Security Practices

SOC 2 Type II. ShieldOps is designed to support annual third-party audits against the SOC 2 Type II Trust Services Criteria (Security, Availability, Confidentiality, Processing Integrity). When the deploying organisation has completed an audit, executive summaries can be made available to customers under NDA. Contact security@shieldops.io for current documentation.

ISO 27001. The platform's Information Security Management System (ISMS) is designed to align with ISO/IEC 27001:2022. ISMS scope, statement of applicability, and any certification status held by the deploying organisation can be shared with customers under NDA.

Penetration testing. The platform supports a programme of independent third-party penetration testing covering network, application, and API layers. Where the deploying organisation runs such a programme, executive summaries of the most recent test can typically be provided to customers under NDA.

Cloud infrastructure. ShieldOps is designed to deploy on a Tier 1 cloud provider across multiple regions with active-active multi-AZ failover and cross-region disaster recovery. Customer data residency options are aligned to your jurisdiction and documented in your order form. Customer data is never transferred across regions without explicit written consent.

Encryption. All data is encrypted in transit using TLS 1.3 (minimum). All data at rest is encrypted using AES-256 via your cloud provider's key management service, with customer-managed key (CMK) support available on Enterprise plans. Encryption keys are rotated annually or upon any suspected compromise.

Network security. Our production environment is isolated in a VPC with no public-facing administrative interfaces. All ingress is mediated by a WAF with DDoS protection. Internal service-to-service communication uses mutual TLS. Network access logs are retained for 12 months.

Backups. Customer data is backed up every 6 hours to geographically separate storage with 30-day point-in-time recovery. Backups are encrypted with a separate key hierarchy from production. Restoration is tested monthly.

Employee access. No ShieldOps employee has standing access to customer data. Access to production systems requires a time-limited, manager-approved just-in-time (JIT) grant that expires after 8 hours. All production access is logged, monitored, and reviewed weekly by our security team.

Authentication. All ShieldOps staff use phishing-resistant multi-factor authentication (FIDO2 hardware security keys and platform passkeys) for access to internal systems. Passwords alone are not accepted for access to any system containing customer data. Contractor access follows the same policy.

Background screening. All employees and contractors with access to production systems undergo pre-employment background screening appropriate to their role and jurisdiction.

ShieldOps maintains a responsible disclosure programme. If you discover a security vulnerability in our platform or website, we ask that you report it to security@shieldops.io with the subject line 'Vulnerability Report'. Please include: a description of the vulnerability, steps to reproduce, and your assessment of the potential impact.

We commit to: acknowledging your report within 24 hours; providing an initial severity assessment within 72 hours; keeping you informed of remediation progress; and, with your permission, crediting you in our security changelog upon resolution.

We ask that you do not publicly disclose the vulnerability before we have had a reasonable opportunity to remediate it (typically 90 days for critical issues). We will not pursue legal action against researchers acting in good faith under this policy.

ShieldOps maintains a documented incident response plan tested via tabletop exercises twice per year. Our incident severity taxonomy aligns with our own threat platform — Critical (P1), High (P2), Medium (P3), Low (P4).

In the event of a security incident affecting customer data, we will: notify affected customers within 72 hours of determining a breach has occurred; provide a full incident report within 30 days of resolution, including root cause analysis and remediation steps; and co-operate fully with any regulatory investigation.

All third-party subprocessors undergo security review before onboarding and annually thereafter. We require all subprocessors with access to customer data to maintain SOC 2 Type II or ISO 27001 certification, sign a Data Processing Agreement, and notify us within 24 hours of any security incident affecting ShieldOps customer data. Our current subprocessor list — covering cloud hosting, monitoring, email delivery, payments, and status communication — is maintained at https://shieldops.io/sub-processors.

ShieldOps does not operate its own data centres. All physical infrastructure is hosted in multi-region facilities operated by our cloud provider, which maintain their own third-party certifications (see your provider's compliance page). Physical access to these facilities is controlled by the cloud provider. ShieldOps offices are access-controlled, monitored, and subject to a clean-desk policy. Laptops are encrypted with full-disk encryption and remotely wipeable.