Security Controls
ByTek operates an ISMS aligned to ISO/IEC 27001:2022 and maps controls to the NIST CSF. Continuous control monitoring runs through Drata, integrated with Google Workspace (identity), Google Cloud (infrastructure), and Bitbucket (source code).
Identity & access management
- RBAC and least privilege (ISO 27001 Annex A.9; NIST SP 800-53 AC-6).
- MFA is mandatory for all access to production systems, cloud platforms, and administrative interfaces; enforced via Google Workspace.
- Access reviews are performed quarterly; production access is disabled by default, time-boxed, and granted case-by-case.
- Deprovisioning SLA: 24h standard, 1h for privileged/high-risk accounts; IDs inactive for 30 days are revoked.
- Password policy: minimum 12 characters with complexity; privileged-account rotation ≥90 days; last 12 passwords barred; lockout after repeated failed attempts.
Encryption
- At rest: AES-256 (or equivalent) on all storage — cloud databases, file storage, and backups; full-disk encryption on all endpoints.
- In transit: TLS 1.2 or higher for all internal and external communications.
- Pseudonymization: SHA-256 hashing of identifiers at ingestion and before activation.
- Key management: centralized KMS, keys stored separately from data and rotated at least every 12 months; secrets in Google Secret Manager and Zoho Vault.
Application & development security
- CI/CD via Bitbucket Pipelines and Google Cloud Build; secrets centralized (never in source or build artifacts).
- Static analysis (SAST) as a mandatory CI/CD gate; dynamic analysis (DAST) on staging before production for web-facing apps.
- No production deployment with unresolved Critical or High findings without an approved exception.
- Annual secure-coding / OWASP Top 10 training for developers.
Vulnerability management & penetration testing
- Remediation SLAs: Critical 24h · High 72h · Medium 7 days · Low 30 days.
- Annual independent penetration test (VAPT) by a qualified third party, using OWASP Top 10 methodology. Reports available to clients under NDA.
- Automated vulnerability scanning; scanner signatures updated weekly; patch-compliance dashboard reviewed monthly.
- Web Application Firewall (OWASP Top 10 ruleset) for internet-facing applications; managed endpoint protection.
Logging & monitoring
- Centralized log management and SIEM.
- Log retention ≥12 months, tamper-protected, time-synchronized (NTP/UTC); administrators cannot erase their own logs.
- Audit coverage includes operations on sensitive data, authentication/authorization, all administrative actions, and access-rights changes (GCP Cloud Audit Logs).
Multi-tenancy & data separation
- Each customer's data warehouse is their own GCP project — strong tenant isolation.
- Each customer has a dedicated reconciliation database within Cloud SQL.
- The central configuration database holds platform configuration, not customer end-user data.
Personnel security
- Security-awareness training at onboarding and renewed annually; phishing simulations.
- Pre-employment background verification proportionate to role and data-access level.
- NDAs before access; staff appointed as Art. 29 authorized processors; signed Code of Conduct.