Home / SupportYourApp Security

Enterprise-Grade Security Behind Every Support Interaction

At SupportYourApp, security comes first. We run a full stack of controls across every client project, maintained by certified engineers and verified annually by independent auditors.

SupportYourApp Security

Ultimate Security

pci
ccpa
gdpr
iso

Administrative Controls

How we govern access, respond to risk, and keep every process
documented and accountable across the organization.

Data Classification Process

We organize all our data by relevant categories, so they may be used and protected more efficiently. It also makes data easier to locate and retrieve. Data classification is of particular importance when it comes to risk management, compliance, and data security. The procedure for classifying all data is documented in high-level documents.

Data Classification Process

Need to Know Basis Principle

Regardless of their security clearance level or other approvals, all our staff only have access to the information required by their job functions. Anyone who wants to gain more authority or a higher level of access must receive an approval from the Corporate Security.

Need to Know Basis Principle

Business Continuity and
Disaster Recovery Plan

We use Business Continuity and Disaster Recovery procedures to minimize the effects of outages and disruptions on business operations and to enable our company to get back on its feet after issues occur. With their help, we reduce the risk of data loss and reputational harm, and improve operations while decreasing the chance of emergencies. This procedure is documented, and we resort to it only in case of serious incidents.

Business Continuity and<br /> Disaster Recovery Plan

Risk Assessment Process

The main purpose of risk assessment for us is to help our Corporate Security and Technology Departments identify any event that could negatively affect our organization generally

Risk Assessment Process

Staff Verification and
Onboarding Process

When a person passes all interview stages and gets a job offer, they come to the onboarding stage. We review each potential candidate’s history to confirm their professional background and appropriate work experience required for the position. Background check is also a part of the verification process. With its help, we find out if a person has had issues with the law or has a criminal record, which is very important for working with highly secured each department in particular. Based on the ISO/IEC 27001:2022 standard requirements, we conduct an annual risk assessment of all departments. This helps us be sure that every department's operations are safe, secure, and cannot become the sources for leaks and breaches.

Staff Verification and<br /> Onboarding Process

Incident Response Plan

We have an Incident Response Team that responds to each incident in a timely and continuous manner and monitors the incidents that have already occurred. Incidents can be detected by our IPS/IDS and DLP systems, or personally by management at the time of the incident’s occurrence. Each incident goes through a life cycle, from identifying to closing and taking countermeasures. Each incident is documented, which helps us track its current status and take measures to keep it from reappearing in the future projects.

Incident Response Plan

Security Awareness and Training Process

All members of the SupportYourApp team receive appropriate security awareness education, training, and regular updates in organizational policies and procedures, as relevant for their job functions. Our awareness program includes training for staff of all positions in different formats (presentations, videos, etc.), verification of the learned material, phishing simulations that simulate scam/spam/fraud attempts and regular awareness mailing. Each team member has their own risk score and dashboard so that they can be monitored by Corporate Security.

Security Awareness and Training Process

Logical Controls

The technical systems that control who gets in, what they can do, and
what leaves our environment.

Logical Controls
  • SIEM (Security Information and Event Management)

    A dedicated Security Engineer monitors system activity through our SIEM platform around the clock. Events and alerts are analyzed in real time. Critical incidents trigger immediate notification and response. The SIEM is owned and operated by the Corporate Security department.

  • NGFW and ZTNA (Zero Trust Network Access)

    NGFW, our Next-Generation Firewall, is the infrastructure layer behind our Zero Trust model. ZTNA works on a simple principle: never trust, always verify. Before any connection is granted, the system checks:

    • Who the user is
    • What device they are on
    • What they are trying to access
    • Whether the context meets active policy

    Our Security Engineer monitors all network traffic and responds to anomalies. The NGFW also handles web filtering, intrusion prevention, and controls over browsing resources. ZTNA can be deployed on both corporate and personal devices.

    Use case: this is the recommended control for remote teams and hybrid work arrangements.

  • Data Encryption

    Data is encrypted in transit and at rest. Transit encryption covers both remote and office work environments. Encryption at rest applies to office setups and our SupportCRM platform.

  • DLP (Data Loss Prevention)

    DLP is the system that monitors, detects, and blocks the unauthorized transmission of data, helping protect confidential information. Can be installed only on SupportYourApp’s corporate devices.

    DLP is installed by System Administrators and managed by the Security Department. For remote teams, it can run on corporate VDI instead of the local device.

    Required for PCI DSS projects. Strongly recommended for HIPAA workstreams, KYC, and document validation.

  • MDM (Mobile Device Management)

    Every corporate device is enrolled in MDM from day one. Here's what it means in practice:

    • All devices managed from a single platform
    • Access restricted to approved applications only
    • Security updates pushed automatically
    • Application usage and browser policies enforced centrally
    • Remote configuration, lockdown, or shutdown available at any time
    • Zero-touch enrollment, no system admin involvement required at the device level
  • Role-Based Access Control (RBAC)

    Team members see only what their role requires. Nothing more. Access assignments are documented for every team member and reviewed during our internal audit cycle.

  • Multi-Factor Authentication (MFA)

    All internal system access requires MFA. A second verification layer sits between a user's credentials and anything sensitive. Stolen passwords alone are not enough to get in.

  • Password Policy

    Passwords are stored and managed in Passbolt only, to prevent unauthorized access and keep credentials out of emails, chats, and spreadsheets.

  • VDI (Virtual Desktop Infrastructure) on AWS

    VDI changes the risk profile of remote work. Instead of data living on a consultant's device, everything is stored on secure cloud servers hosted on AWS. This matters when a device gets lost, stolen, or compromised.

    What VDI delivers:

    • Centralized storage and processing on secure servers
    • An isolated work environment in the security cloud
    • Secure working from personal devices without exposing client data
    • A deployment path for DLP on remote teams
    • Reduced leakage risk during user interactions with sensitive information
  • CrowdStrike EDR (Endpoint Detection and Response)

    Traditional antivirus looks for known threats. CrowdStrike Falcon looks for behavior. Using AI-driven analytics and a graph database, it tracks patterns across every endpoint in real time. Unusual activity gets flagged before it becomes a breach.

Trusted by 250+ companies
across 30+ countries

Physical Controls

The on-site measures that protect our offices, our equipment, and the
people on our team.

CCTV and Access Cameras

CCTV and Access Cameras

Every SupportYourApp office runs closed-circuit camera coverage across the full perimeter. If an incident happens, we can reconstruct what led to it. The cameras serve another purpose: they scare off potential intruders.

Physical Security Zones

Physical Security Zones

Our offices are divided into security zones with a clear access hierarchy. The higher the sensitivity, the stricter the access. Data processing happens only in specially equipped zones where getting in requires biometric verification. Every team member carries a badge. No visitors on-site without prior authorization.

Compliance Controls

The frameworks we operate under and the internal processes
that keep us aligned with them year over year.

Internal Audit

Once a year, every department goes through a full internal audit and risk assessment. The audit surfaces gaps, checks whether controls are working, and confirms alignment with both internal policy and external regulations. What we find shapes where security investment goes next.

GDPR, CCPA, and HIPAA

SupportYourApp meets GDPR, CCPA, and HIPAA requirements. This covers the collection, storage, processing, and deletion of personal data across client projects.

gdpr

GDPR: in the
European Union

ccpa

CCPA: in the State of
California, United States

hippa

HIPAA: across US
healthcare businesses

If your business operates under any of these frameworks, our controls are already built for it. Data processing agreements are available for every client. The compliance program is updated as regulations change.

Sup Team

Certifications

Independent verification of our security posture, conducted annually
by third-party auditors.

PCI

PCI DSS Level 1 and Level 2 Service Provider

SupportYourApp holds PCI DSS Level 1 certification, verified by an external auditor — the highest tier of payment data security in the industry. We also maintain a Level 2 PCI DSS SAQ-D (self-assessed) compliance for merchants who process between 1 and 6 million transactions annually. Depending on your volume and requirements, we can operate under either standard.

ISO

ISO/IEC 27001:2022 Compliance

ISO/IEC 27001:2022 is the international standard for information security management. Our certification covers security policies, SIEM monitoring, incident response, and team-wide training. It is renewed through independent third-party audits, not self-assessment. For clients in regulated industries, it is the clearest signal that their customers’ data will stay safe with us.

For instance client-logo client-logo client-logo client-logo client-logo client-logo client-logo client-logo is working with us

Contact Us Now