An infosec review is not a checkbox. Neither is the record underneath it.
Data architecture, encryption standards, access controls, test results. The technical evidence a reviewer needs to decide whether candidate data will move safely through this environment: laid out in the order an infosec team actually reads it.
Full certification roadmap in progress. Attestation documentation, auditor references, and most recent test summaries available under NDA on request.
Incident response posture
Incidents are detected, contained, and escalated per documented response policy. The policy and supporting procedures are reviewed and enhanced on a continuous basis as the threat surface evolves, the regulatory baseline shifts, and operating lessons accumulate.
We make no claim of zero incidents. Operational maturity in this domain is measured by mean time to detection, containment quality, the rigour of the post-incident review cycle, and the rate at which lessons learned are codified back into operating procedure. Each incident is an input to the next review cycle, not a one-off event to be closed out.
Clients with active programmes receive incident notifications per the contractual SLA. Programmes operating under heightened regulatory regimes (financial services, healthcare, fit-and-proper jurisdictions) receive a tailored notification protocol with regulator-specific timelines.
Technology stack and data architecture
Here's the full technology stack we use to handle candidate data, with security boundaries clearly defined:
Data residency: We comply with data residency requirements by jurisdiction. EU candidate data is processed and stored in EU regions only (Azure EU West 2). Cross-border transfers use Standard Contractual Clauses and Transfer Impact Assessments per GDPR.
Data flow and encryption
Walk through the complete candidate data journey from ingest to retention, with encryption applied at every stage:
1. Ingest: Candidate uploads documents and identity data
Data uploaded via client portal or API is transported over TLS 1.3. Validation rules are applied immediately (file type, size, content checks). Data is encrypted at rest using AES-256 before storage. Encryption keys are stored separately in Azure Key Vault with role-based access.
2. Processing: Verification tasks run in isolated containers
Data is decrypted only within secure processing containers. Candidate PII is never decrypted outside the container boundary. Encryption keys are rotated automatically every 90 days. Key rotation does not trigger data re-encryption (we use envelope encryption and rotate the envelope key only). Sub-processor access to data is scoped to specific fields and time-limited (tokens expire after task completion).
3. Sub-processor access: Ephemeral, scoped tokens issued per task
Each sub-processor (database query provider, identity verification API, credit bureau) receives a one-time, time-limited access token valid for the specific verification task only. Tokens expire automatically after 24 hours. Sub-processors cannot retain or persist candidate data. Access is logged with timestamp, IP, data fields accessed, and purpose. No persistent data copies are made at the sub-processor level.
4. Reporting: Encrypted delivery via secure dataroom
Reports are generated and encrypted at generation time using a client-specific encryption key. Reports are never sent via email. Instead, they're uploaded to our secure dataroom (Azure Blob), and clients access via authenticated portal session. Client portal sessions are SAML-authenticated and IP-restricted for enterprise clients. Downloads are logged and watermarked.
Candidate data is retained per jurisdiction minimums (typically 12-24 months). Encryption keys used to protect retained data are themselves encrypted and stored in a separate key vault. At the retention end-date, the data encryption key is destroyed (cryptographic erasure). This renders the candidate data permanently unrecoverable, even if the encrypted data remains on disk. Periodic key destruction events are logged and audited.
Key management: All encryption keys are managed by Azure Key Vault with Hardware Security Module (HSM) backing for critical keys. Key generation, storage, rotation, and destruction are all audit-logged and reviewed quarterly.
Access controls and privilege management
We enforce a multi-layered access control strategy based on the principle of least privilege:
RBAC: 12 role definitions
System administrator, security engineer, audit analyst, support tier 1/2, operations, data analyst, legal, and read-only roles. Each role has explicitly defined permissions. Roles are reviewed quarterly.
Least privilege enforcement
Users are provisioned with the minimum permissions required for their role. Permissions are granted per client/project scope, not globally. Cross-client access is prevented at the database level using row-level security (RLS) policies.
Mandatory MFA
All internal staff and client admin users must use MFA. We support TOTP (Time-based One-Time Password) and hardware keys (YubiKey, Windows Hello). SMS-based MFA is not permitted due to SIM-swap risks.
SSO for client portal
Clients can enforce SAML 2.0 or OIDC SSO on their team. This ties portal access to the client's identity provider. SSO access logs are retained for 12 months and available in audit reports.
Just-in-time access (JIT)
Sensitive operations (e.g., database backups, encryption key access, data deletion) require just-in-time elevation. Users request access with a reason, an approver must authorize (via out-of-band notification), and access is granted for a limited time window (typically 30 minutes). All JIT sessions are recorded.
Access reviews: quarterly
Every quarter, we conduct access reviews. Role managers verify that users still require their assigned permissions. Unused access is revoked automatically after 90 days of inactivity. All access changes are logged.
Privileged access monitoring
All administrative and sensitive operations are session-recorded (video + keystrokes). Recordings are retained for 6 months. Anomalous access patterns trigger alerts (e.g., access outside business hours, access from new IP, mass data export).
Separated duties
Critical functions are split across roles: approval vs. execution, audit vs. administration, etc. A single user cannot both approve and execute a sensitive change.
Audit trail: All access control events (login, privilege grant, resource access, JIT requests/approvals) are logged to an immutable audit log and reviewed for anomalies weekly.
Vulnerability assessment and penetration testing (VAPT)
We conduct rigorous testing to identify and remediate security vulnerabilities:
Testing type, frequency, scope, and latest result:
External VAPT (independent third party): annually. Scope: full application stack, APIs, cloud infrastructure, network.
Third-party library and package vulnerability monitoring: auto-patched.
Remediation SLAs:
Critical vulnerabilities: 7 days to patch or mitigate
High severity: 30 days
Medium severity: 90 days
Low severity: 120 days (batched into releases)
Bug bounty programme: We maintain a responsible disclosure programme via HackerOne. Security researchers who discover vulnerabilities can report confidentially. We respond within 48 hours and offer bounties for valid, unreported findings ($500 to $5,000 depending on severity and impact). The latest VAPT summary and executive report are available under NDA.
Network security and isolation
Our network is designed to prevent unauthorized access and lateral movement:
Web application firewall (WAF): Azure Front Door WAF is enabled at the network edge. It protects against OWASP Top 10 attacks (SQL injection, XSS, CSRF, etc.) and rate-limits malicious requests. WAF logs are retained for 90 days.
DDoS protection: Azure Front Door includes DDoS mitigation (Layers 3 and 4). Volumetric attacks are automatically absorbed. We have tested DDoS resilience and maintained availability during simulated attacks.
Network segmentation: Admin, production, and disaster recovery networks are isolated via separate subnets, network security groups (NSGs), and firewall rules. Admin users cannot directly access production data via admin network. Production data flows only through the application layer.
Zero trust networking: All internal service-to-service communication uses mutual TLS (mTLS). Services authenticate each other by certificate. This prevents compromised internal services from accessing other services without proper credentials.
IP allowlisting: Enterprise clients can request IP allowlisting. Their public IPs are added to an allowlist, and only traffic from those IPs can access the secure dataroom portal. This prevents access from unknown networks.
Geographic data residency: We support geographic data residency controls. EU clients can enforce data processing in EU regions only. Azure automatically blocks cross-region data transfer for compliant tenants. Audit logs confirm regional processing.
VPN for admin access: All administrative access to infrastructure goes through a hardened VPN gateway. VPN access requires certificate authentication + MFA. VPN sessions are logged and audited.
Endpoint and operational security
We secure the systems our team uses and the code we deploy:
Managed endpoints with EDR: All staff laptops/desktops are managed via Intune (Microsoft Endpoint Manager). Endpoint Detection and Response (EDR) is installed on all devices. EDR monitors for malware, suspicious process execution, and lateral movement attempts. Alerts are reviewed in real time by our security team.
Mobile device management (MDM): All work phones and tablets are enrolled in MDM. Policies enforce encryption, PIN protection, and remote wipe capability if a device is lost.
Data loss prevention (DLP): DLP policies block unauthorized data transfer outside the organization. Candidate data cannot be copied to external USB drives, cloud storage (personal Google Drive, Dropbox), or email. Violations are logged and investigated.
No USB storage: USB ports on work devices are disabled. File transfer is only permitted via approved secure channels (Azure File Share, secure dataroom).
Encrypted hard drives: All work devices use BitLocker (Windows) or FileVault 2 (macOS) full-disk encryption. Encryption keys are escrowed to our identity provider, allowing remote decryption if needed for forensics.
Secure coding training: All engineers complete quarterly secure coding training. Training covers OWASP Top 10, API security, authentication/authorization, secure configuration, etc. Training completion is mandatory.
Code review requirement: All code changes to production go through mandatory peer review. Reviewers check for security issues, best practices, and compliance with our secure coding standards. Code is not deployed until reviewed and approved.
Secrets management: API keys, database passwords, and other secrets are never hardcoded. All secrets are stored in Azure Key Vault. Applications retrieve secrets at runtime via managed identities. Secrets are rotated every 90 days automatically.
Incident response and breach notification
If a security incident occurs, we have a rapid, documented response process:
24/7 security operations center (SOC): Our SOC monitors security alerts 24/7/365. Any critical alert triggers an automated escalation to on-call security engineers. Response begins within 15 minutes.
Severity classification:
SEV 1: Confirmed material breach (PII exposed, systems compromised).
SEV 2: Suspected breach, ongoing investigation.
SEV 3: Minor vulnerability or misconfiguration.
SEV 4: Audit finding or enhancement.
Client notification SLAs:
SEV 1: client notified within 4 hours of confirmation (not suspicion).
SEV 2: notification within 24 hours if investigation confirms breach.
SEV 3-4: next business day.
Notifications include scope, affected data, impact, and remediation timeline.
Regulatory notification: We handle GDPR breach notifications (72 hours to authorities if high risk). Other jurisdictions follow local requirements. We prepare the breach notification on behalf of the client if we are the primary processor.
Forensics capability: We maintain in-house forensics capability. For SEV 1 incidents, we engage an external forensics partner (e.g., Mandiant) within 2 hours for independent investigation. All forensics work is documented and available to clients and regulators.
Post-incident review (PIR): Within 14 days of an incident, we conduct a blameless PIR. PIR includes timeline, root cause, contributing factors, and remediation/prevention actions. PIR findings are shared with the client and tracked to completion.
Lessons learned: Every incident triggers a security improvement. Improvements are tracked in our security roadmap and implemented within the next quarter. Quarterly reviews ensure improvements are effective.
Tabletop exercises: We conduct quarterly tabletop exercises simulating breach scenarios. These exercises test our incident response process, communication, and decision-making. Lessons from exercises inform improvements.
Certifications and attestations
We maintain industry-standard security certifications to demonstrate compliance with best practices:
ISO 27001:2022
Information security management system certification. Current certificate valid through 2026. Scope includes all operational systems.
SOC 2 Type II
Annual audit by a Big Four firm covering security, availability, integrity, confidentiality, and privacy. The latest report covers a 12-month test period.
ISO 27701 (in progress)
Privacy Information Management standard. Extends ISO 27001 with privacy-specific controls. Expected certification by Q3 2026.
Cloud Security Alliance STAR
STAR Level 2 registered. We maintain Level 2 compliance through annual attestation and self-assessment updates.
Industry questionnaires
CAIQ 4.0 (CSA), SIG Lite and SIG Core (Shared Assessments) pre-completed and available for auditors.
Compliance matrix
One-page matrix showing alignment with GDPR, CCPA, LGPD, PDPA, and other major data protection laws.
What you'll receive in the InfoSec pack
The security whitepaper and supporting documentation include:
Full security architecture document: Detailed technical overview of our infrastructure, security controls, data flows, and encryption implementation. Includes threat model and risk assessments.
Latest VAPT summary: Executive summary of the annual external VAPT. Full detailed report available under NDA. Includes vulnerability counts, remediation status, and methodology.
Penetration testing reports: Detailed reports from our quarterly internal penetration tests. Available under NDA. Demonstrates control testing and effectiveness validation.
ISO 27001:2022 certificate and scope: Current certification with audit date, next audit date, and auditor contact information.
SOC 2 Type II report: Full annual audit report covering the 12-month test period. Available under NDA. Includes management assertion, auditor opinion, and detailed test results.
CAIQ 4.0 (Cloud Security Alliance): Pre-completed questionnaire covering all 130+ security questions. Available as a download or portal view for auditors.
SIG Lite and SIG Core (Shared Assessments): Pre-completed vendor security assessments. Used by many enterprise procurement teams.
Data flow diagrams: Visual diagrams (Lucidchart, draw.io, or similar) showing candidate data flows through our system, with encryption boundaries and sub-processor access clearly marked.
Encryption key management policy: Detailed policy covering key generation, storage, rotation, destruction, and audit logging. Includes HSM specifications and key escrow procedures.
Access control policy: RBAC definitions, least-privilege enforcement, MFA requirements, JIT access procedures, and access review schedules.
Incident response plan: Full incident classification, SLAs, notification procedures, forensics protocols, and post-incident review process.
Threat model and risk register: Documented threats, likelihood/impact assessment, existing controls, and residual risk. Updated quarterly.