Security Overview
Transparency in Our Operations
Keeping your data and our infrastructure secure is paramount. This page outlines the services we utilize, the types of data they may access, and the policies that govern our security posture.
Filter by Data Type Access:
Showing all services. Select data types above to filter.
Infrastructure Providers
- AWS (Amazon Web Services):Hosts core infrastructure, websites, backend functions, and DNS.
Utilizes various services including: Compute (EC2, Lambda), Storage (S3, DynamoDB), Networking (VPC, Route53, CloudFront, Transfer Family), Identity (IAM, Identity Center), Secrets Management (Secrets Manager, KMS), Monitoring (CloudWatch, CloudTrail, Config), Orchestration (Step Functions, EventBridge), Security (WAF), Backup, and AI (Amazon Q).
Data at Rest: Encrypted using AWS Key Management Service (KMS). Includes ECS/Client files, code, secrets, logs, backups.
Data in Transit: Encrypted via TLS.
Security: Access secured via M365 SSO with MFA via IAM Identity Center. Granular IAM policies, ControlTower, Organizations, and AWS Config enforce security best practices and least privilege. Client resources isolated in separate accounts.
Justification: Essential for hosting/operating cloud services, DNS, backend functions, and internal tools. - Microsoft Azure:Hosts security services (Microsoft Sentinel SIEM, EASM), multi-tenant management (Lighthouse), bot communications (Teams bot), and internal applications.
Data at Rest: Encrypted using Microsoft Managed Keys. Includes security logs, configuration data, application data, bot messages.
Data in Transit: Log data, management commands, bot messages, encrypted via TLS.
Security: Access secured via M365 SSO with MFA. Azure Lighthouse & Role-Based Access Control (RBAC) enforce least privilege for multi-tenant management.
Justification: Core platform for centralized security monitoring (SIEM), external attack surface management, client environment management, and internal automation.
Identity & Access Management
- Microsoft 365 / Entra ID:Primary identity provider for Single Sign-On (SSO).
Configuration: Tenant secured with strong MFA policies, real-time risk analysis, and conditional access rules.
SSO Integrations: Used for AWS, HaloPSA, Hudu, N-Central, KnowBe4, 3CX, Telnyx, Hubspot, Keeper, Dmarcian, Microsoft products, and other integrated services.
Data Accessed: User identity details, login activity, group memberships.
Justification: Centralizes authentication and enforces consistent security policies across integrated platforms. - Duo SSO:Provides secondary Multi-Factor Authentication (MFA) and Single Sign-On (SSO) for specific applications.
Data Handled: User directory info (names, emails), policy configuration, authentication logs.
Security: Secure protocols, admin access controls. Used where M365 SSO is not available or as an additional factor.
Justification: Secures logins to specific integrated applications and servers for ECS staff or clients. - Microsoft Intune:Cloud-based service focusing on mobile device management (MDM) and mobile application management (MAM).
Part of the Microsoft 365 suite, integrated with Entra ID.
Functionality: Enforces device compliance policies, configures device settings, manages applications, protects company data on managed devices.
Data Handled: Device inventory, hardware details, OS versions, application inventory, compliance status, user-device association, configuration policies, security logs.
Security: Relies on M365/Entra ID security (SSO, MFA, Conditional Access). Policies control data access and security posture.
Justification: Essential for managing and securing company and potentially client endpoints (computers, mobile devices) accessing corporate resources.
Communication & Collaboration Tools
- Microsoft 365 Suite (Teams, SharePoint, OneDrive, Outlook):Core platform for internal/external communication, file storage, and collaboration. Includes Teams, SharePoint, OneDrive, Outlook.
Data Handled: Emails, chat logs, meeting recordings/transcripts, internal documents, potentially shared client files.
Data Storage: Files stored in SharePoint/OneDrive, messages in respective services.
Security: Relies on M365 security stack (MFA via Entra ID, conditional access, data loss prevention policies). Also includes Mobile Device Management (MDM) capabilities via Intune policies.
Justification: Facilitates internal communication, collaboration, client interaction, and device management. - Zoom:Backup video conferencing platform.
Data Handled: Meeting metadata, potentially cloud recordings/transcripts.
Data in Transit: Meeting audio/video streams.
Security: Meeting passwords, waiting rooms configured. Access via M365 SSO where applicable.
Justification: Provides redundant video communication capability. - 3CX:Primary phone system platform.
Data Handled: Call logs, voicemails, configuration data, call recordings.
Data in Transit: Voice call data via VoIP carriers.
Security: Access control via M365 SSO with MFA, utilizes secure VoIP protocols (SRTP/TLS).
Justification: Handles business telephone communications. - Telnyx:Primary VoIP carrier, routes calls.
Data Handled: Call Detail Records (CDRs), voice call data during transit. Calls may be recorded by Telnyx before secure transfer to AWS S3 storage per our Communications Policy.
Security: API keys secured via approved Secrets Management tools, supports TLS/SRTP encryption. Access via M365 SSO with MFA.
Justification: Connects 3CX phone system to the public telephone network. - Twilio:Secondary VoIP carrier/SMS provider.
Data Handled: CDRs, SMS logs, voice calls/SMS messages during transit.
Security: API keys secured via approved Secrets Management tools, supports TLS/SRTP encryption.
Justification: Provides redundant voice termination and SMS capabilities.
Developer Tools
- GitHub:Hosts ECS and potentially client code repositories.
Data Handled: Source code, commit history, ECS/Company secrets (if improperly committed).
Security: MFA enforced via organizational policy requiring MFA and periodic audits. Branch protection rules and secret scanning enabled (including GitHub Secrets as an approved manager). Accidental commitment of secrets is automatically scanned for and treated as a P1 Incident, even in private repositories. Data handling governed by GitHub Privacy Policy.
Justification: Essential for version control and collaborative development. - VSCode:Local development environment; extensions may connect to services.
Data Handled: Primarily local code. Extensions may handle secrets or transit data.
Security: Relies on local machine security and extension security. Avoid storing secrets in workspace files.
Justification: Primary tool for writing code and scripts. - GitHub Copilot:AI code completion service.
Data Handled: Code snippets sent for analysis.
Security: Uses paid tier configured to prevent code snippet retention and model training. Data handling governed by GitHub Privacy Policy.
Justification: Improves developer productivity. - Thunderclient:API testing tool (VSCode extension).
Data Handled: API request collections, potentially embedded secrets (if saved locally).
Security: Relies on local storage security. Store secrets in approved Secrets Management tools, not directly in collections.
Justification: Facilitates API development and testing. - DeepSource:Analyzes code for quality and security issues.
Data Handled: Source code during analysis, analysis results.
Security: Access via GitHub App using M365 SSO credentials.
Justification: Automated code review to improve security and maintainability. - Docker:Containerization platform for packaging applications.
Data Handled: Container images (may contain code/dependencies).
Security: Image scanning policies enforced, use of secure base images preferred.
Justification: Standardizes deployment environments. - MongoDB:Database used for internal applications (e.g., website backend, customer dashboard cache).
Data Handled: Application data, cached customer details (names, contacts), endpoint names, billing history, potentially configuration containing secrets.
Security: Access control enforced, encryption at rest/transit configured.
Justification: Data persistence and performance caching for specific internal tools. - Graph Explorer:Tool for interacting with Microsoft Graph API (M365 data).
Data Handled: M365 data (User details, emails, files, etc.) during API calls.
Security: Uses user authentication context (M365 SSO).
Justification: Testing and exploring M365 API capabilities. - OpenAI API:Provides access to AI models for internal automation and service enhancement (e.g., summarization, transcription).
Data Handled: Prompts and responses sent to API, potentially containing communication data or internal documents.
Security: Uses paid tier configured to prevent data retention and model training. API keys secured via approved Secrets Management tools. Data handling governed by OpenAI Privacy Policy.
Justification: Powers AI features in internal tools and service delivery. - Cursor:AI-powered code editor used as an alternative to VSCode by some developers. Integrates with AI models like Gemini and Claude.
Data Handled: Code context sent for AI features.
Security: Used on a paid tier with privacy features enabled to prevent code retention or model training. Relies on local machine security. See Cursor Privacy Policy.
Justification: AI assistance for improving developer productivity within the code editor. - Google Gemini API:Provides access to Google AI models for script/automation/software development, often via integrations like Cursor.
Data Handled: Prompts and code context sent to API.
Security: Uses paid tier/configuration ensuring data is not used for model training. API keys secured via approved Secrets Management tools. Governed by Google API & Privacy Policies.
Justification: Powers AI features in development tools. - Anthropic Claude API:Provides access to Anthropic AI models for script/automation/software development, often via integrations like Cursor.
Data Handled: Prompts and code context sent to API.
Security: Uses paid tier/configuration ensuring data is not used for model training. API keys secured via approved Secrets Management tools. Governed by Anthropic Privacy Policy.
Justification: Powers AI features in development tools. - Python:Programming language runtime. No data stored or transited inherently.
- JavaScript, Node, Express:Web development runtime. No data stored or transited inherently.
- PowerShell:Scripting runtime. No data stored or transited inherently.
- ChatGPT (Web UI):AI assistant used via web interface for research, troubleshooting ideas, content generation.
Data Handled: Prompts entered by staff. Usage governed by internal policy prohibiting input of sensitive client/ECS data.
Security: Uses paid tier configured to prevent data retention and model training. Governed by OpenAI Privacy Policy.
Justification: Assists staff with information gathering and non-sensitive problem-solving.
Sales & Marketing Tools
- Hubspot:Manages customer relationships, sales pipelines, and marketing activities.
Data Handled: Contact details, company info, communication logs, deal info.
Security: Access secured via M365 SSO with MFA, role-based permissions.
Justification: Centralizes sales, marketing, and customer service interactions. - Quickbooks Online:Handles company accounting and invoicing.
Data Handled: Financial records, client/vendor details, invoice data.
Security: MFA enforced, role-based access.
Justification: Core financial management. - Mailchimp:Sends marketing emails and newsletters.
Data Handled: Email lists (contact details), campaign stats.
Security: Account security features utilized, including MFA.
Justification: Bulk email communication for marketing. - Google Analytics:Tracks website visitor behavior.
Data Handled: Anonymized/aggregated usage statistics.
Security: Access controlled via Google accounts with MFA.
Justification: Understand website traffic and user engagement. - LinkedIn:Professional networking and marketing platform.
Data Handled: ECS company profile, employee connections, ad campaign data.
Security: Account security features utilized, including MFA.
Justification: Marketing, recruitment, networking. - Facebook:Social media interaction. No client/code data access specified.
Justification: Marketing and brand presence. - TikTok:Social media interaction. No client/code data access specified.
Justification: Marketing and brand presence. - Twitter / X:Social media interaction and marketing platform.
Data Handled: ECS company profile, posts, interactions.
Security: Account security features utilized, including MFA.
Justification: Marketing and brand presence.
Social Media Management
- Buffer:Schedules and publishes posts to social media platforms.
Data Handled: Social media account credentials (tokenized), post content, scheduling information.
Security: Access secured via M365 SSO where possible, MFA enforced.
Justification: Centralized scheduling for social media marketing. - Loomly:Collaborative platform for social media content planning and approval.
Data Handled: Social media credentials (tokenized), post drafts, analytics data.
Security: Access secured via M365 SSO where possible, MFA enforced.
Justification: Team collaboration and workflow management for social media.
Support Tools
- HaloPSA:Primary platform for ticketing, client management, and service delivery.
Data Handled: Client details, contact info, ticket history, communication logs, configurations. ECS policy prohibits intentional storage of secrets in tickets; credentials received via email are remediated. Integration API keys (Company/ECS Secrets) may be stored securely within HaloPSA in a non-human-readable format.
Security: Access secured via M365 SSO with MFA, role-based permissions control data visibility.
Justification: Core tool for managing client support and services. - Hudu:Documentation and password management platform.
Data Handled: Client/ECS documentation, configurations, procedures, stored secrets (client and ECS).
Security: Access secured via M365 SSO with MFA, role-based permissions, audit logs track access. One of the approved Secrets Management tools.
Justification: Centralized knowledge base and secure password storage. - N-Central (N-Able):Remote Monitoring and Management (RMM) tool. Includes remote access via N-Able Take Control.
Data Handled: Client device information, performance metrics, software inventory, remote access session data, logs.
Security: Access secured via M365 SSO with MFA, agent communication encrypted, role-based access control.
Justification: Monitors and manages client endpoints and servers, provides primary remote support access. - ConnectWise Control:Secondary remote access and support tool (formerly ScreenConnect).
Data Handled: Remote screen data, session logs, file transfer logs (if used).
Security: Access secured via M365 SSO with MFA, sessions encrypted, role-based permissions.
Justification: Provides redundant/alternative secure remote support access. - N-Able N-sight:Legacy Remote Monitoring and Management (RMM) platform.
Data Handled: Similar to N-Central, but for specific remaining clients.
Security: Access secured via M365 SSO with MFA, role-based access.
Justification: Supports clients not yet migrated to N-Central. - N-Able Cove Data Protection:Cloud backup and recovery platform.
Data Handled: Client backup data (files, system state, M365 data), backup job logs.
Security: End-to-end encryption, MFA enforced for console access, secure data centers.
Justification: Provides secure, managed backup services for client data protection. - CIPP (Cyberdrain Improvement Platform):Utility for managing Microsoft 365 tenants.
Data Handled: M365 tenant connection info (securely stored), standardized scripts, logs of actions performed.
Data in Transit: M365 API calls/responses.
Security: Relies on secure M365 API access credentials (stored in approved Secrets Manager).
Justification: Streamlines common M365 administrative tasks across multiple clients. - ImmyBot:Platform for endpoint deployment, configuration, and task automation.
Data Handled: Scripts, deployment configurations, task logs, potentially credentials for automation tasks (stored securely).
Data in Transit: Scripts, commands, software packages sent to endpoints.
Security: MFA enforced, secure agent communication.
Justification: Automates endpoint setup and repetitive maintenance tasks.
Security Tools
- Keeper Security:Password management and secrets vault.
Data Handled: Stored ECS and client credentials/secrets.
Security: Access secured via M365 SSO with MFA, zero-knowledge encryption architecture, audit logs track access. One of the approved Secrets Management tools.
Justification: Secure storage and sharing of sensitive credentials. - KnowBe4:Security awareness training and simulated phishing platform.
Data Handled: Employee names/emails, training progress, phishing simulation results.
Security: Access secured via M365 SSO with MFA.
Justification: Trains users to recognize and avoid security threats. - Dmarcian:Monitors DMARC records for email authentication.
Data Handled: Aggregated DMARC reports (sender domains, IP addresses, counts), potentially forensic failure reports (email headers).
Security: Access secured via M365 SSO with MFA.
Justification: Helps prevent email spoofing and phishing. - Microsoft Sentinel:Security Information and Event Management (SIEM) and Security Orchestration, Automation, and Response (SOAR) platform.
Data Handled: Security logs from various sources (M365, Azure, endpoints, firewalls), incident data.
Security: Runs within Azure, access controlled via M365 SSO/RBAC.
Justification: Centralized security log aggregation, threat detection, and response orchestration. - Microsoft Defender Suite:Integrated suite for endpoint, email, identity, and cloud app security. Includes components like Defender for Endpoint P2, Defender for Business, Defender for 365.
Data Handled: Endpoint security events, file hashes, process information, vulnerabilities, cloud configurations, email metadata/attachments (for scanning), device compliance data (via Intune integration).
Security: Integrated with M365/Azure, access controlled via M365 SSO/RBAC.
Justification: Provides comprehensive threat protection, EDR, vulnerability management, and visibility across endpoints, identities, and cloud resources. - Sentinel One:Endpoint Detection and Response (EDR) platform.
Data Handled: Endpoint agent logs, threat intelligence data, policy configurations, file/process data.
Security: Secure agent communication, platform access controls with MFA.
Justification: Provides advanced endpoint threat detection, investigation, and response for specific client environments. - Mimecast:Email security gateway providing filtering, archiving, and continuity.
Data Handled: Inbound/outbound client email traffic, quarantined emails, archived emails, security logs.
Security: Secure connections (TLS), platform security measures. Access controlled by MFA.
Justification: Protects client email from threats and provides archiving/continuity features. - Adlumin MDR:Managed Detection and Response (MDR) service correlating logs and alerts.
Data Handled: Aggregated security logs from client sources, alert data, case information.
Data in Transit: Secure log streams.
Security: Platform access controls with MFA.
Justification: Provides advanced threat detection and response capabilities through log correlation and expert analysis. - ThreatLocker:Application whitelisting, ringfencing, and endpoint policy enforcement.
Data Handled: Application execution logs, policy configurations, file hashes.
Security: Platform access controls with MFA, secure agent communication.
Justification: Prevents unauthorized applications (malware) from running via allowlisting and ringfencing. - LastPass:Password management solution (potentially alongside Keeper).
Data Handled: Encrypted password vaults.
Security: Zero-knowledge encryption, MFA enforced.
Justification: Securely stores and shares credentials for specific users/teams.
Management Tools
- AWS Secrets Manager:Secure storage for secrets used by AWS services and internal applications.
Data Handled: API keys, database credentials, other secrets.
Security: Managed within AWS, access controlled by IAM (using M365 SSO), encryption at rest (KMS), audit logs.
Justification: One of the approved Secrets Management tools, tightly integrated with AWS. - Apple Business Manager:Facilitates deployment and management of Apple devices.
Data Handled: Device serial numbers linked to ECS, managed Apple IDs (if used). Integrates with MDM (Intune).
Security: Access controlled by managed Apple IDs with MFA.
Justification: Required for zero-touch deployment and corporate management of Apple devices. - ScalePad (Lifecycle Manager):Provides hardware/software asset visibility, warranty lookups, and reporting.
Data Handled: Aggregated asset data (from RMM/PSA/Cloud), warranty information, lifecycle reports.
Security: API keys secured via approved Secrets Manager, role-based access, access via M365 SSO.
Justification: Automates asset lifecycle tracking and reporting for QBRs and planning.
Partner Management
- AWS Partner Central:Portal for managing AWS partnership, registering deals, and accessing resources.
Data Handled: ECS partnership details, deal registration information (may include limited client contact/company names), training records.
Security: Access via AWS account credentials with MFA (linked to M365 SSO).
Justification: Required for AWS partnership program participation and benefits. - Microsoft Partner Center:Portal for managing Microsoft partnership and client Cloud Solution Provider (CSP) licenses.
Data Handled: ECS partnership details, client tenant list, license assignments, support requests.
Security: Access secured via M365 SSO with MFA.
Justification: Required for Microsoft partnership and CSP license management.
Vendor Portals & License Management
- 888VoIP:Portal for VoIP hardware distribution partner.
Data Handled: ECS account details, order history.
Security: Standard portal login, MFA enforced.
Justification: Procurement of VoIP hardware. - Pax8:Cloud marketplace and distributor portal.
Data Handled: ECS account details, client license/subscription assignments (M365, other software), order history.
Security: Access secured via M365 SSO with MFA.
Justification: Procurement and management of cloud licenses and software for ECS and clients. - TD Synnex:Portal for hardware/software distribution partner.
Data Handled: ECS account details, potentially order history linked to clients.
Security: Standard portal login, MFA enforced.
Justification: Procurement of hardware/software.
Infrastructure Management
- FortiCloud:Cloud management platform for Fortinet firewalls and SD-WAN.
Data Handled: Firewall configurations, logs, device inventory.
Data in Transit: Configuration changes, log uploads, management commands.
Security: Access secured via M365 SSO with MFA, role-based access.
Justification: Centralized management and monitoring of client Fortinet devices. - Plesk / Plesk360:Web server control panel used on hosting servers. Managed via Plesk360 for SSO.
Data Handled: Website files, databases, configurations, server access credentials (stored within Plesk).
Security: Access controlled via Plesk360 platform login
Justification: Manages client and internal web hosting environments.
Reporting & Analytics
- Lifecycle Insights:Aggregates data for asset management and business reviews (QBRs).
Data Handled: Client asset lists, warranty info, assessment data (pulled from other tools like RMM, PSA, M365).
Security: API keys for platform access secured by platform in write-only interface
Justification: Provides insights into client IT environment for strategic planning and QBRs. - CloudCapsule:Analyzes Microsoft 365 tenant security posture and generates reports.
Data Handled: Analysis reports, tenant configuration snapshots (read-only via M365 API).
Security: Uses secure M365 API access (read-only permissions).
Justification: Provides security assessments and reporting for M365 environments.
Migration Tools
- SkyKick:Platform for automating Microsoft 365 migrations and backups.
Data Handled: Migration project details, M365 data during transit (encrypted), M365 backup data (encrypted at rest).
Security: End-to-end encryption, platform access controlled by MFA.
Justification: Facilitates complex M365 transitions and provides M365-specific backup solution.
Legacy Systems
- RepairShoppr:Legacy ticketing/billing system archive.
Data Handled: Historical client details, tickets, invoices, potentially related files.
Data in Transit: Minimal (archive access only).
Security: Access limited and controlled.
Justification: Provides access to historical client records from previous system.
Operating Systems
- Microsoft Windows (Desktop & Server):Primary operating system for employee workstations and application servers.
Data Handled: Hosts applications that process various data types. Stores local files, logs.
Security: Managed via Intune/Defender policies, Active Directory/Entra ID integration, regular patching.
Justification: Standard corporate desktop and server environment. - Apple macOS:Used on specific employee workstations for designated workflows.
Data Handled: Hosts applications, stores local files, logs.
Security: Managed via Intune policies where applicable, standard macOS security features, patching.
Justification: Supports specific business or development needs. - Apple iOS:Operating system for company-owned mobile devices used by employees.
Data Handled: Hosts mobile applications, potentially stores local data/cache, logs.
Security: Managed via Intune MDM policies, device passcodes, encryption.
Justification: Standard mobile operating system for corporate devices. - Ubuntu Linux:Used as the base OS for Plesk web hosting servers and Session Border Controllers (SBCs).
Data Handled: Hosts web applications/files, SBC configuration/logs.
Security: Hardened configurations, regular patching, network security controls.
Justification: Common Linux distribution for specific server roles. - Debian Linux:Used as the base OS for 3CX VoIP servers.
Data Handled: Hosts 3CX application, stores call logs, voicemails, configuration.
Security: Hardened configurations, regular patching.
Justification: Recommended OS for 3CX deployments. - FortiOS:Operating system for Fortinet network security appliances (firewalls, etc.).
Data Handled: Network traffic logs, firewall rules, device configuration.
Security: Managed via FortiCloud, regular firmware updates.
Justification: OS for network security infrastructure.
Security Policies & Practices
Our commitment to security is formalized through comprehensive policies, procedures, and standard practices. Key points include:
- Identity & Access: We utilize Microsoft 365 / Entra ID as our primary identity provider, enforcing strong MFA, real-time risk analysis, and conditional access policies for integrated applications.
- Data Encryption: Data at rest is encrypted using platform-managed keys (e.g., AWS KMS in AWS, Microsoft Managed Keys in Azure). Data in transit is protected using TLS encryption.
- Secrets Management: API keys and sensitive credentials are stored exclusively in approved, audited systems like AWS Secrets Manager, Keeper, or Hudu.
- Source Code Security: Access to code repositories (GitHub) is protected by MFA, organization policies, periodic audits, automatic security scanning/linting, and automated secret scanning.
- AI Platform Usage: For all AI platforms (e.g., OpenAI API, GitHub Copilot), we utilize paid tiers configured to prevent data ingestion for model training and human review, ensuring confidentiality. See linked provider policies for details.
- Communications Policy: All business communications (emails, calls, messages, meetings) may be subject to recording, logging, and analysis (including by AI) for purposes of service provision/improvement, security, training, and documentation.
- Cloud Backup Security: Our standard cloud backups utilize robust encryption both in transit and at rest. We aim for standard RTOs/RPOs suitable for business continuity, with specific details available in client agreements or BC/DR plans.
- Privacy Policy: Details our practices regarding personal information across all Services (Website and MSP). View Privacy Policy.
- Formal Documents: Comprehensive details are available in our internal Data Protection Policy, Business Continuity/Disaster Recovery (BC/DR) Policy, and Incident Response Plan. Access to additional documents may be available upon request for clients under NDA.
For specific questions or document requests (where applicable), please contact us.