SECURITY & COMPLIANCE

Effective: January 2026

TRUST CENTER STATEMENT: Backbeam Studio's architecture follows a "Defense in Depth" strategy. We do not trust the network perimeter alone; we enforce strict authentication and encryption at every layer of the stack, so a compromise of one layer does not give an attacker the next.

1. Corporate Governance & Personnel

Security begins with people. Our governance framework ensures that every employee, contractor, and sub-processor adheres to rigorous standards.

  • Background Screening: All personnel undergo comprehensive criminal and professional background checks prior to accessing any corporate systems.
  • Security Awareness Training: Employees participate in mandatory security onboarding and continuous phishing simulation exercises. Failure to pass simulations results in remedial training and access revocation.
  • Policy Enforcement: We maintain strict internal policies regarding Acceptable Use, Password Management (1Password mandatory), and Remote Work Security.
  • Device Security: All corporate devices are centrally managed (MDM), full-disk encrypted, and monitored for compliance. Non-compliant devices are automatically blocked from accessing internal resources.

2. Cloud Infrastructure

We deploy exclusively on Tier-1 Global Cloud Providers that certify compliance with ISO 27001, SOC 2 Type II, and PCI-DSS Level 1.

Resilience & Availability

  • Multi-AZ Redundancy: Data is replicated across multiple Availability Zones (AZs) within a region to withstand the loss of an individual data center.
  • DDoS Mitigation: We utilize advanced edge-layer scrubbing to absorb volumetric attacks before they reach our origin.

Network Security

  • VPC Isolation: All compute resources run within private virtual networks with no public IP addresses and are not directly reachable from the public internet; inbound traffic reaches them only through the edge layer.
  • WAF (Web Application Firewall): Inbound requests are inspected and filtered at the edge for SQL injection, cross-site scripting (XSS), and malicious bot activity before they reach application servers.

3. Data Protection

We assume the network is hostile. Therefore, data is encrypted both at rest and in transit, with strict key management procedures.

Encryption Standards

  • In Transit: TLS 1.3 is preferred and TLS 1.2 is the minimum accepted version, with strong cipher suites only. HSTS is enabled and the domain is submitted to the HSTS preload list, so browsers refuse plaintext HTTP connections even on first visit.
  • At Rest: Files and databases are encrypted with AES-256.
  • Key Management: Encryption keys are rotated automatically. Master keys are stored in Hardware Security Modules (HSM) managed by our cloud provider.
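The preload requirement above is checkable from the header alone. The following is an added example (not Backbeam Studio's own tooling): it parses a Strict-Transport-Security header value per RFC 6797 and reports anything that would block submission to the hstspreload.org list, which requires a max-age of at least one year (31536000 seconds), includeSubDomains, and the preload directive. The sample header values in the usage section are constructed.

```python
"""Check a Strict-Transport-Security header value against the HSTS preload
list submission requirements (hstspreload.org). Added example; the header
values used below are constructed, not captured from any real host."""

from typing import Dict, List, Optional

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds, the preload minimum


def parse_hsts(header_value: str) -> Dict[str, Optional[str]]:
    """Parse an HSTS header value into {directive-name: value-or-None}.

    Directive names are case-insensitive (RFC 6797 section 6.1) and each may
    appear at most once; a duplicate makes the whole header invalid, so we
    raise rather than silently keep either copy.
    """
    directives: Dict[str, Optional[str]] = {}
    for part in header_value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, sep, value = part.partition("=")
        name = name.strip().lower()
        # Quoted values are permitted by the grammar; strip the quotes.
        parsed_value = value.strip().strip('"') if sep else None
        if name in directives:
            raise ValueError(f"duplicate directive: {name}")
        directives[name] = parsed_value
    return directives


def preload_problems(header_value: str) -> List[str]:
    """Return the reasons a header fails the preload requirements.

    An empty list means the header is preload-eligible.
    """
    try:
        d = parse_hsts(header_value)
    except ValueError as exc:
        return [str(exc)]

    problems: List[str] = []
    max_age = d.get("max-age")
    if max_age is None:
        # max-age is mandatory; without it browsers ignore the header entirely.
        problems.append("missing max-age (header is invalid without it)")
    elif not max_age.isdigit():
        problems.append(f"max-age is not a non-negative integer: {max_age!r}")
    elif int(max_age) < PRELOAD_MIN_MAX_AGE:
        problems.append(
            f"max-age {max_age} is below the one-year minimum "
            f"{PRELOAD_MIN_MAX_AGE}"
        )
    if "includesubdomains" not in d:
        problems.append("missing includeSubDomains")
    if "preload" not in d:
        problems.append("missing preload")
    return problems


if __name__ == "__main__":
    # Constructed sample headers: one eligible, two that would be rejected.
    samples = [
        "max-age=63072000; includeSubDomains; preload",
        "max-age=31536000; includeSubDomains",
        "max-age=300; includeSubDomains; preload",
    ]
    for header in samples:
        issues = preload_problems(header)
        print(f"{header!r}: {'OK' if not issues else '; '.join(issues)}")
```

Run it against the value returned by your own origin (for example, the Strict-Transport-Security header from a `curl -sI https://<host>` response) rather than the constructed samples; a header that passes here still has to be served on the bare domain over a valid certificate with HTTP redirecting to HTTPS before the preload list will accept it.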

Data Lifecycle

  • Retention: Customers configure their own retention policies. By default, logs persist for 90 days before secure deletion.
  • Deletion: Deleted data is first "soft deleted" and then permanently purged from physical storage within 30 days of the deletion request, giving a short recovery window before final destruction.

4. Application Security (AppSec)

We integrate security into our Development Lifecycle (SDLC). Code is not shipped unless it passes security gates.

  • Static Analysis (SAST): Automated tools scan every commit for known vulnerability classes (e.g., the OWASP Top 10) before it can be merged.
  • Dependency Scanning (SCA): We continually monitor our open-source dependencies (npm, pip) for published CVEs. Patches for critical vulnerabilities are applied within 24 hours of release.
  • Peer Review: No code is merged to production without approval from at least one senior engineer.
  • Responsible Disclosure: We maintain a Responsible Disclosure program that rewards security researchers for reporting findings to us first.

5. Identity & Access Management (IAM)

Zero Trust Architecture

We verify explicitly, use least privilege access, and assume breach.

  • Multi-Factor Authentication (MFA): Hardware keys (FIDO2/WebAuthn) or TOTP are required for all administrative access. No exceptions.
  • Just-in-Time (JIT) Access: Production database access is not persistent. Engineers must request ephemeral access grants that expire automatically.
  • Audit Logging: Every action taken by staff within the infrastructure is logged to an immutable audit trail.

6. Compliance & Audits

Our infrastructure providers verify their physical security and controls via:

  • SOC 2 Type II
  • ISO 27001
  • PCI-DSS Level 1
  • HIPAA Eligible

7. Incident Response

We maintain a documented Incident Response Plan (IRP) tested annually.

  • Detection: 24/7 automated anomaly monitoring and alerting across the infrastructure.
  • Communication: Dedicated status page and email alerts for service disruptions.
  • Transparency: We commit to publishing Post-Mortem analyses for significant incidents.

8. Contact Security Team

To report a vulnerability or request a copy of our CAIQ (Consensus Assessments Initiative Questionnaire), email security@backbeamstudio.co.uk. Use our PGP key for sensitive communications.