Security Measures

Technical and Organizational Safeguards

Effective Date: May 1, 2026
Version: 1.0
Last Updated: April 13, 2026

Introduction

This document describes the security measures Equerra implements to protect your data when using our Software products.

Purpose: Transparency about our security practices and compliance with data protection obligations.

Standards: Our security program follows industry best practices and aligns with:

  • ISO/IEC 27001:2013 (Information Security Management) framework
  • ISO/IEC 27017:2015 (Cloud Security) guidelines
  • ISO/IEC 27018:2019 (Protection of PII in Public Clouds) principles
  • NIST Cybersecurity Framework
  • Cloud Security Alliance (CSA) Security Guidance
  • OWASP Top 10 for application security

Note: While Equerra follows ISO 27001 controls and best practices, we are not currently ISO 27001 certified.

Microsoft Azure: Customer data hosted in Microsoft Azure data centers benefits from Microsoft's certifications (ISO 27001, SOC 2, PCI DSS). Full list: Azure Compliance

1. Access Control and Authentication

1.1 Physical Security

Data Center Security (Microsoft Azure):

  • Biometric access controls
  • 24/7 surveillance and monitoring
  • Visitor management systems
  • Multiple layers of physical security

Equerra personnel have no physical access to data center infrastructure.

1.2 Logical Access Controls

Multi-Factor Authentication (MFA):

  • Required for all employee access to systems processing customer data
  • Individual user accounts (no shared credentials)
  • MFA enforced through Azure Active Directory

Role-Based Access Control (RBAC):

  • Principle of least privilege
  • Access granted only as necessary for job function
  • Regular access reviews (quarterly)
  • Immediate revocation upon termination

Authentication Security:

  • Strong password policies (complexity, rotation)
  • Single sign-on (SSO) with conditional access
  • Session timeouts for inactive users
  • IP restrictions for administrative access

1.3 Access Monitoring

  • Comprehensive logging of authentication attempts
  • Automated alerts for suspicious patterns
  • Regular audit log reviews
  • Failed login attempt tracking

2. Data Encryption

2.1 Data in Transit

Transport Layer Security:

  • TLS 1.2 or higher for all connections
  • Perfect forward secrecy enabled
  • Certificate pinning for critical connections
  • No SSL, TLS 1.0, or TLS 1.1

Protocols: HTTPS only for web interfaces, encrypted channels for all data transmission.

2.2 Data at Rest

Storage Encryption:

  • AES-256 encryption for all customer data
  • Microsoft Azure Storage Service Encryption
  • Database-level encryption
  • File-level encryption for documents

Key Management:

  • Keys stored in Azure Key Vault
  • Hardware Security Modules (HSMs)
  • Regular key rotation
  • Separation of key management from data access

2.3 Backup Encryption

  • All backups encrypted using AES-256
  • Separate encryption for backup data
  • Encrypted transmission of backups
  • Secure backup storage with access controls

3. Network Security

3.1 Network Architecture

Segmentation:

  • Logical separation of customer environments
  • Multi-tenant architecture with tenant isolation
  • Separate networks for production, testing, corporate
  • Virtual Private Clouds (VPCs) with restricted connectivity

Firewalls:

  • Web Application Firewall (WAF) protecting internet-facing services
  • Network firewalls with default-deny rules
  • Regular firewall rule reviews
  • Minimal open ports

3.2 Intrusion Detection and Prevention

Monitoring:

  • Network Intrusion Detection Systems (NIDS)
  • Real-time threat intelligence integration
  • Automated blocking of malicious traffic
  • 24/7 security operations center (SOC)

DDoS Protection:

  • Microsoft Azure DDoS mitigation
  • Rate limiting and traffic shaping
  • Automatic scaling for traffic spikes

3.3 Vulnerability Management

Scanning and Testing:

  • Continuous vulnerability scanning
  • Annual penetration testing by independent third parties
  • Application security testing for all releases
  • Risk-based remediation (critical within 14 days)

Patch Management:

  • Automated patch deployment
  • Testing in non-production environments
  • Emergency patching for critical vulnerabilities

4. Organizational Security

4.1 Security Policies

Documentation:

  • Information Security Policy (reviewed annually)
  • Data Protection Policy
  • Incident Response Plan (tested quarterly)
  • Business Continuity Plan
  • Change Management Procedures

Governance:

  • Chief Information Security Officer (CISO)
  • Privacy Officer
  • Clear security responsibilities for all roles

4.2 Personnel Security

Background Checks:

  • Background verification for employees with data access (where legally permissible)
  • Confidentiality and NDA agreements for all personnel
  • Ongoing monitoring for high-risk roles

Training and Awareness:

  • Mandatory annual security training for all employees
  • Specialized data protection training for personnel handling personal data
  • Quarterly phishing awareness training and simulations
  • Regular security awareness campaigns

Clear Desk Policy:

  • Clean desk requirements
  • Screen lock after 10 minutes of inactivity
  • Secure disposal of physical documents

5. Incident Detection and Response

5.1 Monitoring

Security Information and Event Management (SIEM):

  • Centralized logging of security events
  • Real-time correlation and analysis
  • Automated alerting for threats
  • 12-month log retention minimum
  • Tamper-proof log storage

5.2 Incident Response

24/7 Capability:

  • Incident response team available around the clock
  • Documented procedures and playbooks
  • Defined escalation paths
  • Regular testing (quarterly tabletop exercises)

Data Breach Response:

  • Immediate containment procedures
  • Forensic investigation capabilities
  • Notification workflows (24-hour target for customer notification)
  • Post-incident review and lessons learned

5.3 Security Monitoring

  • Continuous monitoring of security controls
  • Automated alerting for anomalies
  • Regular security metrics and KPIs
  • Threat hunting activities

6. Application Security

6.1 Secure Development

Secure Development Lifecycle (SDL):

  • Security requirements in design phase
  • Threat modeling for new features
  • Secure coding standards and guidelines
  • Code review with security checks

Testing:

  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Dependency scanning for vulnerabilities
  • API security testing

6.2 Software Composition

Third-Party Components:

  • Tracking of all dependencies
  • Automated scanning for known vulnerabilities
  • Regular updates of third-party libraries
  • License compliance verification

6.3 Deployment Security

  • Immutable infrastructure where feasible
  • Automated deployment pipelines
  • Configuration management
  • Strict separation of development, test, production

7. Business Continuity and Disaster Recovery

7.1 Backup and Recovery

Backup Strategy:

  • Daily incremental backups
  • Weekly full backups
  • Geographic redundancy (backups in separate Azure regions)
  • Monthly backup integrity testing

Recovery Objectives:

  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 24 hours maximum data loss

7.2 Business Continuity

Planning:

  • Business continuity plans tested annually
  • Backup personnel for critical roles
  • Alternate processing facilities identified
  • Regular plan reviews and updates

Service Availability:

  • Redundant systems and infrastructure
  • Geographic redundancy for critical components
  • Automatic failover capabilities

8. Vendor and Sub-Processor Security

8.1 Third-Party Management

Assessment:

  • Security assessments before engagement
  • Contractual security requirements
  • Regular vendor risk reviews
  • Right to audit security controls

Sub-Processors:

  • Equivalent security obligations required
  • Data Processing Agreements with security terms
  • Regular security reviews
  • Incident notification requirements

Current Sub-Processors: Sub-Processor List

8.2 Vendor Access

  • Vendor access limited to minimum necessary
  • All vendor access logged and monitored
  • Time-limited access grants
  • Multi-factor authentication required

9. Data Protection Measures

9.1 Data Minimization

Collection:

  • Collect only data necessary for services
  • Avoid special categories of personal data
  • Clear purpose specification

Retention:

  • Active subscription: Data retained as necessary
  • After termination: 30-day retrieval, then deletion
  • Backup retention: 90 days maximum
  • Legal holds documented and time-limited

9.2 Data Segregation

Multi-Tenancy:

  • Logical separation of customer data
  • Tenant-level isolation
  • Access controls prevent cross-tenant access

9.3 Secure Deletion

Deletion Methods:

  • Secure deletion preventing recovery
  • Multi-pass overwriting where applicable
  • Destruction certificates for physical media
  • Deletion audit trails maintained

10. Compliance and Certification

10.1 Current Status

Equerra:

  • Follows ISO 27001 controls and best practices
  • Regular third-party security assessments
  • Annual penetration testing by independent firms
  • Continuous security improvement program

Note: Equerra is not currently ISO 27001 certified. Our security program implements ISO 27001 controls and undergoes regular independent assessment.

Microsoft Azure (inherited):

  • ISO 27001, ISO 27017, ISO 27018
  • SOC 1 Type 2, SOC 2 Type 2, SOC 3
  • PCI DSS Level 1 (where applicable)
  • Regional certifications per tenant location

10.2 Independent Verification

Regular Assessments:

  • Annual third-party security audits
  • External penetration testing (minimum annually)
  • Application security testing per release
  • Code security reviews

10.3 Continuous Improvement

Review Cycles:

  • Quarterly security measure reviews
  • Annual policy updates
  • Post-incident improvements
  • Regular threat modeling

11. Security Incident Notification

11.1 Notification to Customers

If we identify a security incident affecting your data:

Timeline: Within 24 hours of becoming aware (where feasible)

Information Provided:

  • Nature of the incident
  • Data affected
  • Impact assessment
  • Containment and remediation actions
  • Contact for questions

11.2 Regulatory Notification

We comply with breach notification requirements:

  • NZ: Privacy Commissioner within 72 hours if serious harm likely
  • AU: OAIC as soon as practicable if serious harm likely
  • GDPR: Supervisory authority within 72 hours

Full Details: Privacy Policy and Data Processing Agreement

12. Your Security Responsibilities

12.1 Account Security

You Are Responsible For:

  • Maintaining confidentiality of account credentials
  • Implementing strong passwords
  • Enabling multi-factor authentication
  • Promptly reporting suspected unauthorized access
  • Managing user access within your organization

12.2 Data Classification

Appropriate Use:

  • Don't input data more sensitive than necessary
  • Inform us if you'll process special categories of personal data
  • Follow your own data classification policies

12.3 Incident Reporting

Report to Us:

  • Suspected security incidents
  • Lost or stolen credentials
  • Unusual account activity
  • Potential vulnerabilities

Contact: security@equerra.com (for security incidents)

13. Security Updates and Communication

13.1 Update Frequency

This document is reviewed and updated:

  • Quarterly by the security team
  • Annually by external auditors
  • Following security incidents
  • When new threats are identified
  • When adopting new technologies

13.2 Notification of Changes

Material changes communicated via:

  • Updates to this page
  • Email to account administrators (for significant changes)
  • In-product notifications where appropriate

Current Version: Available at www.equerra.com/security

14. Security Questions and Assessments

14.1 Security Questionnaires

We respond to reasonable security questionnaires from customers and prospects.

Request: Email security@equerra.com

Typical Response Time: 10 business days

14.2 Security Documentation

Available upon request under NDA:

  • Security policies and procedures
  • Third-party audit summaries
  • Penetration test results (redacted)
  • Compliance certifications

Contact Information

Security Team: security@equerra.com

Privacy Officer: privacy@equerra.com

General Support: support@equerra.com

Postal Address:

Equerra Limited
2nd Level
40 Lady Elizabeth Lane
Wellington Central
New Zealand 6011

Version Control

Version   Date          Changes
1.0       May 1, 2026   Initial publication

Equerra Limited
Strategic Solutions for Modern Business

© 2026 Equerra Limited. All rights reserved.