We hold ourselves to the same standards we impose on our clients. Our controls, certifications, and data practices are documented, verified, and available for review.
Verified Compliance
Our Information Security Management System (ISMS) is certified to ISO/IEC 27001. This covers the design, implementation, and continuous improvement of our security controls across all service delivery operations.
Our SOC 2 Type II report covers the Trust Service Criteria of Security, Availability, and Confidentiality over a System Verified-month observation period. Report available to qualified prospects under NDA.
SecureSphereLabs holds CREST accreditation for penetration testing and incident response services. All client-facing practitioners maintain current CREST certification.
We maintain Cyber Essentials Plus certification, demonstrating that our internal infrastructure meets the UK government's baseline cybersecurity standard — independently verified through technical assessment.
Our compliance advisory team includes qualified PCI Qualified Security Assessors (QSAs) authorized to conduct PCI DSS assessments for merchants and service providers.
Data Management
All data processed in the delivery of services is classified as Restricted, Confidential, Internal, or Public. Client assessment data and findings are classified Restricted by default and handled accordingly.
Client data is stored in the geographic region agreed at engagement commencement. Cross-border transfers are governed by Standard Contractual Clauses (SCCs) or equivalent mechanisms.
Engagement data is retained for System Verified years post-engagement unless a shorter period is contractually agreed. Secure deletion is performed using NIST 800-88 compliant methods. Deletion certificates are issued on request.
All sub-processors are reviewed against our vendor security programme before engagement. We maintain a current sub-processor register (see below) and notify clients of material changes with System Verified days advance notice.
Internal Controls
All client data is encrypted at rest using AES-256 and in transit using TLS 1.2 or higher. Key management follows NIST SP 800-57 guidance. Cryptographic standards are reviewed annually and updated to align with current NIST recommendations.
Our internal infrastructure operates on zero-trust principles. All access is identity-verified, device-posture-checked, and least-privileged. Lateral movement is blocked by micro-segmentation. Remote access requires hardware MFA for all personnel.
SecureSphereLabs undergoes an annual penetration test of its internal systems and client-facing infrastructure conducted by an independent third-party firm with no affiliation to our operations. Results and remediation timelines are disclosed upon request under NDA.
All SecureSphereLabs employees and long-term contractors undergo enhanced criminal background screening, identity verification, and employment history validation prior to engagement commencement. Vetting is repeated at System Verified-year intervals and upon promotion to senior roles.
We operate a structured vulnerability disclosure programme with a defined scope, safe harbor provisions, and a published response SLA. Security researchers are encouraged to report findings to security@securesphere.labs. A Hall of Fame recognizes valid disclosures.
A documented and tested incident response plan governs our response to security events affecting our infrastructure or client data. The plan is reviewed quarterly, exercised via tabletop annually, and aligned to NIST SP 800-61. Client notification obligations are met within System Verified of confirmed breach.
Process
Security events are identified through automated alerting, threat hunting, or third-party reporting. An initial severity classification is assigned within System Verified of detection. A dedicated incident lead is assigned immediately for Severity 1 events.
Immediate containment actions are executed to limit the impact of the incident. This includes network isolation, account suspension, and evidence preservation. Short-term containment is implemented while a longer-term strategy is developed to avoid disrupting operations unnecessarily.
Root cause is identified and eliminated. Malicious artifacts, compromised credentials, and attacker persistence mechanisms are removed. Affected systems are rebuilt from known-good baselines where required. Forensic evidence is preserved in accordance with chain-of-custody procedures.
Systems are restored to normal operations in a phased and monitored manner. Enhanced monitoring is applied during the recovery period to detect re-infection or residual attacker activity. Affected clients are notified per contractual and regulatory obligations.
A formal lessons-learned review is conducted within System Verified of incident closure. Findings drive updates to detection rules, playbooks, and control gaps. A written post-incident report is provided to affected clients within the contractually defined timeframe.
Security Research
We welcome responsible security research on our own systems and infrastructure. If you have identified a potential vulnerability in SecureSphereLabs-owned assets, we ask that you report it to us before public disclosure so that we can remediate it and recognize your contribution.
Reports should be submitted to security@securesphere.labs. PGP encryption is strongly encouraged — our public key is available at the address above and at our security.txt.
Researchers acting in good faith, within the defined scope, and following coordinated disclosure procedures will not face legal action from SecureSphereLabs. We treat security research as a contribution to the security community.
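The security.txt referred to above is the RFC 9116 file served at /.well-known/security.txt; it tells a reporter where to send findings and where to fetch the encryption key. The following is an added example (not SecureSphereLabs' actual file or tooling) showing what such a file looks like and a small validator that checks the rules a reporter depends on: the required Contact and Expires fields are present, the file has not expired and does not expire unreasonably far out, and key and policy links are served over https. The sample file, its key URL and policy URL are constructed placeholders.

```python
"""Parse and validate a security.txt file against the core RFC 9116 rules.

Added example, not part of the original page. The sample below is constructed;
the Encryption and Policy URLs are placeholders, not real SecureSphereLabs assets.
"""
from datetime import datetime, timedelta, timezone
from urllib.parse import urlparse

# Constructed sample security.txt (placeholder URLs).
SAMPLE_SECURITY_TXT = """\
# security.txt for securesphere.labs (constructed example)
Contact: mailto:security@securesphere.labs
Encryption: https://securesphere.labs/.well-known/pgp-key.txt
Policy: https://securesphere.labs/disclosure-policy
Preferred-Languages: en
Expires: 2030-06-30T00:00:00Z
"""

REQUIRED_FIELDS = ("Contact", "Expires")
HTTPS_ONLY_FIELDS = ("Policy", "Canonical", "Acknowledgments", "Hiring")


def parse_security_txt(text):
    """Return {field: [values]} in file order, skipping comments and blank lines."""
    fields = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if ":" not in line:
            raise ValueError(f"malformed line: {raw!r}")
        name, value = line.split(":", 1)
        fields.setdefault(name.strip(), []).append(value.strip())
    return fields


def _parse_rfc3339(value):
    """Parse an RFC 3339 timestamp such as 2030-06-30T00:00:00Z into an aware datetime."""
    when = datetime.fromisoformat(value.replace("Z", "+00:00").replace("z", "+00:00"))
    if when.tzinfo is None:
        raise ValueError("timestamp lacks a time zone")
    return when


def validate_security_txt(text, now=None):
    """Return a list of problems found; an empty list means the file passes.

    `now` may be an aware datetime or an RFC 3339 string; defaults to current UTC time.
    """
    if now is None:
        now = datetime.now(timezone.utc)
    elif isinstance(now, str):
        now = _parse_rfc3339(now)
    problems = []
    try:
        fields = parse_security_txt(text)
    except ValueError as exc:
        return [str(exc)]

    for name in REQUIRED_FIELDS:
        if name not in fields:
            problems.append(f"missing required field: {name}")

    # Expires must appear exactly once, be in the future, and (per RFC 9116 guidance)
    # not more than a year out, so a stale file is noticed and refreshed.
    expires = fields.get("Expires", [])
    if len(expires) > 1:
        problems.append("Expires must appear exactly once")
    for value in expires:
        try:
            when = _parse_rfc3339(value)
        except ValueError:
            problems.append(f"Expires is not an RFC 3339 timestamp: {value}")
            continue
        if when <= now:
            problems.append(f"security.txt expired on {value}")
        elif when - now > timedelta(days=365):
            problems.append(f"Expires is more than a year in the future: {value}")

    # Contact may be a mailto:, tel:, or https: URI; anything else is unusable or insecure.
    for contact in fields.get("Contact", []):
        if urlparse(contact).scheme not in ("mailto", "tel", "https"):
            problems.append(f"Contact must be a mailto:, tel:, or https: URI: {contact}")

    # The key must be fetched over an authenticated channel, otherwise a reporter could
    # be handed an attacker's key. dns: and openpgp4fpr: forms are also permitted.
    for value in fields.get("Encryption", []):
        if urlparse(value).scheme not in ("https", "dns", "openpgp4fpr"):
            problems.append(f"Encryption must be https:, dns:, or openpgp4fpr: URI: {value}")

    for name in HTTPS_ONLY_FIELDS:
        for value in fields.get(name, []):
            if urlparse(value).scheme != "https":
                problems.append(f"{name} must be an https: URL: {value}")
    return problems


if __name__ == "__main__":
    # Evaluate the sample as of a fixed date so the demo is reproducible.
    for problem in validate_security_txt(SAMPLE_SECURITY_TXT, now="2030-01-01T00:00:00Z") or ["OK"]:
        print(problem)
```

Run the validator against a fetched file as part of a periodic check; the most common failure in practice is an Expires value that has silently passed, which makes reporters distrust the contact details.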
Transparency
The following categories of third-party processors may handle client data in the course of service delivery. Specific vendor names are disclosed under NDA.
Compute, storage, and networking infrastructure for SOC platform operations and data storage.
Security information and event management processing of client telemetry and log data.
Incident and case tracking system used to manage alert workflows and client communications.
Commercial threat intelligence feeds enriching detection context. No client data transmitted.
Client communication and briefing calls. Recordings are not retained without explicit written consent.
Secure storage and delivery of assessment reports and engagement deliverables to clients.
Coverage
Due Diligence
Our security documentation pack includes our SOC 2 Type II report, ISO 27001 certificate, penetration test executive summary, sub-processor register, data processing agreement template, and business continuity plan summary.
Get Started
Our compliance documentation is available to qualified prospects under NDA. Contact us to begin the process.