Last Updated: January 15, 2025
Version: 1.0
This document provides comprehensive information about Actuals' security measures, compliance frameworks, and technical safeguards implemented to protect customer data and ensure service availability.

Security Commitment
Actuals is committed to maintaining the highest standards of information security. We implement industry-leading security practices and are actively working toward achieving ISO 27001 certification and SOC 2 Type II compliance.
Our security program is built on the following foundations:
Security by Design: Security considerations integrated into all development processes
Risk-Based Approach: Regular risk assessments and threat modeling
Continuous Monitoring: 24/7 security monitoring and incident response
Compliance First: Adherence to industry standards and regulations
Regular Audits: Internal and external security assessments

We align our security practices with the following frameworks:
ISO 27001: Information Security Management System (in progress)
SOC 2 Type II: Service Organization Control (in progress)
GDPR: General Data Protection Regulation compliance
CCPA: California Consumer Privacy Act compliance
NIST Cybersecurity Framework: Risk management and security controls

Our infrastructure is hosted on leading cloud platforms:
Primary Cloud Provider: Amazon Web Services (AWS)
Secondary Providers: Google Cloud Platform, Microsoft Azure
Certifications: All providers maintain SOC 2, ISO 27001, and other certifications
Data Centers: Tier III/IV data centers with physical security controls
Redundancy: Multi-region deployment for high availability
Firewalls: Next-generation firewalls with intrusion prevention
Network Segmentation: Isolated network zones for different services
DDoS Protection: Distributed denial-of-service attack mitigation
VPN Access: Secure remote access for authorized personnel
Load Balancing: Distributed traffic management and failover
Hardening: Security-hardened operating systems and configurations
Patch Management: Automated security updates and vulnerability patching
Monitoring: Real-time system monitoring and alerting
Backup Systems: Regular backups with tested recovery procedures
Antimalware: Enterprise-grade endpoint protection

We implement comprehensive encryption across all data states:
Data at Rest: AES-256 encryption for all stored data
Data in Transit: TLS 1.3 for all network communications
Database Encryption: Transparent data encryption (TDE) for databases
Backup Encryption: All backups encrypted with separate key management
Key Management: Hardware Security Modules (HSMs) for key storage

We classify data based on sensitivity levels:
Public: Information that can be freely shared
Internal: Information for internal use only
Confidential: Sensitive business information
Restricted: Highly sensitive data requiring special handling
Personal Data: Information subject to privacy regulations
Content Inspection: Automated scanning for sensitive data
Policy Enforcement: Automated blocking of unauthorized data transfers
Monitoring: Real-time monitoring of data movement
Reporting: Detailed logs and alerts for security incidents
Multi-Factor Authentication (MFA): Required for all system access
Single Sign-On (SSO): Centralized authentication management
Strong Password Policy: Enforced complexity and rotation requirements
Biometric Authentication: Available for high-security access
Session Management: Automatic timeout and session monitoring
Role-Based Access Control (RBAC): Granular permission management
Principle of Least Privilege: Minimum necessary access rights
Segregation of Duties: Critical operations require multiple approvals
Regular Access Reviews: Quarterly access certification process
Privileged Access Management: Special controls for administrative access
User Provisioning: Automated account creation and configuration
Access Modifications: Workflow-based permission changes
Deprovisioning: Immediate access revocation upon termination
Audit Trails: Complete logging of all access changes
Security Requirements: Security considerations in all development phases
Threat Modeling: Risk assessment for all new features
Code Reviews: Mandatory security-focused code reviews
Static Analysis: Automated security testing in CI/CD pipeline
Dynamic Testing: Runtime security testing and penetration testing
OWASP Top 10: Protection against common web vulnerabilities
Input Validation: Comprehensive input sanitization and validation
Output Encoding: Prevention of injection attacks
Session Security: Secure session management and CSRF protection
API Security: OAuth 2.0, rate limiting, and API gateway protection
Model Security: Protection against adversarial attacks
Data Poisoning Prevention: Input validation and anomaly detection
Model Versioning: Secure model deployment and rollback procedures
Privacy-Preserving ML: Differential privacy and federated learning
Explainable AI: Transparent and auditable AI decision-making
SIEM (Security Information and Event Management): Centralized log analysis
Real-time Alerting: Immediate notification of security events
Threat Intelligence: Integration with threat intelligence feeds
Behavioral Analytics: User and entity behavior analysis
Vulnerability Scanning: Regular automated security scans
24/7 Security Operations Center (SOC): Round-the-clock monitoring
Incident Response Team: Dedicated team for security incidents
Response Procedures: Documented incident response playbooks
Forensic Analysis: Digital forensics capabilities
Communication Plan: Stakeholder notification procedures
Disaster Recovery: Comprehensive DR plan with regular testing
Backup Strategy: Multiple backup locations and recovery points
High Availability: 99.9% uptime SLA with redundant systems
Failover Procedures: Automated failover to backup systems
Security Assessments: Comprehensive evaluation of all vendors
Contractual Requirements: Security clauses in all vendor agreements
Ongoing Monitoring: Regular review of vendor security posture
Incident Coordination: Joint incident response procedures
Background Checks: Comprehensive screening for all employees
Security Training: Regular security awareness training
Confidentiality Agreements: All staff sign confidentiality agreements
Security Clearance: Role-based security clearance levels
Termination Procedures: Secure offboarding process
Regular Training: Quarterly security awareness sessions
Phishing Simulations: Regular phishing awareness tests
Security Policies: Comprehensive security policy documentation
Incident Reporting: Clear procedures for reporting security concerns
Access Control: Badge-based access to office facilities
Visitor Management: Escort requirements for all visitors
Surveillance: CCTV monitoring of all entry points
Clean Desk Policy: Mandatory clean desk and screen lock policies
Secure Storage: Locked storage for sensitive documents
Physical Access: Biometric access controls
Environmental Controls: Temperature, humidity, and power monitoring
Fire Suppression: Advanced fire detection and suppression systems
Security Guards: 24/7 on-site security personnel
Regular Assessments: Quarterly compliance assessments
Gap Analysis: Identification and remediation of compliance gaps
Policy Updates: Regular updates to reflect regulatory changes
Training Programs: Compliance training for all staff
Internal Audits: Regular internal security audits
External Audits: Annual third-party security assessments
Penetration Testing: Quarterly penetration testing
Certification Programs: Working toward ISO 27001 and SOC 2 certification
Mean Time to Detection (MTTD): Average time to detect security incidents
Mean Time to Response (MTTR): Average time to respond to incidents
Vulnerability Metrics: Time to patch critical vulnerabilities
Security Training Completion: Percentage of staff completing training
Compliance Score: Overall compliance with security frameworks
Monthly Security Reports: Executive summary of security posture
Incident Reports: Detailed analysis of security incidents
Compliance Reports: Status of regulatory compliance
Customer Reports: Security status reports for enterprise customers
Security Team
Security Officer: Saurabh Srivastava
Email: security@actuals.co.in
Phone: +91 8073 879 031
Emergency: security-emergency@actuals.co.in

Security Assurance
This document represents our current security posture and is updated regularly to reflect improvements and changes to our security program. For the most current information or specific security questions, please contact our security team.