Back to Home

Security & Data Protection

Enterprise-grade security measures protecting your data and infrastructure. ISO 27001 aligned with Microsoft Azure best practices.

ISO 27001 Aligned
SOC 2 Type II
Azure Security Certified
GDPR Compliant

Our Security Commitment

At Technspire, security is not an afterthought—it's the foundation of everything we build. We follow ISO/IEC 27001:2022 Information Security Management System (ISMS) standards and leverage Microsoft Azure's enterprise security infrastructure to protect your data, applications, and business operations.

Our security program is designed to maintain the confidentiality, integrity, and availability (CIA triad) of information assets while ensuring compliance with GDPR, NIS2, and industry-specific regulations.

Azure Security

Built on Microsoft Azure's world-class security infrastructure with 99.99% SLA

ISO 27001 Aligned

Information security management following international standards

Continuous Monitoring

Round-the-clock security monitoring with Azure Sentinel and Microsoft Defender

1. Infrastructure Security (Azure Cloud)

1.1 Azure Data Centers

All customer data hosted in Microsoft Azure data centers with:

  • Geographic Redundancy: Primary region (North Europe/West Europe), secondary region for disaster recovery
  • Physical Security: Continuous surveillance, biometric access controls, security personnel
  • Certifications: ISO 27001, ISO 27018, SOC 1/2/3, PCI DSS Level 1, HIPAA, FedRAMP
  • Availability SLA: 99.99% uptime guarantee with financially-backed SLA
  • Network Security: DDoS protection (Azure DDoS Protection Standard), intrusion detection/prevention

1.2 Network Security Architecture

  • Virtual Networks (VNets): Isolated network segments with Azure Virtual Network
  • Network Security Groups (NSGs): Stateful firewall rules at subnet and NIC level
  • Azure Firewall: Centralized network security policy enforcement
  • Private Endpoints: Azure PaaS services accessed via private IPs (no public internet exposure)
  • TLS/SSL: All traffic encrypted with TLS 1.2+ (TLS 1.3 where supported)
  • Web Application Firewall (WAF): Azure Front Door WAF protecting against OWASP Top 10

1.3 DDoS Protection

Azure DDoS Protection Standard provides:

  • Always-on traffic monitoring and automatic mitigation
  • Protection against volumetric, protocol, and application-layer attacks
  • Terabytes/second mitigation capacity
  • Real-time attack metrics and diagnostics

2. Data Security & Encryption

2.1 Encryption at Rest

  • Database Encryption: Azure SQL Database Transparent Data Encryption (TDE) with AES-256
  • Storage Encryption: Azure Storage Service Encryption (SSE) with 256-bit AES
  • Key Management: Azure Key Vault with Hardware Security Modules (HSM) FIPS 140-2 Level 2
  • Backup Encryption: Automated backups encrypted with AES-256
  • Customer-Managed Keys: Option for customers to manage their own encryption keys (BYOK)

2.2 Encryption in Transit

  • HTTPS/TLS: All web traffic encrypted with TLS 1.2+ (minimum), TLS 1.3 preferred
  • API Security: REST APIs protected with OAuth 2.0 + JWT tokens over HTTPS
  • Database Connections: SQL connections encrypted with TLS, certificate validation enforced
  • Internal Traffic: Azure backbone network traffic encrypted
  • Certificate Management: Azure-managed SSL certificates with auto-renewal

2.3 Data Residency & Sovereignty

  • EU Data Residency: Customer data stored in EU Azure regions (North Europe, West Europe)
  • GDPR Compliance: Data Processing Agreements (DPA) with Microsoft, EU Standard Contractual Clauses
  • No Cross-Border Transfers: Data not transferred outside EU without explicit consent
  • Data Classification: Automatic classification using Microsoft Purview

2.4 Backup & Disaster Recovery

  • Automated Backups: Databases backed up every hour, retention 30 days (configurable up to 35 days)
  • Geo-Redundant Storage (GRS): Backups replicated to secondary Azure region
  • Point-in-Time Restore: Restore to any point within retention period
  • Disaster Recovery: RTO < 4 hours, RPO < 1 hour for most services
  • Backup Testing: Quarterly DR drills to validate restore procedures

3. Access Control & Identity Management

3.1 Identity & Authentication

  • Azure Active Directory (Entra ID): Enterprise identity management with conditional access
  • Multi-Factor Authentication (MFA): Mandatory for all administrative access
  • Passwordless Authentication: Support for FIDO2, Windows Hello, Microsoft Authenticator
  • Single Sign-On (SSO): SAML 2.0 / OAuth 2.0 / OpenID Connect integration
  • Password Policies: Minimum 14 characters, complexity requirements, 90-day expiration

3.2 Authorization & Least Privilege

  • Role-Based Access Control (RBAC): Azure RBAC with principle of least privilege
  • Privileged Identity Management (PIM): Just-in-time admin access with approval workflows
  • Separation of Duties: No single person has complete system access
  • Access Reviews: Quarterly reviews of all user permissions
  • Service Principals: Managed identities for applications (no hardcoded credentials)

3.3 Privileged Access Management

  • Privileged Access Workstations (PAW): Dedicated hardened workstations for admin tasks
  • Jump Servers: Azure Bastion for secure RDP/SSH access (no public IPs)
  • Session Recording: All administrative sessions logged and recorded
  • Break-Glass Accounts: Emergency access accounts with strict monitoring

4. Application Security & Development

4.1 Secure Development Lifecycle (SDL)

  • Security Requirements: Threat modeling in design phase (STRIDE methodology)
  • Secure Coding Standards: OWASP Top 10 mitigation, CWE/SANS Top 25 avoidance
  • Code Reviews: Peer review required before merge, security-focused review for sensitive code
  • Static Application Security Testing (SAST): GitHub Advanced Security, SonarQube
  • Dynamic Application Security Testing (DAST): OWASP ZAP automated scans
  • Dependency Scanning: Dependabot, Snyk for vulnerable package detection

4.2 API Security

  • Authentication: OAuth 2.0 with JWT tokens, refresh token rotation
  • Rate Limiting: Azure API Management with per-client throttling
  • Input Validation: Strict schema validation, parameterized queries (no SQL injection)
  • CORS Policies: Whitelisted origins only
  • API Gateway: Azure API Management with request/response inspection

4.3 Web Application Security

  • XSS Prevention: Content Security Policy (CSP), output encoding, React/Next.js built-in protections
  • CSRF Protection: Anti-CSRF tokens, SameSite cookies
  • Clickjacking Prevention: X-Frame-Options: DENY, frame-ancestors CSP directive
  • Security Headers: HSTS, X-Content-Type-Options, Referrer-Policy
  • Secrets Management: Azure Key Vault (no secrets in code/config)

5. Security Monitoring & Incident Response

5.1 Security Information and Event Management (SIEM)

  • Microsoft Sentinel: Cloud-native SIEM with AI-powered threat detection
  • Log Aggregation: Azure Monitor collecting logs from all services
  • Retention: Security logs retained for 1 year (compliance), audit logs 7 years
  • Alerting: Real-time alerts for suspicious activity, failed logins, privilege escalation
  • Threat Intelligence: Microsoft Threat Intelligence integration

5.2 Threat Detection & Response

  • Microsoft Defender for Cloud: Vulnerability scanning, threat detection, security recommendations
  • Endpoint Detection & Response (EDR): Microsoft Defender for Endpoint on all workstations
  • Anomaly Detection: Azure AD Identity Protection detecting unusual sign-in behavior
  • Automated Response: Azure Logic Apps for automated incident response playbooks
  • Security Operations Center (SOC): Continuous monitoring by internal team + Microsoft security experts

5.3 Incident Response Plan

ISO 27001-aligned incident response process:

1

Detection:

Automated alerts, user reports, security scans

2

Triage & Classification:

Severity assessment (Critical/High/Medium/Low), impact analysis

3

Containment:

Isolate affected systems, revoke compromised credentials

4

Eradication & Recovery:

Remove threat, restore from clean backups, patch vulnerabilities

5

Post-Incident Review:

Root cause analysis, lessons learned, process improvements

Incident Notification: Customers notified within 24 hours of confirmed security incidents affecting their data. GDPR breach notification to supervisory authorities within 72 hours if applicable.

6. Compliance & Governance

6.1 Certifications & Standards

  • ISO/IEC 27001:2022

    Information Security Management System

  • SOC 2 Type II

    Service Organization Controls (via Azure)

  • ISO 27017 / 27018

    Cloud Security & Privacy

  • Microsoft Azure Certifications

    Azure Security Engineer, Solutions Architect

6.2 Regulatory Compliance

  • GDPR (EU 2016/679)

    General Data Protection Regulation

  • NIS2 Directive

    Network and Information Security

  • Swedish Data Protection Act

    Dataskyddslag (2018:218)

  • PCI DSS (if applicable)

    Payment Card Industry Data Security Standard

7. Personnel Security

7.1 Background Checks

  • Criminal background checks for all employees with data access
  • Reference checks and employment verification
  • Renewal every 3 years for privileged users

7.2 Security Training

  • Onboarding: Security awareness training for all new hires (mandatory)
  • Annual Refresher: Yearly security training with phishing simulations
  • Role-Specific Training: Secure coding for developers, Azure security for engineers
  • Certifications: Azure Security Engineer, CISSP, CEH for security team

7.3 Confidentiality Agreements

  • All employees sign Non-Disclosure Agreements (NDA)
  • Contractors and third parties sign confidentiality clauses
  • Secure offboarding process: immediate access revocation upon termination

8. Third-Party & Vendor Security

8.1 Vendor Assessment

  • Security questionnaires for all vendors handling customer data
  • SOC 2 / ISO 27001 certification required for critical vendors
  • Annual vendor risk re-assessment

8.2 Key Third-Party Services

  • Microsoft Azure: ISO 27001, SOC 2, GDPR-compliant cloud infrastructure
  • GitHub: SOC 2 Type II certified source code management
  • Microsoft 365: GDPR Data Processing Agreement, EU data residency

8.3 Data Processing Agreements

All third-party processors sign GDPR-compliant Data Processing Agreements (DPA) including:

  • Scope and purpose of processing
  • Security measures and data protection obligations
  • Sub-processor requirements
  • Data subject rights facilitation
  • Breach notification requirements

9. Vulnerability Management

9.1 Vulnerability Scanning

  • Automated Scans: Weekly vulnerability scans with Microsoft Defender for Cloud
  • Infrastructure Scanning: Qualys/Tenable scanning of Azure resources
  • Web Application Scanning: OWASP ZAP automated scans pre-deployment
  • Dependency Scanning: Daily scans for vulnerable npm/NuGet packages

9.2 Patch Management

  • Critical Patches: Applied within 48 hours of release
  • High Severity: Applied within 7 days
  • Medium/Low: Monthly patch cycle
  • Zero-Day Vulnerabilities: Emergency patch process, out-of-band deployment
  • Azure Platform: Automated patching by Microsoft (no customer action required)

9.3 Penetration Testing

  • Annual penetration tests by independent third-party security firm
  • Scope: External attack surface, web applications, API security
  • All findings remediated before production deployment
  • Retest after remediation to verify fixes

10. Business Continuity & Disaster Recovery

10.1 Service Level Objectives

Recovery Time Objective (RTO)

< 4 hours

Maximum acceptable downtime

Recovery Point Objective (RPO)

< 1 hour

Maximum acceptable data loss

10.2 High Availability Architecture

  • Azure Availability Zones for zone redundancy (99.99% SLA)
  • Geo-redundant database replication to secondary region
  • Azure Front Door for global load balancing and failover
  • Auto-scaling based on load (horizontal and vertical)

10.3 Disaster Recovery Plan

  • Documented DR procedures tested quarterly
  • Automated failover to secondary Azure region
  • Communication plan: Customer notification within 1 hour of major outage
  • War room procedures for critical incidents

Responsible Vulnerability Disclosure

We welcome reports from security researchers who discover vulnerabilities in our systems. If you believe you've found a security issue, please:

  1. Email security@technspire.com with details
  2. Do not publicly disclose the vulnerability until we've had a chance to address it
  3. Provide sufficient information to reproduce the issue
  4. Act in good faith (no data destruction, privacy violations, or service disruption)

Our Commitment: We will acknowledge your report within 48 hours, provide regular updates, and publicly credit researchers (with permission) once the issue is resolved.

Security Contact

Security Team: security@technspire.com

General Inquiries: admin@technspire.com

Phone: +46 722 52 52 53

Address: Markörvägen 1a, Stockholm, Sweden

For detailed compliance documentation, SOC 2 reports, or security questionnaires, please contact our security team.

Last Updated: January 1, 2025

This security page is reviewed and updated quarterly to reflect current practices and certifications.

Privacy PolicyTerms of ServiceComplianceBack to Home
Security - Technspire AB | Technspire AB