Our philosophy

Security is a design constraint. We use a risk-based approach, align controls to your business context, and select fit-for-purpose methods that meet your requirements. We are vendor-agnostic and recommend options that balance confidentiality, integrity, availability, cost, and time-to-value.

Governance and accountability

  • Security ownership sits with an executive sponsor and a named security lead accountable for outcomes.
  • Policies cover access control, change management, incident response, supplier management, and data handling.
  • Reviews occur regularly and after material changes. Evidence is available for customer due diligence on request.

Shared responsibility

Responsibilities are defined at project start and documented in the statement of work.

  • You control who in your organization has access, what data is connected, approval flows for high-risk actions, and retention choices.
  • We operate the components we build or manage, apply the controls described here, and provide audit evidence.
  • Third parties provide infrastructure or services under their own terms. We evaluate them and ensure contracts reflect your requirements.

Risk assessment and design

  • Lightweight threat modeling is performed for new solutions and significant changes.
  • We identify data classes, legal bases, and regional constraints. Special categories or regulated data trigger additional controls and approvals.
  • We propose security patterns that match your constraints, with options and trade-offs clearly documented.

Identity and access management

  • Least privilege with role-based access models.
  • Strong authentication for administrative access. Multi-factor authentication is mandatory for Gyreon staff.
  • Just-in-time elevation and time-bound credentials for support work. Access reviews occur on a regular cadence.

Data protection

  • Data is protected in transit and at rest using industry-accepted encryption methods. Key management follows your preference, including customer-managed options where available.
  • We minimize personal data, segregate environments, and use separate credentials per environment.
  • Backups follow documented retention and restoration testing procedures.

Application security

  • Secure development lifecycle with requirements, code review, change control, and approvals.
  • Dependency hygiene with vulnerability monitoring and prompt remediation.
  • Static and dynamic testing is applied based on risk. High-risk surfaces receive deeper testing.
  • Secrets are stored in dedicated secret stores. No secrets in code repositories.

Platform and network security

  • Network exposure is minimized. Inbound surfaces are restricted and monitored.
  • Traffic is filtered and rate-limited where appropriate.
  • Hardening standards are applied to runtime environments and build pipelines.
  • Customer-managed environments and private networking are supported for stricter isolation.

AI and model safeguards

  • No model training on your data without explicit written opt-in.
  • Prompts, tools, and retrieval are separated by tenant or workspace.
  • Inputs are validated for prompt injection and unsafe content. Outputs are filtered or routed to human review where risk is high.
  • Evaluation and monitoring are performed with metrics agreed during scoping.

Logging, monitoring, and alerting

  • Centralized logging for access, application, and audit events with defined retention.
  • Alerts are tuned for signal and delivered to on-call responders.
  • Security logs are protected from tampering.

Business continuity and disaster recovery

  • Backups are automated and restorations are tested regularly.
  • Recovery objectives are set per system at scoping.
  • Runbooks cover restoration and dependency failures.

Vulnerability management and testing

  • Regular scanning of code, images, and deployed assets where applicable.
  • Patching follows severity-based SLAs.
  • Independent penetration tests can be commissioned annually or aligned to your schedule. Customer-run tests are supported with coordination.
  • A responsible disclosure channel is available for security researchers at security@gyreon.com.

Incident response

  • Continuous intake via security@gyreon.com with internal escalation for high-severity events.
  • Triage, containment, eradication, and recovery are run under documented procedures.
  • If your data is affected, you are notified without undue delay, with the scope, impact, and remediation steps.
  • Post-incident reviews produce corrective actions and timeline summaries that we can share.

Compliance and regional considerations

  • Controls align to recognized frameworks and applicable privacy regulations.
  • For PDPA and GDPR contexts, we support data subject rights and maintain records of processing.
  • Sector-specific needs can be mapped during scoping.
  • Data residency and sovereignty options are available. We can deploy to regions you select or within your environment.

Subprocessors and suppliers

We work with a small set of reputable providers for infrastructure and tooling. We review their controls and keep a current list available for customers on request. Customers are notified of material changes where contractually required.

Customer enablement

  • Security runbooks and administrative guides are provided for delivered solutions.
  • We can train your administrators and end users on secure operation and responsibilities.

Contact

Security and vulnerabilities: security@gyreon.com

Privacy and data rights: dpo@gyreon.com

Commercial and procurement: sales@gyreon.com

Procurement artifacts available on request

  • Security overview one-pager
  • Data Processing Addendum
  • Subprocessors list
  • Business continuity and disaster recovery summary
  • Penetration test summary letter

Last updated: