Security as an engineering discipline.

Deburise builds and operates AI systems that often touch sensitive business data. We approach security as an ongoing engineering practice - not a checkbox - and apply it across every layer: code, infrastructure, people, vendors, and operations.

This page summarises the safeguards we use. For client engagements with specific security requirements (e.g. healthcare, financial services), we align with sector standards and document compensating controls in your Data Processing Agreement and security questionnaire responses.

We encrypt data both in transit and at rest as a baseline across all production systems we operate:

• In transit: TLS 1.2 minimum (TLS 1.3 preferred). HSTS enforced on web endpoints. End-to-end encryption for sensitive internal communication.
• At rest: AES-256 for all databases, object storage, and backups. Disk-level encryption on all team devices.
• Key management: Cloud KMS (AWS KMS / Google KMS / Azure Key Vault) with regular rotation. No hard-coded credentials in source code.
• Secrets handling: All secrets stored in dedicated secret managers (Vault, AWS Secrets Manager). Never in environment files committed to source control.

We follow least-privilege access principles across every system that handles client data:

• Multi-factor authentication (MFA) required for every employee on every system that handles client data or production infrastructure. Hardware keys preferred where supported.
• Single sign-on (SSO) via a centrally managed identity provider, with role-based access groups.
• Just-in-time access for production environments - engineers request temporary elevated permissions, which auto-expire after the task is complete.
• Quarterly access reviews - every employee's access rights are reviewed and trimmed against current responsibilities.
• Off-boarding within 24 hours - access revoked promptly when team members leave.

Our production infrastructure runs on Tier-1 cloud providers (AWS, Google Cloud, Microsoft Azure), each with their own deep security certifications and physical safeguards. We add the following layers on top:

• Network isolation: Private VPCs, security groups, and network policies that block public access to internal services by default.
• Environment separation: Production, staging, and development environments use separate cloud accounts/projects with no shared credentials or data.
• Backups: Encrypted, geo-redundant backups with periodic restore testing to verify recoverability.
• DDoS protection: Cloudflare (or equivalent) edge protection in front of all public endpoints.
• Endpoint protection: Managed endpoint detection and response (EDR) on all team devices, with full-disk encryption and remote-wipe capability.

Most security incidents start with people. We invest accordingly:

• Background checks for every full-time hire before joining (subject to local law).
• Confidentiality agreements signed by every employee and contractor before access to client data.
• Annual security training covering phishing, password hygiene, social engineering, data classification, and incident reporting.
• Privacy-by-design training for engineers - GDPR, CCPA, DPDP, and other applicable frameworks.
• Regular phishing simulations to identify and coach team members who need extra training.

We build software with security baked into the development process:

• Code review by a second engineer before any change reaches production.
• Automated security scans on every pull request - SAST, dependency vulnerabilities, secrets detection, and license compliance.
• Pinned dependencies and rapid patching of high-severity advisories (target: 7 days for critical CVEs).
• OWASP Top 10 awareness baked into our engineering practices - input validation, parameterised queries, output encoding, authentication, session management.
• Threat modelling for new features that handle sensitive data or expand the attack surface.

We treat vulnerability management as an ongoing operation:

• Continuous vulnerability scanning of infrastructure, containers, and dependencies.
• Annual third-party penetration testing by a reputable security firm, with remediation tracked to closure.
• Responsible disclosure program at security@deburise.com - we appreciate good-faith reports from independent researchers.
• Patch SLAs: Critical = 7 days, High = 30 days, Medium = 90 days, Low = next regular release.

We maintain full observability across production systems:

• Centralised log aggregation with retention appropriate to the data sensitivity.
• Real-time alerting on anomalies - unusual access patterns, repeated authentication failures, unexpected data egress.
• 24/7 on-call rotation for production-impacting incidents.
• Tamper-evident audit logs for access to client data, retained for a minimum of one year (longer per contract).

We maintain a documented incident response plan reviewed at least annually. Our response process follows industry standards:

• Detect: Through monitoring, alerts, customer reports, or external notifications.
• Contain: Isolate affected systems to prevent spread.
• Eradicate: Remove the root cause - bad credentials revoked, vulnerable code patched, etc.
• Recover: Restore normal operations from clean backups, with extra monitoring during recovery.
• Notify: Affected customers and supervisory authorities per applicable law (e.g. within 72 hours of awareness under GDPR for personal data breaches).
• Learn: Conduct a blameless post-mortem and feed improvements back into our processes.

We participate in regular third-party security reviews and align our practices with industry-recognised frameworks:

• ISO 27001 alignment - our information security management practices align with ISO 27001 controls (formal certification in roadmap).
• SOC 2 Type II - audit engagement in progress; we'll share the report under NDA once available.
• GDPR, CCPA, DPDP compliance reviews conducted annually with external counsel.
• Vendor security reviews - we evaluate the security posture of every sub-processor and reassess annually.
• Penetration testing annually by a reputable firm; we'll share executive summaries with clients under NDA.

For security-related questions, vulnerability reports, or to request security documentation:

For client engagements with security-specific requirements, we're happy to complete security questionnaires, sign sector-specific DPAs, and provide documentation. See also our Data Processing Agreement page.