Security at Assuric
As a compliance solution, we naturally take our own business and product security very seriously! We help our customers keep their own information secure and endeavour to 'practice what we preach' across all aspects of our own business and product development operations. Assuric actively maintains a Cyber Essentials certification, and is working towards an independently verified ISO27001 certification in 2025.
Below is a further overview of some of the measures we take across our business and Services to keep Customer Information safe and secure.
If you have any questions or would like to responsibly disclose a possible security finding please reach out to us at security@assuric.com.
Information Security values
The following principles form a core part of our company values. We maintain and implement a robust set of policies and procedures to help us practice these values in our daily operations.
- Confidentiality: ensuring that sensitive information is accessible only to authorised users;
- Integrity: ensuring that data is accurate and consistent;
- Availability: ensuring that data is accessible when needed;
- Compliance: meeting legal and regulatory requirements;
- Resilience: extending availability by ensuring we are well placed to respond in the event of accidental loss, corruption, or disaster.
Security Measures
Corporate Identity, Authentication, and Authorisation Controls
Assuric maintains industry best practices for authenticating and authorising internal employee and service access, including the following measures:
- Mandatory multi-factor authentication is used for authenticating to any service used to access organisational data;
- Role Based Access Controls (RBAC) are used when provisioning internal access to the Services;
- Unique login identifiers are assigned to each user;
- Established review and approval processes for any access requests to services storing Customer Data;
- Periodic access audits designed to ensure access levels are appropriate for the roles each user performs;
- Established procedures for promptly revoking access rights upon employee separation;
- Established procedures for reporting and revoking compromised credentials (such as passwords and API keys); and
- Established password reset procedures, including procedures designed to verify the identity of a user prior to a new, replacement, or temporary password.
Customer Identity, Authentication, and Authorisation Controls
Assuric maintains industry best practices for authenticating and authorising customers to the Services, including the following measures:
- Use of a third-party identity access management service to manage Customer identity, meaning Assuric does not store user-provided passwords on users’ behalf; and
- Logically separating Customer Data by organisation account using unique identifiers.
Cloud Infrastructure and Network Security
Assuric maintains industry best practices for securing and operating its cloud infrastructure, including the following measures:
- Separate production and non-production environments (develop, staging, preview, production);
- The Services are routinely audited for security vulnerabilities;
- Application secrets and service accounts are managed by a secrets management service;
- Network security policies and firewalls are configured for least-privilege access against a pre-established set of permissible traffic flows. Non-permitted traffic flows are blocked; and
- Logs from the Services are monitored for security and availability.
System and Workstation Control
Assuric secures systems used to access corporate data, including laptops and any on-premises infrastructure with the following measures:
- Endpoint monitoring of workstations / laptops;
- Endpoint monitoring of mobile devices;
- Automatic application of security configurations to workstations;
- Mandatory patch management; and
- Maintaining appropriate security logs.
Data Access Control
Assuric maintains industry best practices for preventing authorised users from accessing data beyond their authorised access rights and for preventing the unauthorised input, reading, copying, removal, modification, or disclosure of data. Such measures include the following:
- Employee access to services follows the principle of least privilege: staff are only granted the minimum privileges required for their job function; and
- Customer Data submitted to the Services is only used in accordance with applicable contractual agreements in place with Customer.
Disclosure Control
Assuric maintains industry best practices for preventing the unauthorised access, alteration, or removal of data during transfer, and for securing and logging all transfers. Such measures include:
- Encryption of data at rest in production datastores using strong encryption algorithms (AES-256);
- Encryption of data in transit using modern protocols (TLS only) and secure ciphers;
- Audit trail for all data access requests for production datastores;
- Full-disk encryption required on all corporate workstations;
- Device monitoring controls required on all corporate workstations;
- Restrictions on use of portable or removable media; and
- Customer Data can be deleted upon request.
Availability control
Assuric maintains industry best practices for maintaining Services functionality in the event of accidental failure or malicious activity, including:
- Hosting data in multiple availability zones/regions in order to maximise availability;
- Where possible, we deploy a High Availability (HA) architecture to ensure resilience with automated failover to provide uninterrupted service;
- Ensuring that systems may be restored in the event of an interruption;
- Ensuring that systems are functioning and faults are reported; and
- Anti-malware and intrusion detection/prevention solutions implemented comprehensively across our environment.
Segregation control
Assuric maintains industry best practices for separate processing of data collected for different purposes, including:
- Logical separation of production, preview, staging and development environments including isolated databases;
- Logical segregation of Customer Data;
- Restriction of access to data stored for different purposes according to staff roles and responsibilities;
- Segregation of business information system functions; and
- Segregation of testing and production information system environments.
Risk Management
Assuric maintains industry best practices for detecting and managing cybersecurity risks, including:
- Automated feature and security testing;
- Static code testing to ensure code is free from known vulnerabilities;
- Regular dependency and package management audits and remediation;
- Threat modeling to document and triage sources of security risk for prioritisation and remediation;
- Commitment to conducting penetration testing on our Services at least annually, and remediation of identified items as soon as possible on a timetable commensurate with the associated risk;
- Commitment to annual engagements of a qualified, independent external auditor to conduct periodic reviews of Assuric’s security practices against recognised audit standards; and
- A vulnerability management program designed to ensure the prompt remediation of vulnerabilities affecting the Services.
Personnel
Assuric maintains industry best practices for vetting, training, and managing personnel with respect to security matters, including:
- Background checks, where legally permissible, of employees with access to Customer Data or supporting other aspects of the Services;
- Annual security training for employees, and supplemental security training as appropriate; and
- Utilising qualified security professionals with recognised experience and certifications in technical security architecture as well as governance, risk, and compliance.
Physical Access Control
Assuric follows controls for preventing unauthorised physical access to our office space, including:
- Physical barrier controls including locked doors and gates;
- 24-hour on-site security guard staffing;
- 24-hour video surveillance and alarm systems, including video surveillance of common areas and facility entrance and exit points;
- Access control systems requiring badge / PIN for entry to all facilities; and
- Logging of facility exits and entries.
Third Party Risk Management
Assuric maintains industry best practices for managing third party security risks, including with respect to any subprocessor or subcontractor to whom Assuric provides Customer Data, including the following measures:
- Written contracts designed to ensure that any agent agrees to maintain reasonable and appropriate safeguards to protect Customer Data; and
- Vendor Security Assessments: all third parties deemed high risk undergo a formal vendor assessment process.
Security Incident Response
Assuric maintains a security incident response plan for responding to and resolving events that compromise the confidentiality, availability, or integrity of the Services or Customer Data including the following:
- Assuric aggregates system logs for security and general observability from a range of systems to facilitate detection and response; and
- If Assuric becomes aware that a Personal Data Breach has occurred, Assuric will notify Customer in accordance with the agreements in place with them.
Security Evaluations
Assuric commits to performing regular security and vulnerability testing to assess whether key controls are implemented properly and are effective as measured against industry security standards and its own policies and procedures, and to ensure continued compliance with obligations imposed by law, regulation, or contract with respect to the security of Customer Data, as well as the maintenance and structure of Assuric’s information systems.