How we handle
your data and access.
We work inside regulated environments for a living — banks, insurers, healthcare systems, and SaaS businesses with their own enterprise buyers to answer to. This page is the short version of the security questionnaire we fill out every week.
The attestations auditors want to see.
ISO/IEC 27001:2022
Information security management system certified for our entire delivery organization. Annual surveillance audits by an accredited body.
SOC 2 Type II
Independently attested controls across security, availability, and confidentiality — covering the people, process, and platforms we use to deliver client engagements.
GDPR-aligned delivery
Standard Data Processing Addendum (DPA) available for EU / UK clients. EU data residency on request; EEA-only sub-processor routing where needed.
HIPAA-aware engagements
For healthcare clients, we deliver under a BAA with HIPAA-aware tooling, minimized PHI surfaces, and audit-ready access logging.
The controls under the certifications.
People
- Background checks for all staff touching client systems
- Annual security awareness and role-based training
- Named data protection officer accountable to the board
- Documented onboarding and offboarding procedures
Access
- SSO with MFA required across all corporate systems
- Just-in-time access to client production systems
- Zero standing privileged access; break-glass audited
- Client-specific VPN and segmented workstations when required
Platforms
- Endpoint detection and response on every workstation
- Centralized logging with tamper-evident storage
- Encryption at rest and in transit for all data we hold
- Vulnerability management with documented SLAs
Delivery
- Secure-SDLC practices (threat modelling, code review, SAST/DAST)
- Dependency scanning and signed releases
- Pre-prod vulnerability testing before go-live
- Incident response runbooks with named owners
Found something?
If you've identified a security issue on this website or in any Prometheas-operated system, email security@prometheastech.com — ideally with PGP (fingerprint on request).
We acknowledge within two business days, investigate, and commit to fixing genuine issues under a coordinated-disclosure timeline. We don't pursue legal action against good-faith researchers.
