1. Our Commitment to Security
At CaseForge, security is not an afterthought — it is foundational to everything we build. As a platform designed for security professionals, we hold ourselves to the highest standard when it comes to protecting your data and the integrity of your security operations.
2. Security Architecture
Infrastructure Security
- Hosted on Google Cloud Platform (GCP) enterprise-grade infrastructure
- Multi-tenant isolation with strict logical separation between customer environments
- Virtual Private Cloud (VPC) network segmentation
- Cloud-native security controls and managed services
- Automated patching and vulnerability remediation
Application Security
- Developed following OWASP security guidelines
- Regular code reviews with security focus
- Input validation and output encoding on all user-supplied data
- Protection against XSS, CSRF, and SQL injection attacks
- Content Security Policy (CSP) headers enforced
3. Data Protection
Encryption
- All data in transit protected by TLS 1.3 or higher
- All data at rest encrypted using AES-256
- Encrypted backups with separate key management
- Key management handled by Google Cloud KMS
Data Isolation
- Logical tenant separation enforced at the application layer
- Row-level security applied to all multi-tenant data stores
- Isolated storage buckets per tenant
- No cross-tenant data sharing under any circumstances
4. Access Control
Authentication
- Minimum 12-character passwords required
- Passwords hashed using bcrypt with salt
- Account lockout after 5 failed attempts
- Secure session token management
- Single Sign-On (SSO) coming soon
Authorisation
- Role-Based Access Control (RBAC) throughout the platform
- Least-privilege principle applied to all system access
- Granular permissions at the resource level
- Regular access reviews and privilege audits
5. Security Monitoring
Logging and Monitoring
- Comprehensive audit logging of all user and system actions
- Real-time monitoring and alerting
- Anomaly detection for unusual access patterns
- Log retention in accordance with regulatory requirements
- Centralised log management with tamper-proof storage
Threat Detection
- Intrusion Detection System (IDS) deployed at network and host levels
- DDoS protection via GCP Cloud Armor
- API rate limiting and abuse prevention
- Automated threat response playbooks
6. Incident Response
Our incident response process follows a structured lifecycle:
- Detection — automated monitoring identifies potential incidents
- Response — on-call team triages and classifies the incident
- Containment — immediate steps to limit impact
- Investigation — root cause analysis and evidence collection
- Notification — affected customers notified per our DPA obligations
- Recovery — service restoration with lessons learned
- Post-incident review — process improvements documented
7. Compliance and Certifications
CaseForge operates in compliance with:
- UK General Data Protection Regulation (UK GDPR)
- UK Data Protection Act 2018
We are actively working towards ISO 27001 certification and SOC 2 Type II attestation.
8. Security Testing
- Regular vulnerability assessments of all systems
- Annual third-party penetration testing
- Automated security scanning integrated into the CI/CD pipeline
- Dependency monitoring and CVE alerting
- Regression testing following any security remediation
9. Physical Security
CaseForge operates exclusively on cloud infrastructure. Physical security is managed by Google Cloud Platform data centres, which include:
- 24/7 physical security and surveillance
- Biometric access controls
- CCTV monitoring
- Environmental controls and power redundancy
10. Employee Security
- Background checks conducted for all employees with data access
- Regular security awareness training
- Non-disclosure agreements in place for all staff
- Least-privilege access applied to internal systems
- Security training refreshed annually or when material threats emerge
11. Vulnerability Disclosure
We support responsible disclosure. If you discover a security vulnerability in the SIQ.ONE platform, please report it to us before public disclosure so we can investigate and remediate promptly. We commit to acknowledging reports within 24 hours and providing regular updates throughout the remediation process.
Report vulnerabilities to: security@siq.one (PGP key available on request)
12. Customer Responsibilities
Security is a shared responsibility. To protect your account and data, we ask that you:
- Use strong, unique passwords and consider a password manager
- Keep your credentials strictly confidential and never share them
- Report any suspicious activity on your account immediately
- Keep your own systems and browsers up to date
- Follow your organisation's security policies when using the platform
13. Updates to This Policy
This Security Policy is reviewed and updated at least annually, or whenever significant changes to our security posture occur. We will notify customers of material changes.
14. Contact Us
For security concerns or questions about this policy, please contact us:
Security Team
CaseForge
Email: security@siq.one (PGP key available on request)
Address: London, United Kingdom