Last updated · April 2026
Security

How we secure client data.

Encryption, access controls, vendor management, and incident response. The detail your CIO will want; the plain-English version your partner will read.

On this page
  1. Security program
  2. Data protection
  3. Access & identity
  4. Infrastructure
  5. Vendor management
  6. Monitoring & logging
  7. Incident response
  8. Business continuity
  9. Certifications
  10. Vulnerability disclosure
  11. Contact

Security program

A written information security program ("WISP") owned by the Head of Security and reviewed quarterly by the partners.

The program is mapped to SOC 2 Trust Services Criteria and the NIST Cybersecurity Framework, with HIPAA Security Rule controls layered on for engagements that handle PHI. Policies are reviewed at least annually; exceptions require partner-level approval and are time-bound.

Data protection

Encryption in transit and at rest, by default, on every system that touches client data.

  • In transit: TLS 1.2 minimum, TLS 1.3 preferred. HSTS enforced on all public-facing surfaces. No plain-text protocols.
  • At rest: AES-256 for storage volumes, object stores, and backups. Customer-managed keys available on enterprise plans.
  • Segregation: Each client tenant is logically isolated. Production data does not cross client boundaries; non-production environments use synthetic or anonymised data.
  • Backups: Daily encrypted backups, retained 35 days, with quarterly restore drills.
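The "in transit" commitments above (TLS 1.2 minimum, TLS 1.3 preferred, HSTS enforced) are the kind of claim a client's security team can verify from the outside. The following is an added example, not Famaash's own code or tooling: a small policy checker that takes the TLS version negotiated with a host and the response headers it returned, parses the Strict-Transport-Security header, and reports failures and warnings against the stated policy. The one-year HSTS max-age floor and the includeSubDomains warning are assumptions, since the page states no figures for them; the sample responses are constructed, not captured from any real host.

```python
import re
from dataclasses import dataclass, field

# Policy as stated on the page: TLS 1.2 minimum, TLS 1.3 preferred, HSTS enforced.
MIN_TLS = (1, 2)
PREFERRED_TLS = (1, 3)
# Assumption: an HSTS max-age floor of one year (the page states no number).
MIN_HSTS_MAX_AGE = 31_536_000


@dataclass
class TransportCheck:
    ok: bool                                       # True when no "fail" finding was raised
    findings: list = field(default_factory=list)   # (severity, message) tuples, in check order


def parse_tls_version(name):
    """Turn 'TLSv1.2' / 'TLS1.3' into a comparable (major, minor) tuple."""
    m = re.fullmatch(r"TLSv?(\d)\.(\d)", name.strip())
    if not m:
        raise ValueError(f"unrecognised TLS version string: {name!r}")
    return int(m.group(1)), int(m.group(2))


def parse_hsts(header):
    """Parse a Strict-Transport-Security value into {directive: value or True}."""
    directives = {}
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        # Valueless directives such as includeSubDomains are recorded as True.
        directives[name.strip().lower()] = value.strip().strip('"') or True
    return directives


def check_transport(negotiated_tls, headers):
    """Evaluate one response against the policy; returns a TransportCheck."""
    findings = []
    version = parse_tls_version(negotiated_tls)
    if version < MIN_TLS:
        findings.append(("fail", f"TLS {version[0]}.{version[1]} negotiated; below 1.2 minimum"))
    elif version < PREFERRED_TLS:
        findings.append(("warn", "TLS 1.2 negotiated; 1.3 preferred"))

    # Header names are case-insensitive, so normalise before lookup.
    lowered = {k.lower(): v for k, v in headers.items()}
    hsts_raw = lowered.get("strict-transport-security")
    if hsts_raw is None:
        findings.append(("fail", "no Strict-Transport-Security header"))
    else:
        hsts = parse_hsts(hsts_raw)
        try:
            max_age = int(str(hsts.get("max-age", "")))
        except ValueError:
            max_age = None
        if max_age is None:
            findings.append(("fail", "HSTS max-age missing or not an integer"))
        elif max_age < MIN_HSTS_MAX_AGE:
            findings.append(("fail", f"HSTS max-age {max_age} below {MIN_HSTS_MAX_AGE}"))
        if "includesubdomains" not in hsts:
            findings.append(("warn", "HSTS lacks includeSubDomains"))

    ok = not any(sev == "fail" for sev, _ in findings)
    return TransportCheck(ok, findings)


# Constructed sample responses (not captured from any real host).
SAMPLES = {
    "compliant": ("TLSv1.3", {"Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload"}),
    "legacy_tls": ("TLSv1.1", {"Content-Type": "text/html"}),
    "weak_hsts": ("TLSv1.2", {"strict-transport-security": "max-age=300"}),
}

if __name__ == "__main__":
    for label, (tls, hdrs) in SAMPLES.items():
        result = check_transport(tls, hdrs)
        print(label, "PASS" if result.ok else "FAIL", result.findings)
```

In practice the two inputs come from a real connection: `ssl.SSLSocket.version()` gives the negotiated protocol and the response object gives the headers. Keeping the evaluation separate from the network call makes the policy itself testable offline, which is what a quarterly control check wants.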

Access & identity

Least-privilege role-based access, multi-factor on every administrative surface, no shared accounts.

  • SSO: SAML 2.0 single sign-on for staff. Hardware-key MFA required for all privileged accounts.
  • RBAC: Roles defined per engagement. Access reviewed quarterly. Departures trigger same-day revocation.
  • JIT elevation: Standing production access is the exception. Elevation requests are logged, time-bound, and partner-approved.
  • Endpoint: Disk encryption, EDR agent, MDM enrollment, automated patching. Personal devices cannot access client data.

Infrastructure

Production runs on hyperscale cloud providers in US regions, with environment isolation and infrastructure-as-code change control.

Network segmentation is enforced at VPC and service-mesh layers. Private services are not internet-exposed. WAF and DDoS protection are enabled on every public endpoint. Secrets are stored in a managed vault, never in source control. All infrastructure changes flow through pull-request review and automated security scanning.

Vendor management

Every subprocessor that touches client data is reviewed before engagement and re-reviewed annually.

Reviews cover SOC 2 reports, data-handling commitments, breach-notification terms, and termination provisions. Subprocessors that handle PHI sign BAAs. The current subprocessor list is available to clients on request and is updated whenever a material change occurs, with 30 days’ notice.

Monitoring & logging

Centralised, immutable audit logs covering authentication, privilege changes, data access, and infrastructure modification.

Logs are retained for 12 months in a write-once store and shipped to a SIEM with 24/7 alerting on the highest-risk events. Anomaly detection is layered on top of rule-based alerts. We test alerting paths quarterly with simulated events.

Incident response

A documented incident-response plan with named on-call roles, escalation paths, and client-notification timelines.

  • Detection: SIEM alerting, EDR telemetry, and on-call rotation. Time-to-acknowledge target: 15 minutes.
  • Containment: Account isolation, credential rotation, network segmentation. Forensic evidence is preserved.
  • Notification: Affected clients are notified within 72 hours of confirmation, sooner if required by contract or by HIPAA.
  • Post-incident: Written root-cause analysis with corrective actions, shared with affected clients on request.

Business continuity

Multi-region failover, tested annually. RPO 15 minutes, RTO 4 hours for tier-1 services.

Tabletop exercises are run twice a year covering ransomware, vendor outage, and key-personnel loss. Backups are tested quarterly with end-to-end restore drills, and results are reviewed by the partner group.

Certifications & assurance

SOC 2 Type II audit in progress; report issuance expected Q3 2026.

  • SOC 2 Type II: In progress. Audit firm engaged; controls in operation since Q4 2025. Report available under NDA on issuance.
  • HIPAA: Administrative, physical, and technical safeguards mapped. BAA available for healthcare engagements.
  • ISO 27001: Aligned. Formal certification scheduled for 2027.
  • Penetration testing: Annual third-party penetration test. Executive summary available under NDA. Critical findings remediated within 30 days.

Vulnerability disclosure

Responsible disclosure is welcomed. Email security@famaash.com with details and reproduction steps.

We acknowledge receipt within 2 business days, communicate triage status within 5 business days, and remediate critical findings within 30 days. We do not pursue researchers acting in good faith under coordinated disclosure.

Contact

Email security@famaash.com for security questions, audit requests, or vulnerability reports.

For SOC 2 reports and the subprocessor list, request through your engagement partner or the security team directly.

© 2026 Famaash LLC.