# Security measures We adhere to a 15-point Security Principle Framework that prioritizes proactive design, strict access controls, and resilience. The strategy is built on the philosophy that security is everyone's responsibility, compliance is merely a baseline, and systems must be designed assuming that breaches can occur (Zero Trust). #### Pillar 1: Secure Architecture & Infrastructure Focus: Building a hardened foundation that minimizes the blast radius of any potential attack. * Security by Design & Defense in Depth: We do not rely on a single control. Security is integrated during the architecture phase to prevent costly rework, using layered defenses (e.g., App auth + Network ACLs). * Zero Trust & Immutable Infrastructure: We trust nothing by default. Every request is verified regardless of origin. Infrastructure is deployed via code (IaC) rather than manual patches to prevent configuration drift. * Resilience: We design systems to degrade gracefully, assuming failure is inevitable, and prioritize fast recovery (MTTR). #### Pillar 2: Identity & Access Management Focus: Ensuring only the right people and services have access to the right resources. * Least Privilege: Access is restricted to the absolute minimum required for a role. * Strong IAM: We enforce centralized identity management and Multi-Factor Authentication (MFA) to protect against credential theft. #### Pillar 3: The Secure Development Lifecycle (SDLC) Focus: Automating security to catch vulnerabilities before they reach production. * Shift Left: Security testing (static analysis) happens early in the CI/CD pipeline, not just before deployment. * Secure Defaults: Systems launch with the most secure settings enabled automatically (e.g., encryption on by default). * Supply Chain Security: We actively scan and validate third-party dependencies and libraries to prevent upstream attacks. #### Pillar 4: Visibility & Data Protection Focus: Knowing what we have, protecting it, and watching it closely. * Data Classification: Sensitive data (PII/PHI) is identified, tagged, and encrypted according to its risk level. * Auditability & Monitoring: We implement comprehensive logging and real-time behavioral analytics to detect anomalies immediately. * Incident Readiness: We don't just watch; we practice. Tabletop exercises ensure we are ready to respond to incidents effectively. #### Pillar 5: Culture & Compliance Focus: Making security a human norm rather than just a technical requirement. * Shared Responsibility: Security is an organizational norm; engineers are trained to own the security of their code. * Compliance as Baseline: We view regulatory requirements as the "floor," not the "ceiling," effectively going beyond what is legally required to ensure true safety. For more information please visit our[ Trust Centre on Vanta](https://app.vanta.com/owkin/trust/qq8guymgbci1jnk49kjbc) Email: