For information security teams

An infosec review is not a checkbox. Neither is the record underneath it.

Data architecture, encryption standards, access controls, test results. The technical evidence a reviewer needs to decide whether candidate data will move safely through this environment: laid out in the order an infosec team actually reads it.

Security framework: ISO 27001:2022
SOC 2 attested: Type II
VAPT testing cadence: Annual + quarterly
Encryption standard: AES-256 at rest

Full certification roadmap in progress. Attestation documentation, auditor references, and most recent test summaries available under NDA on request.

Incident response posture

Incidents are detected, contained, and escalated per documented response policy. The policy and supporting procedures are reviewed and enhanced on a continuous basis as the threat surface evolves, the regulatory baseline shifts, and operating lessons accumulate.

We make no claim of zero incidents. Operational maturity in this domain is measured by mean time to detection, containment quality, the rigour of the post-incident review cycle, and the rate at which lessons learned are codified back into operating procedure. Each incident is an input to the next review cycle, not a one-off event to be closed out.

Clients with active programmes receive incident notifications per the contractual SLA. Programmes operating under heightened regulatory regimes (financial services, healthcare, fit-and-proper jurisdictions) receive a tailored notification protocol with regulator-specific timelines.

Technology stack and data architecture

Here's the full technology stack we use to handle candidate data, with security boundaries clearly defined:

Cloud infrastructure:
  Microsoft Azure (US East, EU West primary + DR)
  Network isolation, DDoS mitigation, WAF at edge
Application layer:
  Containerized microservices (Kubernetes)
  Multi-tenant isolation at container level
  Zero trust networking (mTLS between services)
Data storage:
  PostgreSQL with AES-256 encryption at rest
  Tenant-isolated schemas with row-level security
  Independent backup encryption (separate key vault)
  Azure Blob storage with immutable audit copies
Communication:
  TLS 1.3 for all data in transit
  Certificate pinning for critical API endpoints
  Perfect forward secrecy enabled
Identity and access:
  Azure Entra ID (AD) for internal access
  SAML 2.0 and OIDC for client portal SSO
  Hardware key and TOTP MFA mandatory
  Just-in-time access for privileged operations

Data residency: We comply with data residency requirements by jurisdiction. EU candidate data is processed and stored in EU regions only (Azure EU West 2). Cross-border transfers use Standard Contractual Clauses and Transfer Impact Assessments per GDPR.

Data flow and encryption

Walk through the complete candidate data journey from ingest to retention, with encryption applied at every stage:

1. Ingest: Candidate uploads documents and identity data

Data uploaded via client portal or API is transported over TLS 1.3. Validation rules are applied immediately (file type, size, content checks). Data is encrypted at rest using AES-256 before storage. Encryption keys are stored separately in Azure Key Vault with role-based access.

2. Processing: Verification tasks run in isolated containers

Data is decrypted only within secure processing containers. Candidate PII is never decrypted outside the container boundary. Encryption keys are rotated automatically every 90 days. Key rotation does not trigger data re-encryption (we use envelope encryption and rotate the envelope key only). Sub-processor access to data is scoped to specific fields and time-limited (tokens expire after task completion).

3. Sub-processor access: Ephemeral, scoped tokens issued per task

Each sub-processor (database query provider, identity verification API, credit bureau) receives a one-time, time-limited access token valid for the specific verification task only. Tokens expire automatically after 24 hours. Sub-processors cannot retain or persist candidate data. Access is logged with timestamp, IP, data fields accessed, and purpose. No persistent data copies are made at the sub-processor level.
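The token model described in this step, written out as an added example (this is not the vendor's code): each token is a signed set of claims naming the task, the sub-processor, the permitted fields and an expiry; redeeming it checks signature, expiry, task, field scope and single use, and every attempt (granted or denied) is written to an audit entry with timestamp, IP, fields and purpose. The HMAC-SHA256 signing scheme, the in-memory redeemed-id set and the `TokenService` API are assumptions for the example; in production the signing key and the redeemed-id store would live in Key Vault and a shared store.

```python
"""Ephemeral, scoped sub-processor tokens (added example, not the vendor's code).

Assumptions: tokens are HMAC-SHA256-signed JSON claims; the signing key and the
set of redeemed token ids would live in Key Vault / a shared store in production.
"""
import base64
import hashlib
import hmac
import json
import secrets
from typing import Dict, Iterable, List, Optional


class TokenService:
    """Issues one-time, time-limited tokens scoped to a task and to named fields."""

    def __init__(self, signing_key: Optional[bytes] = None) -> None:
        # Constructed key for the example; production would fetch it from Key Vault.
        self.signing_key = signing_key or secrets.token_bytes(32)
        self.redeemed: set = set()       # token ids already used (one-time enforcement)
        self.audit_log: List[Dict] = []  # one entry per access attempt

    def _sign(self, body: bytes) -> str:
        return hmac.new(self.signing_key, body, hashlib.sha256).hexdigest()

    def issue(self, task_id: str, subprocessor: str, fields: Iterable[str],
              now: float, ttl_seconds: int = 24 * 3600) -> str:
        claims = {
            "jti": secrets.token_hex(8),    # unique id so the token can be used once
            "task": task_id,                # valid for this verification task only
            "sub": subprocessor,
            "fields": sorted(set(fields)),  # the only PII fields this token unlocks
            "exp": now + ttl_seconds,       # hard expiry (24 h on the page)
        }
        body = base64.urlsafe_b64encode(
            json.dumps(claims, sort_keys=True).encode()).rstrip(b"=")
        return body.decode() + "." + self._sign(body)

    def redeem(self, token: str, task_id: str, requested_fields: Iterable[str],
               client_ip: str, purpose: str, now: float) -> List[str]:
        """Validate every constraint, log the attempt, and return the permitted fields."""
        body, _, sig = token.rpartition(".")
        # Log first, as "denied"; flipped to "granted" only if every check passes.
        entry = {"ts": now, "ip": client_ip, "task": task_id, "purpose": purpose,
                 "fields": sorted(set(requested_fields)), "result": "denied"}
        self.audit_log.append(entry)
        body_bytes = body.encode()
        if not hmac.compare_digest(sig, self._sign(body_bytes)):
            raise PermissionError("bad signature")
        padded = body_bytes + b"=" * (-len(body_bytes) % 4)
        claims = json.loads(base64.urlsafe_b64decode(padded))
        if now >= claims["exp"]:
            raise PermissionError("token expired")
        if claims["task"] != task_id:
            raise PermissionError("token not valid for this task")
        extra = set(requested_fields) - set(claims["fields"])
        if extra:
            raise PermissionError(f"fields outside token scope: {sorted(extra)}")
        if claims["jti"] in self.redeemed:
            raise PermissionError("token already used")
        self.redeemed.add(claims["jti"])
        entry["result"] = "granted"
        entry["sub"] = claims["sub"]
        return claims["fields"]
```

The audit entry is appended before any check runs so that denied attempts (bad signature, replay, out-of-scope field) are recorded as well as successful ones; a reviewer reading the log can then see both what a sub-processor accessed and what it tried to access.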

4. Reporting: Encrypted delivery via secure dataroom

Reports are generated and encrypted at generation time using a client-specific encryption key. Reports are never sent via email. Instead, they are uploaded to our secure dataroom (Azure Blob) and clients retrieve them through an authenticated portal session. Client portal sessions are SAML-authenticated and IP-restricted for enterprise clients. Downloads are logged and watermarked.

5. Retention: Time-limited encryption keys, automatic destruction

Candidate data is retained per jurisdiction minimums (typically 12-24 months). Encryption keys used to protect retained data are themselves encrypted and stored in a separate key vault. At the retention end-date, the data encryption key is destroyed (cryptographic erasure). This renders the candidate data unrecoverable, even if the encrypted bytes remain on disk. Periodic key destruction events are logged and audited.
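Steps 2 and 5 both rest on the same key hierarchy: a per-record data encryption key (DEK) protects the PII, a key encryption key (KEK) in the vault wraps the DEK, rotation re-wraps only the DEK, and retention ends by destroying the DEK. The following added example (not the vendor's code) shows that hierarchy end to end. Azure Key Vault is stood in for by an in-memory `KeyVault` class, and AES-256 by an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, both assumptions made so the block runs with the standard library alone; the point is the key hierarchy, not the cipher.

```python
"""Envelope encryption, KEK rotation and cryptographic erasure (added example).

Not the vendor's code. Azure Key Vault is stood in for by an in-memory KeyVault
class, and AES-256 by an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC
tag; only the key hierarchy is the point here.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


def _subkey(key: bytes, label: bytes) -> bytes:
    # Separate encryption and MAC subkeys derived from one 32-byte key.
    return hmac.new(key, label, hashlib.sha256).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes) -> bytes:
    """nonce || ciphertext || tag (stand-in for an AEAD such as AES-256-GCM)."""
    nonce = os.urandom(16)
    ks = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("authentication failed: wrong key or tampered ciphertext")
    ks = _keystream(_subkey(key, b"enc"), nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


class KeyVault:
    """Stand-in for Azure Key Vault: versioned KEKs that wrap per-record DEKs."""

    def __init__(self) -> None:
        self.keks: Dict[int, bytes] = {}
        self.current = 0
        self.rotate()

    def rotate(self) -> int:
        """Create a new KEK version; older versions stay until explicitly retired."""
        self.current += 1
        self.keks[self.current] = os.urandom(32)
        return self.current

    def retire(self, version: int) -> None:
        del self.keks[version]

    def wrap(self, dek: bytes) -> Tuple[int, bytes]:
        return self.current, seal(self.keks[self.current], dek)

    def unwrap(self, version: int, wrapped: bytes) -> bytes:
        return unseal(self.keks[version], wrapped)


@dataclass
class Record:
    tenant: str
    ciphertext: bytes             # PII under the DEK; never rewritten on rotation
    wrapped_dek: Optional[bytes]  # DEK under a KEK; None once erased
    kek_version: int


def store(vault: KeyVault, tenant: str, pii: bytes) -> Record:
    dek = os.urandom(32)  # fresh data-encryption key per record
    version, wrapped = vault.wrap(dek)
    return Record(tenant, seal(dek, pii), wrapped, version)


def read(vault: KeyVault, rec: Record) -> bytes:
    if rec.wrapped_dek is None:
        raise PermissionError("DEK destroyed: data is cryptographically erased")
    return unseal(vault.unwrap(rec.kek_version, rec.wrapped_dek), rec.ciphertext)


def rewrap(vault: KeyVault, rec: Record) -> None:
    """Rotation: re-wrap the DEK under the current KEK; the ciphertext is untouched."""
    if rec.wrapped_dek is None:
        return  # erased records have nothing to re-wrap
    dek = vault.unwrap(rec.kek_version, rec.wrapped_dek)
    rec.kek_version, rec.wrapped_dek = vault.wrap(dek)


def cryptographic_erase(rec: Record) -> None:
    """Retention end: destroy the DEK so the ciphertext can never be decrypted."""
    rec.wrapped_dek = None
```

Two properties worth checking when reviewing a vendor's claim of this design: after a rotation the stored ciphertext bytes must be identical (only the wrapped DEK changes), and after erasure a read must fail even though the vault still holds every KEK.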

Key management: All encryption keys are managed by Azure Key Vault with Hardware Security Module (HSM) backing for critical keys. Key generation, storage, rotation, and destruction are all audit-logged and reviewed quarterly.

Access controls and privilege management

We enforce a multi-layered access control strategy based on the principle of least privilege:

RBAC: 12 role definitions

System administrator, security engineer, audit analyst, support tier 1/2, operations, data analyst, legal, and read-only roles. Each role has explicitly defined permissions. Roles are reviewed quarterly.

Least privilege enforcement

Users are provisioned with the minimum permissions required for their role. Permissions are granted per client/project scope, not globally. Cross-client access is prevented at the database level using row-level security (RLS) policies.

Mandatory MFA

All internal staff and client admin users must use MFA. We support TOTP (Time-based One-Time Password) and hardware keys (YubiKey, Windows Hello). SMS-based MFA is not permitted due to SIM-swap risks.

SSO for client portal

Clients can enforce SAML 2.0 or OIDC SSO on their team. This ties portal access to the client's identity provider. SSO access logs are retained for 12 months and available in audit reports.

Just-in-time access (JIT)

Sensitive operations (e.g., database backups, encryption key access, data deletion) require just-in-time elevation. Users request access with a reason, an approver must authorize (via out-of-band notification), and access is granted for a limited time window (typically 30 minutes). All JIT sessions are recorded.

Access reviews: quarterly

Every quarter, we conduct access reviews. Role managers verify that users still require their assigned permissions. Unused access is revoked automatically after 90 days of inactivity. All access changes are logged.

Privileged access monitoring

All administrative and sensitive operations are session-recorded (video + keystrokes). Recordings are retained for 6 months. Anomalous access patterns trigger alerts (e.g., access outside business hours, access from new IP, mass data export).
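The three alert conditions named above (access outside business hours, access from a new IP, mass data export), run as rules over a handful of constructed access events. This is an added example and not the vendor's detection logic; the event fields, the 08:00-18:00 UTC weekday business window, the 1000-row export threshold and the "new IP" baseline (any IP the user has not used in an earlier event) are all assumptions.

```python
"""Privileged access alerting rules (added example, not the vendor's detection logic).

Assumptions: access events are dicts with ts (epoch seconds, UTC), user, ip,
action and rows; business hours are 08:00-18:00 UTC Monday-Friday; the known-IP
baseline for a user is the set of IPs seen in that user's earlier events.
"""
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Set

BUSINESS_START, BUSINESS_END = 8, 18  # UTC hours (assumption)
EXPORT_ROW_THRESHOLD = 1000           # rows in one export that count as "mass" (assumption)


def outside_business_hours(ts: float) -> bool:
    dt = datetime.fromtimestamp(ts, tz=timezone.utc)
    return dt.weekday() >= 5 or not (BUSINESS_START <= dt.hour < BUSINESS_END)


def evaluate(events: List[Dict]) -> List[Dict]:
    """Run the rules in time order and return one alert per rule hit."""
    known_ips: Dict[str, Set[str]] = defaultdict(set)
    alerts: List[Dict] = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        hits = []
        if outside_business_hours(ev["ts"]):
            hits.append("outside_business_hours")
        # A user's very first IP is the baseline, not an anomaly.
        if known_ips[ev["user"]] and ev["ip"] not in known_ips[ev["user"]]:
            hits.append("new_ip")
        if ev["action"] == "export" and ev.get("rows", 0) >= EXPORT_ROW_THRESHOLD:
            hits.append("mass_export")
        known_ips[ev["user"]].add(ev["ip"])
        for rule in hits:
            alerts.append({"rule": rule, "user": ev["user"], "ip": ev["ip"],
                           "ts": ev["ts"], "action": ev["action"]})
    return alerts


def _ts(y: int, m: int, d: int, hh: int, mm: int) -> float:
    return datetime(y, m, d, hh, mm, tzinfo=timezone.utc).timestamp()


# Constructed sample events: 2024-03-12 is a Tuesday, 2024-03-16 a Saturday.
SAMPLE_EVENTS = [
    {"ts": _ts(2024, 3, 12, 10, 15), "user": "ops.alice", "ip": "10.0.4.21", "action": "login", "rows": 0},
    {"ts": _ts(2024, 3, 12, 10, 40), "user": "ops.alice", "ip": "10.0.4.21", "action": "query", "rows": 12},
    {"ts": _ts(2024, 3, 12, 23, 5), "user": "ops.alice", "ip": "10.0.4.21", "action": "query", "rows": 3},
    {"ts": _ts(2024, 3, 13, 11, 0), "user": "ops.alice", "ip": "198.51.100.7", "action": "login", "rows": 0},
    {"ts": _ts(2024, 3, 13, 11, 5), "user": "ops.alice", "ip": "198.51.100.7", "action": "export", "rows": 4800},
    {"ts": _ts(2024, 3, 16, 9, 0), "user": "sec.bob", "ip": "10.0.4.30", "action": "login", "rows": 0},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
```

Running the rules over the sample yields four alerts: the 23:05 query, the first login from 198.51.100.7, the 4800-row export, and the Saturday login. The export on 2024-03-13 fires only the mass-export rule because the IP was already added to the baseline by the login five minutes earlier, which is the behaviour a reviewer should expect from a stateful "new IP" rule.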

Separated duties

Critical functions are split across roles: approval vs. execution, audit vs. administration, etc. A single user cannot both approve and execute a sensitive change.
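The JIT elevation flow and the separation-of-duties rule above, as one added example (not the vendor's code): a request carries a reason, a second person must approve it, the requester can never approve their own request, elevation lasts a bounded window (30 minutes, the figure the page gives), and every gated action is written to a session log. The in-memory `JitBroker`, the per-operation approver lists and the string session log are assumptions; out-of-band approver notification and video recording are not modelled.

```python
"""Just-in-time elevation with separation of duties (added example, not the vendor's code).

Assumptions: an in-memory request store, a 30-minute default window (the figure
the page gives), approver lists per operation, and a string session log in place
of session recording. Out-of-band approver notification is not modelled.
"""
import itertools
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

JIT_WINDOW_SECONDS = 30 * 60


@dataclass
class JitRequest:
    id: int
    requester: str
    operation: str
    reason: str
    requested_at: float
    approver: Optional[str] = None
    approved_at: Optional[float] = None
    expires_at: Optional[float] = None
    session_log: List[str] = field(default_factory=list)  # stand-in for session recording


class JitBroker:
    def __init__(self, approvers: Dict[str, Set[str]]) -> None:
        self.approvers = approvers  # operation -> users allowed to approve it (assumption)
        self.requests: Dict[int, JitRequest] = {}
        self._ids = itertools.count(1)

    def request(self, user: str, operation: str, reason: str, now: float) -> JitRequest:
        if not reason.strip():
            raise ValueError("a reason is required")
        req = JitRequest(next(self._ids), user, operation, reason, now)
        self.requests[req.id] = req
        return req

    def approve(self, req_id: int, approver: str, now: float,
                window: int = JIT_WINDOW_SECONDS) -> JitRequest:
        req = self.requests[req_id]
        # Separation of duties: the person who asked cannot be the person who approves.
        if approver == req.requester:
            raise PermissionError("separation of duties: requester cannot approve own request")
        if approver not in self.approvers.get(req.operation, set()):
            raise PermissionError("not an authorised approver for this operation")
        if req.approved_at is not None:
            raise PermissionError("already approved")
        req.approver, req.approved_at, req.expires_at = approver, now, now + window
        return req

    def authorise(self, req_id: int, user: str, operation: str, now: float) -> bool:
        """Gate each sensitive action on an approved, unexpired elevation; log it."""
        req = self.requests.get(req_id)
        ok = (req is not None and req.requester == user and req.operation == operation
              and req.expires_at is not None and now < req.expires_at)
        if req is not None:
            req.session_log.append(f"{now:.0f} {user} {operation} {'allowed' if ok else 'denied'}")
        return ok
```

The gate is evaluated per action rather than once at approval time, so an elevation that has lapsed mid-task is denied on the next call and that denial lands in the session log alongside the earlier allowed actions.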

Audit trail: All access control events (login, privilege grant, resource access, JIT requests/approvals) are logged to an immutable audit log and reviewed for anomalies weekly.

Vulnerability assessment and penetration testing (VAPT)

We conduct rigorous testing to identify and remediate security vulnerabilities:

| Testing type | Frequency | Scope | Latest result |
| --- | --- | --- | --- |
| External VAPT (independent third party) | Annually | Full application stack, APIs, cloud infrastructure, network | 0 critical, 0 high |
| Internal penetration testing | Quarterly | Network, systems, social engineering | Compliant |
| Automated vulnerability scanning | Continuous (daily) | Dependencies, container images, infrastructure-as-code | 0 critical |
| Code security scanning (SAST) | Per commit | Source code analysis, secrets detection | In pipeline |
| Dependency updates | Weekly | Third-party library and package vulnerability monitoring | Auto-patched |

Remediation SLAs:

Bug bounty programme: We maintain a responsible disclosure programme via HackerOne. Security researchers who discover vulnerabilities can report confidentially. We respond within 48 hours and offer bounties for valid, unreported findings ($500 to $5,000 depending on severity and impact). The latest VAPT summary and executive report are available under NDA.

Network security and isolation

Our network is designed to prevent unauthorized access and lateral movement:

Endpoint and operational security

We secure the systems our team uses and the code we deploy:

Incident response and breach notification

If a security incident occurs, we have a rapid, documented response process:

Certifications and attestations

We maintain industry-standard security certifications to demonstrate compliance with best practices:

ISO 27001:2022

Information security management system certification. Current certificate valid through 2026. Scope includes all operational systems.

SOC 2 Type II

Annual audit by a Big Four firm covering security, availability, integrity, confidentiality, and privacy. The latest report covers a 12-month test period.

ISO 27701 (in progress)

Privacy Information Management standard. Extends ISO 27001 with privacy-specific controls. Expected certification by Q3 2026.

Cloud Security Alliance STAR

STAR Level 2 registered. We maintain Level 2 compliance through annual attestation and self-assessment updates.

Industry questionnaires

CAIQ 4.0 (CSA), SIG Lite and SIG Core (Shared Assessments) pre-completed and available for auditors.

Compliance matrix

One-page matrix showing alignment with GDPR, CCPA, LGPD, PDPA, and other major data protection laws.

What you'll receive in the InfoSec pack

The security whitepaper and supporting documentation includes:
