
Security Practices Overview

Updated June 2025

An overview of the technical and organizational security measures BRANDED IAM implements to protect your data.

The security of your data is a core responsibility we take seriously. This article summarizes the technical and organizational security controls we maintain across our systems and operations.

Technical Controls

  • Encryption in transit: All communication between your browser and our servers uses TLS 1.2 or higher. API communications are also fully encrypted.
  • Encryption at rest: Database and file storage is encrypted at rest using AES-256. This means even in the unlikely event of physical storage media theft, your data is unreadable.
  • Authentication: All BRANDED IAM employee accounts use strong passwords and mandatory MFA. No employee can access production systems without multiple authentication factors.
  • Access control: Internal access to client data follows the principle of least privilege — employees can only access the systems and data needed for their specific role. Access is reviewed quarterly.
  • Penetration testing: External security researchers conduct annual penetration tests on our public-facing systems. Findings are remediated based on severity within defined SLA windows.

Organizational Controls

  • Employee security training: All BRANDED IAM employees complete security awareness training at hire and annually thereafter, including phishing simulation exercises.
  • Incident response plan: A documented, tested incident response plan is in place. All employees know their roles in the event of a security incident.
  • Vendor security review: All third-party vendors who process client data are reviewed for security compliance before onboarding and annually thereafter.

Reporting a Security Vulnerability

If you discover a potential security vulnerability in BRANDED IAM's systems, please report it responsibly to [email protected]. We have a responsible disclosure process and will respond to reports within 48 hours.
