Prometheas Technologies
Trust & security

How we handle
your data and access.

We work inside regulated environments for a living — banks, insurers, healthcare systems, and SaaS businesses with their own enterprise buyers to answer to. This page is the short version of the security questionnaire we fill out every week.

Certifications & attestations

The attestations auditors want to see.

ISO/IEC 27001:2022

Information security management system certified for our entire delivery organization. Annual surveillance audits by an accredited body.

SOC 2 Type II

Independently attested controls across security, availability, and confidentiality — covering the people, process, and platforms we use to deliver client engagements.

GDPR-aligned delivery

Standard Data Processing Addendum (DPA) available for EU / UK clients. EU data residency on request; EEA-only sub-processor routing where needed.

HIPAA-aware engagements

For healthcare clients, we deliver under a BAA with HIPAA-aware tooling, minimized PHI surfaces, and audit-ready access logging.

Operating practices

The controls under the certifications.

People

  • Background checks for all staff touching client systems
  • Annual security awareness and role-based training
  • Named data protection officer accountable to the board
  • Documented onboarding and offboarding procedures

Access

  • SSO with MFA required across all corporate systems
  • Just-in-time access to client production systems
  • Zero standing privileged access; break-glass audited
  • Client-specific VPN and segmented workstations when required

Platforms

  • Endpoint detection and response on every workstation
  • Centralized logging with tamper-evident storage
  • Encryption at rest and in transit for all data we hold
  • Vulnerability management with documented SLAs

Delivery

  • Secure-SDLC practices (threat modelling, code review, SAST/DAST)
  • Dependency scanning and signed releases
  • Pre-prod vulnerability testing before go-live
  • Incident response runbooks with named owners
Responsible disclosure

Found something?

If you've identified a security issue on this website or in any Prometheas-operated system, email security@prometheastech.com — ideally with PGP (fingerprint on request).

We acknowledge within two business days, investigate, and commit to fixing genuine issues under a coordinated-disclosure timeline. We don't pursue legal action against good-faith researchers.