
Security Practices

As a managed security provider, we hold ourselves to the same standards we recommend for our clients. This document describes how we protect client data, our internal security practices, and our vendor requirements.

Access Control

  • Multi-factor authentication (MFA) required for all internal systems and client environments
  • Role-based access control: staff access is scoped to what their role requires
  • Client portal access is provisioned and deprovisioned through a controlled process
  • Privileged access is logged and reviewed

Data Protection

  • Client data is encrypted in transit (TLS 1.2+) and at rest
  • We do not store sensitive client credentials in plain text
  • Client environments are logically isolated from each other
  • Data retention policies are defined and enforced

Vendor Security

We carefully vet the vendors and platforms we use to deliver services. Key criteria include:

  • SOC 2 Type II compliance or equivalent security certifications
  • Documented incident response and breach notification procedures
  • Data processing agreements (DPAs) in place where applicable
  • Regular security assessments and penetration testing

Incident Response

In the event of a security incident affecting client data, we follow a documented incident response process: contain, assess, notify, remediate, and review. Clients are notified promptly when an incident may affect their data, in accordance with our Master Services Agreement and applicable law.

Questions

If you have questions about our security practices or want to discuss specific requirements for your organization, contact us at [email protected].