterprise customers and prospects can request additional detail, including summaries of recent assessments, through our Contact page.
