
Secure by design, not by promise.
We're a Microsoft-security-built MSP. Here's exactly how we protect data — ours and our clients'.
The same discipline, ours and yours
We run a security-first practice on our own Microsoft-built platform — and the controls we hold ourselves to are the same discipline we bring to client engagements. This page describes the controls we operate. Which of them apply in your environment depends on your licensing, your data, and your engagement scope — and we'll tell you exactly where things stand, in writing, before we start.
Frameworks we align to
We align our program to recognized security frameworks and document our controls against them. Where certification matters for your engagement, we'll tell you exactly where we stand — no overstating, no fine print.
NIST 800-53 / NIST CSF
Our control set is mapped to NIST 800-53 and the NIST Cybersecurity Framework in an internal self-assessment. There is no third-party authorization (no ATO).
CIS Controls
We use the CIS Controls as a practical hardening baseline for endpoints, identity, and cloud configuration.
FTC Safeguards / GLBA
For clients with financial-data obligations, we align controls to the FTC Safeguards Rule and GLBA expectations.
HIPAA
For covered engagements, we put a Business Associate Agreement (BAA) in place and align safeguards to HIPAA where required.
SOC 2
On our roadmap. We're building toward SOC 2 Type II and operate audit-ready — but we are not yet SOC 2 certified, and we won't claim otherwise.
CMMC
On our roadmap toward CMMC Level 2 for future federal-adjacent work. We are not CMMC certified or authorized today; a 3PAO assessment happens when real federal work warrants it.
We align to these frameworks and document our controls; where certification matters for your engagement, we'll tell you exactly where we stand.
How your data is classified and protected
Data protection starts with knowing what data you have, where it lives, and who can touch it — then encrypting it everywhere, at rest and in transit.
Microsoft Purview
Sensitivity labels applied across Microsoft 365, automated and AI-assisted classification, and Data Loss Prevention (DLP) policies that stop sensitive data from leaving where it shouldn't.
AES-256 + TLS 1.2+
AES-256 encryption at rest and TLS 1.2+ enforced in transit. Secrets and keys are held in Azure Key Vault with soft-delete protection — never in code or config.
Data classification tiers
Data is classified across four tiers — Public, Internal, Confidential, and Restricted — so handling, access, and retention rules match sensitivity.
We watch, around the clock
Detection and response is where security stops being a checklist and starts being a discipline. We run Microsoft's detection stack with 24/7 eyes and documented runbooks.
Microsoft Defender XDR
Defender for Endpoint, Defender for Identity, and Defender for Office 365 working together to detect threats across endpoints, identities, and email.
Microsoft Sentinel
Sentinel SIEM correlates signals across the environment, surfacing real incidents from the noise instead of piling up disconnected alerts.
24/7 monitoring + audit logging
Around-the-clock monitoring with comprehensive audit logging, so activity is recorded and reviewable — nights, weekends, and holidays included.
Incident response plan + runbooks
A documented incident-response plan with runbooks and a 15-minute acknowledgement target built into the design, so a detection turns into a coordinated response, not a scramble.
Built to survive ransomware
Encryption keeps data private; resilience keeps the business running when something goes wrong. We design for recoverability, not just backup.
Documented RTO / RPO
Backup and disaster-recovery design with documented Recovery Time and Recovery Point Objectives, so recovery expectations are defined up front — not discovered during an incident.
Immutable & point-in-time backups
Immutable, point-in-time backups so an attacker who deletes or encrypts live data can't reach the recovery copy.
Ransomware survivability focus
Recovery is designed around the reality that attackers target backups first — the goal is a recoverable event, not a business-ending one.
Tested-recovery discipline
Recovery is tested, not assumed — a backup you've never restored is a hope, not a plan.
Least privilege, by default
The strongest control surface is identity. We run on Microsoft Entra ID with MFA enforced, least-privilege access, and no standing admin keys lying around.
Entra ID + MFA enforced
Microsoft Entra ID with multi-factor authentication enforced — identity is the front door, and it stays locked.
Least-privilege RBAC
Role-based access control scoped to least privilege, so people and services hold only the access the job actually needs.
Just-in-time admin access
Just-in-time admin elevation with no standing SSH access — privileged access is granted when needed and removed when done.
Managed identities
Passwordless managed identities for service-to-service auth, removing long-lived credentials from the attack surface.
30 documented control policies
30 documented control policies mapped to NIST 800-53 — written, versioned, and reviewable rather than tribal knowledge.
Subprocessor vetting
Supply-chain and subprocessor vetting with Data Processing Agreements (DPAs) and no-train terms, so your data isn't used to train third-party models.
Locked at the edge
Traffic is filtered before it reaches anything that matters, and backends are never exposed directly to the open internet.
Azure Front Door WAF
Azure Front Door Web Application Firewall running in prevention mode, blocking common web attacks at the edge.
Origin-locked backends
Backends are origin-locked so they only accept traffic from the WAF, not direct connections from the internet.
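As an added illustration (not this MSP's code), here is the origin-side half of that lock as an application backend behind Azure Front Door can apply it: accept a request only if it arrives from the Front Door backend address ranges and carries the X-Azure-FDID header of the expected profile. The address ranges and profile ID below are constructed placeholders; the header name is the one Front Door sets.

```python
import ipaddress

# Constructed placeholder ranges standing in for the AzureFrontDoor.Backend
# service tag; real deployments load the published tag or use a platform
# IP restriction rather than hard-coding addresses.
FRONT_DOOR_BACKEND_RANGES = [
    ipaddress.ip_network(cidr) for cidr in ("198.51.100.0/24", "203.0.113.0/24")
]

# Placeholder for the Front Door profile ID (a GUID in real deployments).
EXPECTED_FDID = "00000000-0000-0000-0000-000000000000"


def origin_lock_check(remote_addr, headers, expected_fdid=EXPECTED_FDID,
                      ranges=FRONT_DOOR_BACKEND_RANGES):
    """Return (allowed, reason) for one inbound request at the origin.
    Both checks are needed: the address check alone admits any Front Door
    profile; the header check alone is defeated by anyone who learns the
    profile ID and can reach the origin directly.
    """
    try:
        src = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False, "unparseable source address"
    if not any(src in net for net in ranges):
        return False, "source address not in Front Door backend ranges"
    # Header names are case-insensitive; normalise before lookup.
    fdid = {k.lower(): v for k, v in headers.items()}.get("x-azure-fdid")
    if fdid is None:
        return False, "missing X-Azure-FDID header"
    if fdid.strip() != expected_fdid:
        return False, "X-Azure-FDID does not match this profile"
    return True, "ok"


# Constructed sample requests: (label, source address, headers).
SAMPLE_REQUESTS = [
    ("via-front-door", "198.51.100.7", {"X-Azure-FDID": EXPECTED_FDID}),
    ("direct-from-internet", "192.0.2.10", {"X-Azure-FDID": EXPECTED_FDID}),
    ("other-tenant-front-door", "203.0.113.9",
     {"x-azure-fdid": "11111111-1111-1111-1111-111111111111"}),
    ("front-door-range-no-header", "198.51.100.8", {}),
]


def evaluate_samples():
    """Run the check over the constructed samples; returns {label: allowed}."""
    return {label: origin_lock_check(addr, hdrs)[0]
            for label, addr, hdrs in SAMPLE_REQUESTS}
```

Only the first sample is admitted; the other three show the failure modes the two checks catch (direct internet traffic, another tenant's Front Door, and a request from the right ranges without the header).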
DDoS protection
DDoS protection absorbs volumetric attacks before they reach the application layer.
HTTPS-only
HTTPS-only enforcement end to end — no plaintext traffic, ever.
What we have. What we're building.
Trust is built on candor. Here is exactly what's operating today versus what's on the roadmap — no inflation.
Operating today
- Microsoft 365 E5 — Defender, Purview, Sentinel, DLP
- AES-256 at rest + TLS 1.2+ in transit
- 30 documented control policies (NIST 800-53)
- Incident-response plan + runbooks
- 24/7 monitoring with audit logging
- Backup & disaster recovery
- Just-in-time admin access
- Supply-chain / subprocessor vetting
On the roadmap
- SOC 2 Type II — audit-ready, not yet certified
- CMMC Level 2 — roadmap for federal-adjacent work
- Third-party (3PAO) assessment — when federal work is real
- Expanded conditional-access policies
We are not certified for SOC 2, ISO 27001, FedRAMP, or CMMC. Our framework alignment is captured in an internal self-assessment with no ATO and no third-party (3PAO) audit. When that changes, this page will say so.
Frequently asked
Are you SOC 2 certified?
Is my data encrypted?
Do you use Microsoft Purview?
Can I get a security questionnaire or DPA?
How fast do you respond to incidents?
Want to see where you stand?
Start with a free security evaluation. We'll map your real exposure and show you exactly where your controls are strong and where the gaps are — with no obligation. Have a questionnaire, a DPA, or a hard security question? Reach us directly.