Our production environment runs on GCP in an isolated network with automated provisioning and recovery. Firewalls block unauthorised access. Production and development are strictly separated.

All data in transit is encrypted with TLS. All databases holding sensitive customer data are encrypted at rest. We enforce role-based access control and least-privilege principles across every system. MFA is required for any remote access to production.

Security training starts on day one for every employee and contractor and repeats annually. Background checks are standard. Everyone signs a confidentiality agreement and acknowledges our Code of Conduct. Corporate devices are MDM managed with full-disk encryption and automatic updates enforced.

We maintain a documented incident response plan covering identification, containment, remediation & communication. It’s tested annually. Infrastructure monitoring alerts on predefined thresholds, and centralised logging gives us continuous visibility into system health and security events.

Every code change is authorised, reviewed, and tested before it touches production. We run continuous vulnerability scanning on all external-facing systems and source code. Critical issues are tracked through remediation with defined SLAs. We also run external third-party penetration tests at least once a year.

Our BC/DR plan is maintained and tested every year. Critical vendors are inventoried and assessed against our security requirements annually. SOC 2 reports from subservice organisations are reviewed to confirm our continued compliance.