Security Policy
Effective Date: April 28, 2026 · Last Updated: April 28, 2026 · Version 1.0
Security is foundational to everything iCirus builds and operates. This Security Policy outlines our commitment to protecting your data, our infrastructure security standards, and how we respond to security incidents.
1. Security Commitment
iCirus Technologies operates a security-first infrastructure designed to protect client data, ensure service availability, and maintain the integrity of our global network. We apply defense-in-depth principles across all layers of our stack — physical, network, application, and data.
2. Physical Security
All iCirus data centers meet or exceed Tier III/IV standards with the following physical controls:
- Biometric access controls and 24/7 security personnel
- CCTV monitoring with 90-day retention
- Mantrap entry systems and perimeter security
- N+1 redundant power with UPS and diesel generators
- Redundant cooling systems with environmental monitoring
- Strict visitor access logging and escorted entry
- Seismically braced infrastructure where applicable
3. Network Security
3.1 DDoS Protection
iCirus operates always-on DDoS mitigation across all customer-facing infrastructure with scrubbing capacity exceeding 10 Tbps. Mitigation is automatic and requires no client intervention.
3.2 Firewall and Perimeter Security
- Next-generation firewalls with deep packet inspection
- Intrusion Detection and Prevention Systems (IDS/IPS)
- Network segmentation and micro-segmentation
- BGP prefix filtering and RPKI route origin validation (ROV) to reject hijacked or mis-originated routes
- Private network separation for management traffic
3.3 Encryption in Transit
- TLS 1.2 minimum enforced across all endpoints (TLS 1.3 preferred)
- Certificate management with automated renewal
- HSTS enforced on all web-facing services
- OCSP stapling, so clients receive a signed revocation status with the handshake instead of contacting the CA themselves
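Two of the controls above can be verified from the client side without any access to iCirus systems: the TLS 1.2 floor and the HSTS header. The following is an added example (editor's code, not iCirus tooling or code from this page) showing how a practitioner would check them: a client context that refuses anything below TLS 1.2, and an HSTS evaluator that applies the RFC 6797 rules (case-insensitive directives, a required integer max-age, a duplicate directive invalidating the header). The header values in SAMPLES are constructed for the example, not captured from any iCirus host, and the one-year threshold is the editor's bar, not a figure from the policy.

```python
"""Offline checks for the transit-encryption controls a client can verify from
outside: the TLS 1.2 floor and the Strict-Transport-Security header.
Added example, not iCirus code; sample header values are constructed."""
from __future__ import annotations

import ssl

# Editor's threshold: an HSTS policy worth relying on pins for at least a year
# (also the minimum the browser preload list accepts).
ONE_YEAR = 365 * 24 * 3600


def client_context_with_tls_floor() -> ssl.SSLContext:
    """Client context that refuses anything below TLS 1.2 and verifies the chain.
    Use it as the baseline when probing a service that claims a TLS 1.2 minimum:
    a handshake failure here means the server still negotiates TLS 1.0/1.1."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED, hostname checking on
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def parse_hsts(header: str) -> dict[str, str]:
    """Parse an HSTS value into {directive: value}.
    Directive names are case-insensitive (RFC 6797 s6.1) and a repeated
    directive makes the whole header invalid, reported as ValueError."""
    out: dict[str, str] = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        name = name.strip().lower()
        value = value.strip().strip('"')
        if name in out:
            raise ValueError(f"duplicate directive: {name}")
        out[name] = value
    return out


def evaluate_hsts(header: str | None) -> list[str]:
    """Return findings; an empty list means the header meets the bar implied by
    'HSTS enforced': present, max-age of at least a year, subdomains covered."""
    if header is None:
        return ["no Strict-Transport-Security header"]
    try:
        d = parse_hsts(header)
    except ValueError as e:
        return [str(e)]
    findings: list[str] = []
    if "max-age" not in d or not d["max-age"].isdigit():
        return ["max-age missing or not an integer (header is invalid)"]
    max_age = int(d["max-age"])
    if max_age == 0:
        findings.append("max-age=0 disables HSTS for the host")
    elif max_age < ONE_YEAR:
        findings.append(f"max-age {max_age}s is under one year")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains missing; subdomains stay downgradable")
    if "preload" in d and ("includesubdomains" not in d or max_age < ONE_YEAR):
        findings.append("preload set but preload-list requirements not met")
    return findings


# Constructed header values for the demonstration, not captured from any host.
SAMPLES: dict[str, str | None] = {
    "good": "max-age=63072000; includeSubDomains; preload",
    "short": "max-age=86400",
    "disabled": "max-age=0",
    "absent": None,
}

if __name__ == "__main__":
    print("TLS floor:", client_context_with_tls_floor().minimum_version.name)
    for label, value in SAMPLES.items():
        print(f"{label:9s} {evaluate_hsts(value) or ['ok']}")
```

To probe a live host, wrap a socket with `client_context_with_tls_floor()` and read the `Strict-Transport-Security` header from the response; the evaluator deliberately treats a missing or malformed header the same way a browser does (no policy is cached), which is the failure mode that matters.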
4. Data Security
4.1 Encryption at Rest
All client data stored on iCirus infrastructure is encrypted using AES-256. Encryption keys are managed via Hardware Security Modules (HSMs) with strict access controls.
4.2 Data Isolation
Client environments are logically isolated from one another. Cross-tenant data access is not permitted, and our standard configurations are designed so that one tenant cannot reach another tenant's data.
4.3 Backup Security
- Automated daily backups with 30-day retention (varies by plan)
- Backups stored in geographically separate locations
- Backup data encrypted with separate key sets
- Regular restore testing to verify backup integrity
5. Access Control
- Role-based access control (RBAC) enforced across all systems
- Multi-factor authentication (MFA) required for all administrative access
- Principle of least privilege applied to all staff and systems
- Privileged access workstations (PAW) for critical infrastructure management
- All administrative sessions logged, recorded, and auditable
- Quarterly access reviews and deprovisioning of inactive accounts
- SSH key-based authentication; password authentication disabled on servers
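The last control above ("password authentication disabled on servers") is one that is easy to state and easy to get wrong in practice, because sshd honours the first value it sees for a keyword: a hardening line appended below an earlier `PasswordAuthentication yes` is silently ignored, and a `Match` block can re-enable passwords for some users. The following is an added example (editor's code, not an iCirus tool and not code from this page) that audits an sshd_config for the key-only posture described here, applying those semantics. The two configs are constructed; the defaults table reflects current OpenSSH `sshd_config(5)` documentation, and the set of "acceptable" values is the editor's interpretation of the policy line.

```python
"""Audit an sshd_config for the 'key-based only, passwords off' posture.
Added example, not iCirus tooling; both configs below are constructed.
Mirrors sshd's rule that the FIRST global value for a keyword wins."""
from __future__ import annotations

# OpenSSH defaults (sshd_config(5)) for the keywords this audit cares about.
DEFAULTS = {
    "passwordauthentication": "yes",
    "kbdinteractiveauthentication": "yes",
    "pubkeyauthentication": "yes",
    "permitrootlogin": "prohibit-password",
    "permitemptypasswords": "no",
}

# Editor's reading of "key-based authentication; password authentication
# disabled". Keyboard-interactive must be off too, since PAM can still
# prompt for a password through it.
REQUIRED = {
    "passwordauthentication": {"no"},
    "kbdinteractiveauthentication": {"no"},
    "pubkeyauthentication": {"yes"},
    "permitrootlogin": {"no", "prohibit-password"},
    "permitemptypasswords": {"no"},
}

# Older name for KbdInteractiveAuthentication; sshd treats them as one keyword.
ALIASES = {"challengeresponseauthentication": "kbdinteractiveauthentication"}


def effective_config(text: str) -> dict[str, str]:
    """Global effective values: keywords are case-insensitive, '#' starts a
    comment, the first occurrence of a keyword wins, and everything from the
    first 'Match' line onward is conditional, so it does not count as global."""
    eff = dict(DEFAULTS)
    seen: set[str] = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.replace("=", " ", 1).split(None, 1)
        key = ALIASES.get(parts[0].lower(), parts[0].lower())
        if key == "match":
            break
        if key in seen or len(parts) < 2:
            continue
        seen.add(key)
        eff[key] = parts[1].strip().lower()
    return eff


def audit(text: str) -> list[str]:
    """Findings for every keyword whose effective value is not acceptable."""
    eff = effective_config(text)
    return [
        f"{key}={eff[key]} (want one of {sorted(ok)})"
        for key, ok in REQUIRED.items()
        if eff[key] not in ok
    ]


# Constructed: the hardening line at the bottom never takes effect.
WEAK = """\
PasswordAuthentication yes
PermitRootLogin yes
PubkeyAuthentication yes
PasswordAuthentication no    # ignored: keyword already set above
"""

# Constructed: correct ordering; the Match block is a per-user exception,
# not a global setting, so the global audit still passes.
HARDENED = """\
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
PermitRootLogin no
PermitEmptyPasswords no
Match User backup
    PasswordAuthentication yes
"""

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or ["ok"])
```

Per-user `Match` overrides like the one in HARDENED are exactly where a "passwords disabled" claim tends to leak, so a full audit would also list every `Match` block that sets an authentication keyword; `sshd -T` prints the effective global values and is the quickest way to cross-check this parser on a real host.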
6. Application Security
- Secure Software Development Lifecycle (SSDLC) practices
- Regular third-party penetration testing (at least annually)
- Automated vulnerability scanning of all production systems
- Web Application Firewall (WAF) protection on all client-facing portals
- OWASP Top 10 mitigations applied to all web applications
- Dependency vulnerability monitoring and patching
- Code review requirements for all production deployments
7. Security Monitoring
iCirus operates a 24/7 Security Operations Center (SOC) with the following capabilities:
- Security Information and Event Management (SIEM) platform
- Real-time threat intelligence integration
- Anomaly detection and behavioral analytics
- Log aggregation and retention for a minimum of 12 months
- Automated alerting with human escalation protocols
- Mean time to detect (MTTD) target: under 15 minutes
- Mean time to respond (MTTR) target: under 1 hour for critical incidents
8. Incident Response
iCirus maintains a formal Incident Response Plan aligned with NIST SP 800-61 guidelines:
- Detection: Automated and manual monitoring identifies potential incidents
- Containment: Immediate isolation of affected systems to prevent spread
- Eradication: Root cause identification and threat removal
- Recovery: Verified restoration of affected services
- Post-Incident Review: Lessons learned and policy updates
Clients affected by security incidents that may impact their data will be notified without undue delay and in any case within 72 hours of confirmed detection. This supports clients' own obligations under GDPR Article 33, which requires a processor to notify the controller without undue delay and gives the controller 72 hours from becoming aware to notify the supervisory authority, as well as other applicable breach notification laws.
9. Compliance and Certifications
iCirus infrastructure and operations are aligned with the following standards and frameworks:
- SOC 2 Type II
- ISO 27001
- PCI DSS
- GDPR
- PIPEDA
- CCPA
- HIPAA (ready)
- NIST CSF
10. Vulnerability Disclosure
If you discover a security vulnerability in iCirus systems or services, please report it responsibly to security@icirus.com. We are committed to acknowledging reports within 24 hours and working with researchers in good faith. We do not pursue legal action against researchers who follow responsible disclosure principles.
Please include in your report:
- Description of the vulnerability and its potential impact
- Steps to reproduce the issue
- Any proof-of-concept code or screenshots
- Your contact information for follow-up
11. Employee Security
- Background checks for all employees with access to client data or infrastructure
- Mandatory security awareness training upon hire and annually thereafter
- Signed confidentiality and acceptable use agreements
- Phishing simulation and social engineering awareness programs
- Secure onboarding and offboarding procedures
12. Vendor Security
All third-party vendors with access to iCirus systems or client data are subject to:
- Security assessment prior to engagement
- Data Processing Agreements (DPAs) with appropriate security requirements
- Annual security review and recertification
- Contractual security obligations aligned with iCirus standards
13. Contact