Built on Accountability

Firewalls are configured on all networks used to access client environments, restricting unauthorized inbound and outbound traffic.

All remote access to client infrastructure occurs over approved encrypted connections (TLS, SSH tunnels, or VPN). Unencrypted access is not permitted.

Remote access to client systems requires multi-factor authentication. Password-only access is not permitted for any privileged session.

Access to client production environments—applications, databases, and networks—is restricted to personnel with a documented business need for that engagement.

Each system and datastore requires unique credentials. Shared accounts and default credentials are not used.

Access, change, and error events on client systems are captured in a log management system. Logs are retained for a minimum of 90 days and are available for investigation when alerts or anomalies are identified.

Client infrastructure managed under retainer engagements is monitored for performance and availability. Threshold-based alerting is configured to surface issues proactively.

MFA is required on all accounts with access to client infrastructure, source control, and internal tooling.

Accounts follow a strong password policy: minimum length, no reuse, and storage in a password manager. Passwords are not shared or transmitted in plaintext.

Access is scoped to the minimum permissions required per engagement. Elevated roles require justification and are reviewed regularly.

Temporary credentials (AWS STS, GCP Workload Identity, etc.) are used wherever possible over long-lived static API keys.

SSH keys are unique per engineer, rotated at least annually, and removed upon role change or engagement end.

All client access is revoked within 24 hours of engagement close or any personnel change.

All client data, credentials, and architecture details are treated as confidential. NDAs are signed at engagement start.

Any client data stored during an engagement (configuration, backups, artifacts) is encrypted at rest using AES-256 or equivalent.

Standard communication channels (email, Slack, video) use encryption in transit. Client secrets are not transmitted over unencrypted channels.

Secrets are stored in dedicated vaults (AWS Secrets Manager, HashiCorp Vault, etc.) and never committed to version control.

Intellizu does not retain copies of client production data beyond active work sessions unless explicitly required and agreed upon in writing.

Engagement artifacts (docs, configs, credentials) are purged or transferred to client ownership within 30 days of engagement close.

All engineer workstations use full disk encryption (FileVault, BitLocker, or equivalent).

Workstations run active malware detection. Suspicious activity triggers immediate investigation.

Devices lock automatically after an idle period. Manual lock on leave is required practice.

Security patches are prioritized based on severity and applied on a risk-informed timeline. Systems are reviewed monthly for outstanding updates.

A documented IR plan defines roles, escalation paths, and communication templates for security events.

Clients are notified within 24 hours of any confirmed security event that affects their environment.

All security incidents result in a written post-mortem shared with affected clients within 5 business days.

Threats and changes—environmental, regulatory, and technological—are assessed at least annually. Identified risks are formally documented and tracked to resolution.

Security controls are reviewed at least annually to verify they are in place and operating effectively. Findings drive corrective action.

Intellizu maintains a list of SaaS tools and subprocessors used in delivery (communication, cloud providers, CI/CD). Available on request.

New tools that will access client data are evaluated for security posture before adoption.

Production code changes are reviewed through pull request workflows before deployment. Direct commits to main branches are not permitted.

Application dependencies are scanned for known vulnerabilities using automated tooling. Findings are triaged and remediated based on severity.

Deployment pipelines and build systems require authenticated access and are restricted to authorized personnel.

Development, staging, and production environments are logically separated. Production data is not used in non-production environments without explicit sanitization.

Critical systems and configuration data managed under retainer engagements are backed up on a defined schedule. Backups are encrypted at rest.

Backup restoration procedures are tested periodically to validate recovery integrity and confirm backups are usable.

Personnel with access to client systems complete periodic security awareness training covering current threat patterns and safe handling practices.

Engineers are trained to identify and report phishing attempts. Suspicious communications are escalated before action is taken.

Critical runbooks, architecture decisions, and access inventories are documented and not siloed with a single engineer.

Retainer clients can request a designated backup contact for urgent issues during primary engineer unavailability.

Structured offboarding ensures clients receive all documentation, credentials, and artifacts before engagement close.