Data Protection

Protecting client data is our primary obligation. This page covers controls at two levels: the devices our engineers use, and the infrastructure where applications and data reside.


Endpoint Security

Controls applied to engineer workstations and devices.

Endpoint Detection and Response (EDR)

All devices accessing client resources run EDR software:

  • Primary solution: SentinelOne
  • Alternatives: Microsoft Defender for Endpoint, CrowdStrike (per client preference)

EDR provides:

  • Real-time threat detection and behavioral analysis
  • Automated quarantine of suspicious files
  • Continuous monitoring with alerting

Device Compliance

Devices must meet compliance requirements verified by MDM:

Requirement                 Verification
EDR installed and active    JumpCloud agent confirms SentinelOne status
Disk encryption enabled     FileVault (Mac) or BitLocker (Windows) verified
OS current                  Patches within defined window
Device registered           Assigned to authorized user

Non-compliant devices are blocked from accessing client resources.

Patch Management

  • Patches deployed automatically via MDM
  • Users may defer updates for up to 3 days
  • Critical security patches prioritized
  • Applies to OS and managed applications
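The compliance gate described in the Device Compliance table and the 3-day deferral rule above, as an added example (not the firm's own MDM code): it evaluates MDM-reported device attributes against the four requirements and blocks anything non-compliant. The DeviceReport fields, hostnames and dates are assumptions constructed for the example.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Users may defer updates for up to 3 days, so an OS counts as current only
# while its oldest uninstalled patch is still inside that window.
DEFERRAL_WINDOW = timedelta(days=3)

@dataclass
class DeviceReport:
    """Status an MDM agent reports for one device (field names are assumed)."""
    hostname: str
    platform: str                         # "macOS" or "Windows"
    edr_active: bool                      # agent confirms the EDR sensor is running
    disk_encrypted: bool                  # FileVault (macOS) / BitLocker (Windows) on
    oldest_pending_patch: Optional[date]  # release date of oldest uninstalled patch
    assigned_user: Optional[str]          # None when not assigned to an authorized user

def evaluate_device(report: DeviceReport, today: date) -> Tuple[bool, List[str]]:
    """Check the four compliance requirements; return (compliant, failure reasons)."""
    failures: List[str] = []
    if not report.edr_active:
        failures.append("EDR not installed or not active")
    if not report.disk_encrypted:
        tool = "FileVault" if report.platform == "macOS" else "BitLocker"
        failures.append(f"{tool} disk encryption not enabled")
    pending = report.oldest_pending_patch
    if pending is not None and today - pending > DEFERRAL_WINDOW:
        failures.append("OS patches outstanding beyond the 3-day deferral window")
    if not report.assigned_user:
        failures.append("device not registered to an authorized user")
    return (not failures, failures)

def access_decisions(reports: List[DeviceReport], today: date) -> Dict[str, str]:
    """Non-compliant devices are blocked from client resources."""
    return {r.hostname: "allow" if evaluate_device(r, today)[0] else "block"
            for r in reports}

# Constructed sample inventory as of 2024-06-10 (values invented for this example)
TODAY = date(2024, 6, 10)
SAMPLE = [
    DeviceReport("mac-01", "macOS", True, True, date(2024, 6, 8), "alice"),   # deferred 2 days
    DeviceReport("win-02", "Windows", True, True, date(2024, 6, 5), "bob"),   # deferred 5 days
    DeviceReport("mac-03", "macOS", False, True, None, "carol"),              # EDR missing
    DeviceReport("win-04", "Windows", True, False, None, None),               # two failures
]
```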

Device Encryption

All engineer devices have full-disk encryption:

Platform   Method      Standard
macOS      FileVault   AES-256, FIPS 140-3 compliant
Windows    BitLocker   AES-256, FIPS 140-3 compliant

Encryption is enforced via MDM policy. Devices cannot be compliant without it.

Removable Media

USB storage is blocked at the OS level:

  • Read/write/execute denied for removable devices
  • Enforced via MDM policy
  • No exceptions without explicit approval

Infrastructure Security

Controls applied to cloud environments, networks, and hosted services, i.e., what we build for you.

Encryption

At Rest

Platform        Method                        Standard
Cloud storage   Provider encryption           AES-256
Databases       Transparent data encryption   Per platform
Backups         Provider encryption           AES-256

In Transit

All data in transit is encrypted:

  • VPN: AES-256 encryption for network tunnels
  • HTTPS: TLS 1.2+ for all web traffic
  • SSH: For remote access and Git operations
  • API calls: TLS-encrypted endpoints only

Key Management

  • Encryption keys managed by cloud provider
  • No manual key handling by engineers
  • Key rotation per platform best practices

Network Security

VPN Requirements

Access to client networks requires VPN:

  • Site-to-site VPN for persistent connections
  • Client VPN for individual access
  • AES-256 encryption standard
  • MFA required for VPN authentication

Network Isolation and Segmentation

We use logical network segmentation to separate client environments:

  • Single-tenant deployments: Each client engagement runs in isolated infrastructure
  • Dedicated virtual networks: Separate VPCs/VNets per client, preventing lateral access
  • Private subnets: Backend services reside in private subnets with no direct internet exposure
  • Separate billing/resource boundaries: Complete isolation of resources, access controls, and cost management between clients

Example architecture (Azure Virtual Desktop):

┌─────────────────────────────────────────────────────────┐
│                    Azure Environment                    │
│  ┌─────────────────────────────────────────────────┐    │
│  │             Private Virtual Network             │    │
│  │  ┌─────────┐  ┌─────────┐  ┌─────────┐          │    │
│  │  │  VM 1   │  │  VM 2   │  │  VM 3   │          │    │
│  │  └─────────┘  └─────────┘  └─────────┘          │    │
│  │           No inbound internet access            │    │
│  └─────────────────────────────────────────────────┘    │
│                         │                               │
│                    VPN Gateway                          │
│                         │                               │
└─────────────────────────│───────────────────────────────┘
                          │ Site-to-Site VPN
                          │ (AES-256)
              ┌───────────┴───────────┐
              │    Client Network     │
              └───────────────────────┘

Outbound Connectivity Options

VMs cannot initiate outbound connections except through approved channels. We support flexible options depending on your requirements:

  • VPN only: All outbound traffic routes through the VPN to your network. Use this if your policy requires all traffic to pass through your infrastructure.
  • NAT gateway: Outbound traffic exits through a NAT gateway with a known, static IP range (CIDR). You can whitelist these IPs in your firewall. This is useful if a full VPN setup isn’t feasible on your side.
  • VPN + NAT: VPN for traffic to your internal network, NAT for approved external services (package registries, cloud APIs, etc.)

We provide the NAT IP ranges upfront so you can whitelist them as needed. The approach is configured per engagement based on your security policies.

Data Loss Prevention

Data loss prevention is enforced through multiple layers: role-based access control, least-privilege policies, network segmentation, encryption at rest and in transit, and continuous monitoring.

Clipboard and File Transfer (VM Model)

When using Azure Virtual Desktop:

  • Clipboard copy/paste disabled between VM and local machine
  • File download from VM blocked
  • Screen capture disabled
  • Print disabled

Email Restrictions (VM Model)

  • Outbound email (port 25) blocked from VMs
  • Prevents data exfiltration via email
  • Client-approved communication channels used instead

Network-Based DLP

  • Monitoring for unusual data transfer patterns
  • Alerting on large data movements
  • Traffic inspection where applicable
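The "alerting on large data movements" control above, as an added example (not the firm's own tooling): detection logic run over constructed flow records that flags a source whose hourly egress exceeds an absolute limit or a multiple of that source's own median hourly volume. The record format, IP addresses and thresholds are assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median
from typing import Dict, List, Tuple

# Constructed flow records (schema and values invented for this example):
# "<ISO timestamp> <source IP> <destination IP> <bytes sent>"
FLOW_LOGS = """\
2024-06-10T09:00:12 10.10.1.4 52.0.0.10 120000
2024-06-10T09:30:00 10.10.1.4 52.0.0.10 80000
2024-06-10T09:10:00 10.10.1.5 52.0.0.11 3000000000
2024-06-10T10:05:00 10.10.1.4 52.0.0.10 150000
2024-06-10T10:10:00 10.10.1.5 52.0.0.11 100000
2024-06-10T11:15:00 10.10.1.4 52.0.0.10 180000
2024-06-10T12:40:00 10.10.1.4 52.0.0.12 2500000
"""

def parse_flows(text: str) -> List[Tuple[datetime, str, str, int]]:
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        rows.append((datetime.fromisoformat(ts), src, dst, int(nbytes)))
    return rows

def hourly_egress(rows) -> Dict[str, Dict[datetime, int]]:
    """Bytes sent per source, bucketed by hour (insertion order preserved)."""
    totals: Dict[str, Dict[datetime, int]] = defaultdict(lambda: defaultdict(int))
    for ts, src, _dst, nbytes in rows:
        totals[src][ts.replace(minute=0, second=0, microsecond=0)] += nbytes
    return totals

def detect_large_transfers(rows, absolute_limit: int, ratio: float) -> List[Tuple[str, str, int]]:
    """Alert on any hour whose egress exceeds absolute_limit, or exceeds ratio x
    the source's median hourly egress (median is robust to the spike itself)."""
    alerts = []
    for src, hours in hourly_egress(rows).items():
        baseline = median(hours.values())
        for hour, nbytes in sorted(hours.items()):
            if nbytes > absolute_limit or nbytes > ratio * baseline:
                alerts.append((src, hour.isoformat(), nbytes))
    return alerts

def run_sample() -> List[Tuple[str, str, int]]:
    # 1 GB absolute limit, or more than 10x the source's typical hour
    return detect_large_transfers(parse_flows(FLOW_LOGS), 1_000_000_000, 10)
```

The first alert is ratio-based (2.5 MB against a ~190 KB median hour), the second is the absolute 1 GB limit; in practice the baseline would come from a longer history than one day.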

Monitoring and Logging

What We Log

  • Authentication events (success and failure)
  • Resource access (files, databases, systems)
  • Configuration changes
  • Network activity
  • Security alerts and responses

Retention

  • Logs retained per client requirements
  • Default retention: 90 days
  • Extended retention available upon request

Alerting

  • Real-time alerts for security events
  • Escalation procedures defined
  • Client notification for significant events

For incident response procedures, see Incident Response.

Backup and Recovery

When we host infrastructure on your behalf:

Backup Strategy

  • Automated backups: Scheduled backups of databases, application data, and critical configurations
  • Frequency: Backup schedules configured based on data criticality and change rate (daily, hourly, or continuous depending on requirements)
  • Encryption: Backups encrypted at rest using cloud provider encryption

Redundancy

  • Geographic redundancy: Backups stored in separate regions or availability zones from primary data
  • Multiple copies: Critical data backed up to multiple locations to protect against regional failures
  • Isolation: Backup storage accounts separated from production with distinct access controls

Recovery Capabilities

  • Tested restoration: Backup restoration procedures verified periodically to confirm recoverability
  • Point-in-time recovery: Available for databases where supported by the platform
  • Recovery objectives: RTO (Recovery Time Objective) and RPO (Recovery Point Objective) defined per engagement based on your requirements
  • Documented procedures: Runbooks for restoration scenarios

Retention

  • Retention periods configured per engagement requirements
  • Compliance-driven retention available for regulated data
  • Secure deletion of expired backups

For client-hosted environments, we follow your backup policies and procedures.


Security Testing

Penetration Testing

We support regular security assessments and are flexible on how these are arranged:

  • We engage a third party: We can arrange penetration tests through external security providers on a periodic basis
  • You engage a third party: If you prefer to use your own security assessors, we facilitate access and cooperate fully with the testing process
  • Continuous vulnerability scanning: Automated scanning integrated with cloud security tooling (Azure Security Center, AWS Security Hub, or equivalent)
  • Remediation tracking: Findings are triaged, prioritized, and remediated according to severity

For client-hosted environments, we participate in client-led security assessments as required.

Application Security Testing

Security is integrated throughout our development lifecycle:

  • Automated security scans: Run on every pull request as part of CI/CD
  • Dependency vulnerability scanning: Continuous monitoring of third-party packages
  • Code scanning: Static analysis for common security issues before deployment
  • Pre-deployment checks: Security gates in the deployment pipeline

Vulnerability Management

We maintain a proactive approach to vulnerability management:

  • Threat intelligence: We monitor security advisories and threat feeds relevant to our technology stack
  • Automated patching: Security patches are deployed through MDM (devices) and infrastructure automation (cloud)
  • Dependency tracking: Package versions and vulnerabilities tracked across projects
  • Regular dependency updates: Outdated or vulnerable packages are updated on a defined schedule
  • Network segmentation and least-privilege access: Limits exposure if vulnerabilities are exploited

Data Handling by Classification

Controls are calibrated to data sensitivity:

Classification        Controls Applied
Public                Standard encryption, access logging
Internal              Above + restricted access, need-to-know
Confidential          Above + enhanced monitoring, restricted channels
Highly Confidential   Above + VM isolation, no local storage

Compliance Alignment

Our controls align with:

  • SOC 2 Type II principles
  • ISO 27001 controls
  • NIST Cybersecurity Framework
  • GDPR requirements (where applicable)

We implement controls consistent with these frameworks.
