
Security posture.

The architectural defaults that ship with every engagement, the compliance posture we maintain, and the incident-response procedures we run.

01 · ARCHITECTURAL DEFAULTS

Encryption: AES-256 at rest (S3, EBS, RDS, DynamoDB). TLS 1.3 in transit. Secrets in AWS Secrets Manager / Cloudflare Secrets / Doppler — never in code, never in env files committed to repos.
IAM: Least-privilege by default. SSO via Google Workspace / Okta / Azure AD where the client uses one. MFA enforced on every privileged account. No shared accounts, no service-account password sharing.
Audit logging: CloudTrail / CloudWatch / Cloudflare Logs on every privileged action. 90-day retention by default, extended on regulated engagements. Logs are immutable.
Backup + restore: Tested quarterly, not just configured. RPO + RTO documented per system. Point-in-time recovery on every production database.
Vulnerability scanning: Dependabot / Snyk / Trivy on every repository. CVE response: critical within 24 hours, high within 72 hours, all others within the current sprint.
Code review: Two-reviewer minimum on production-bound PRs. Automated security linters (Semgrep, Bandit, ESLint security plugin). No direct push to main.

02 · COMPLIANCE POSTURE

ISO 9001:2015: Quality-management system certified, audit-firm verified. Process artefacts (decision logs, RACI, change-control) ship with every deliverable.
SOC 2 Type II: Audit-ready. Formal audit-firm engagement quoted separately if the client requires a fresh attestation. Architectural defaults are SOC 2-aligned out of the box.
HIPAA / BAA: BAA-eligible. PHI flow modelled in week 1 of healthcare engagements. Verified pattern across 14+ healthcare clients. Sample BAA on request.
GDPR · UK GDPR · DPDP 2023: Privacy-by-design. Data-fiduciary obligations modelled per jurisdiction. DPA template provided. Deletion + portability flows specified per SOW where personal data is in scope.
PCI-DSS-aware: Payment-data architecture defaults to tokenized flows via Stripe / Adyen / Razorpay. Cardholder data does not transit our build unless explicitly required.

03 · INCIDENT RESPONSE

On-call rotation: Named partner accountable on every engagement. CEO escalation within 24 hours if the named partner is unreachable.
Severity tiers: P0 (service down): response within 1 hour, all hands. P1 (degraded): 4 hours. P2 (functional issue): 12 business hours. P3 (cosmetic): next sprint.
Breach notification: 72 hours to client and supervisory authority where regulation requires (GDPR Art. 33, DPDP §8(6)). Sooner if there is material risk to data subjects.
Post-incident: Written RCA within 5 business days. Includes timeline, root cause, customer impact, remediation, and what we changed so it does not happen again.

04 · PERSONNEL

Background checks: Standard pre-employment verification on every full-time hire. Reference checks. Identity verification.
Security training: Annual and mandatory for every engineer. OWASP Top 10 + secure-coding patterns + incident-response drill.
Access management: New-hire access provisioned least-privilege. Departures: all credentials revoked same-day, audited.
Code custody on departure: No engineer takes client code with them. Repos live in the client's GitHub, not ours. Engineer departure does not put client IP at risk.

05 · DEEP-DIVE ARTIFACTS

Architectural defaults are stable across engagements; specific implementations vary with the client's regulatory posture and existing controls. If your security review needs more depth than this page provides, email hello@alliedbiz.tech with the subject "Security review - deep dive" and we'll send the relevant artifacts (SOC 2 readiness statement, sample BAA, PHI-flow diagram, ISO certificate PDF) within 12 business hours.

Ready when you are.

30 minutes, no obligation. We walk through your stack, identify the highest-leverage engagement, and either commit to an SOW within 24 hours or step aside cleanly.

Book a 30-min call →