
Security Practices

Last updated: March 1, 2025
Effective: March 1, 2025

ShieldOps is a security company. The security of your data and our platform is not a compliance exercise — it is the foundation of everything we build. This page describes our security architecture, certifications, internal controls, and how to report vulnerabilities responsibly.

01 Certifications and audits

[CUSTOMISE: your primary compliance framework]. ShieldOps is designed to support annual third-party audits against frameworks such as SOC 2 Type II, aligned to the Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity). [CUSTOMISE: describe your actual audit cadence and reporting]. Contact security@shieldops.io to request available documentation.

[CUSTOMISE: additional frameworks]. Our Information Security Management System (ISMS) is designed to support certification against [CUSTOMISE: your target frameworks, e.g. ISO 27001]. [CUSTOMISE: certificate number, scope, and expiry — only populate once certified].

Penetration testing. We engage an independent third-party penetration testing firm for a comprehensive annual test of our production environment, including network, application, and API layers. Critical and high findings are remediated within 14 days of the report. Customers may request an executive summary of the most recent test results.

02 Infrastructure and data security

Cloud infrastructure. ShieldOps is hosted on [CUSTOMISE: your primary cloud provider and region] with [CUSTOMISE: describe failover or DR arrangement, if any]. Customer data residency options are aligned to your jurisdiction and documented in your order form. Customer data is never transferred across regions without explicit written consent.

Encryption. All data is encrypted in transit using TLS 1.3 (minimum). All data at rest is encrypted using AES-256 via your cloud provider's key management service, with customer-managed key (CMK) support available on Enterprise plans. Encryption keys are rotated annually or upon any suspected compromise.

Network security. Our production environment is isolated in a VPC with no public-facing administrative interfaces. All ingress is mediated by a WAF with DDoS protection. Internal service-to-service communication uses mutual TLS. Network access logs are retained for 12 months.

Backups. Customer data is backed up every 6 hours to geographically separate storage with 30-day point-in-time recovery. Backups are encrypted with a separate key hierarchy from production. Restoration is tested monthly.

03 Access controls

Employee access. No ShieldOps employee has standing access to customer data. Access to production systems requires a time-limited, manager-approved just-in-time (JIT) grant that expires after 8 hours. All production access is logged, monitored, and reviewed weekly by our security team.

Authentication. All ShieldOps staff use phishing-resistant multi-factor authentication ([CUSTOMISE: e.g. hardware security keys / passkeys / FIDO2]) for access to internal systems. Passwords alone are not accepted for access to any system containing customer data. Contractor access follows the same policy.

Background screening. All employees and contractors with access to production systems undergo pre-employment background screening appropriate to their role and jurisdiction.

04 Vulnerability disclosure and bug bounty

ShieldOps maintains a responsible disclosure programme. If you discover a security vulnerability in our platform or website, we ask that you report it to security@shieldops.io with the subject line 'Vulnerability Report'. Please include: a description of the vulnerability, steps to reproduce, and your assessment of the potential impact.

We commit to: acknowledging your report within [CUSTOMISE: your acknowledgement SLA]; providing an initial severity assessment within [CUSTOMISE: your triage SLA]; keeping you informed of remediation progress; and, with your permission, crediting you in our security changelog upon resolution.

We ask that you do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it (typically 90 days for critical issues). We will not pursue legal action against researchers acting in good faith under this policy.

05 Incident response

ShieldOps maintains a documented incident response plan tested via tabletop exercises twice per year. Our incident severity taxonomy aligns with our own threat platform — Critical (P1), High (P2), Medium (P3), Low (P4).

In the event of a security incident affecting customer data, we will: notify affected customers within [CUSTOMISE: your breach notification SLA commitment] of determining a breach has occurred; provide a full incident report within 30 days of resolution, including root cause analysis and remediation steps; and co-operate fully with any regulatory investigation.

06 Subprocessor security

All third-party subprocessors undergo security review before onboarding and annually thereafter. We require all subprocessors with access to customer data to maintain [CUSTOMISE: your required compliance posture for subprocessors, e.g. SOC 2 Type II or equivalent], sign a Data Processing Agreement, and notify us within 24 hours of any security incident affecting ShieldOps customer data. Our current subprocessor list — [CUSTOMISE: list your sub-processors] — is maintained at https://shieldops.io/sub-processors.

07 Physical security

ShieldOps does not operate its own data centres. All physical infrastructure is hosted in [CUSTOMISE: your primary cloud provider and region] facilities, which maintain their own third-party certifications (see your provider's compliance page). Physical access to these facilities is controlled by the respective cloud providers. ShieldOps offices are access-controlled, monitored, and subject to a clean-desk policy. Laptops are encrypted with full-disk encryption and remotely wipeable.

Questions about this policy?

Our legal and privacy team responds within 2 business days.

legal@shieldops.io