Security

§01Our approach

Security at Acerti is built on three principles:

• Least privilege by default. No one — consultant, manager, or executive — has standing access they do not need.
• Defence in depth. No single control is relied upon. Identity, network, endpoint, application, and data controls are layered.
• Auditable everything. Access decisions, sub-processor changes, code commits, and incidents are logged and retained.

Acerti is a US Delaware LLC; our LATAM subsidiaries follow the same security policy regardless of country of operation.

§02Frameworks & audits

• SOC 2-aligned controls across all five Trust Services Criteria (security, availability, processing integrity, confidentiality, privacy).
• SOC 2 Type II — engaged with auditor; report targeted for 2027.
• ISO 27001 — ISMS established; certification targeted for 2027.
• GDPR & UK GDPR — Standard Contractual Clauses and UK IDTA in place for transfers.
• CCPA / CPRA — processor commitments per our DPA.
• Quebec Law 25 & PIPEDA — compliant for Canadian client engagements.
• Annual third-party penetration test on our public surface and engagement-management systems.
• Quarterly internal access reviews across all systems with production access.

§03Access control & identity

• Single sign-on via Okta for every Acerti system. No shared logins, ever.
• Multi-factor authentication required on all accounts. Phishing-resistant factors (WebAuthn, hardware keys) for any role with production access.
• Zero-trust network access — no perimeter VPN. Access is per-application, contextual, and continuously evaluated.
• Role-based access control with documented joiner-mover-leaver workflows. Access is removed within four working hours of role change or separation.
• Just-in-time elevation for sensitive operations; standing admin access is the exception, not the rule.
• Privileged access logged and reviewed quarterly.

§04Endpoint security

• Every device with access to client or company data is enrolled in our endpoint management programme.
• Full-disk encryption enforced (FileVault on macOS, BitLocker on Windows).
• EDR agent installed and monitored centrally; alerts triaged within one business hour.
• Automatic OS and application patching with maximum patch latency targets.
• Screen-lock and idle-timeout policies enforced.
• Removable-media use is restricted by policy and logged.

§05Data protection

• Encryption in transit: TLS 1.2+ on all public endpoints; mutual TLS for inter-service traffic where possible.
• Encryption at rest: AES-256 on all managed storage. Key management uses cloud-native KMS with rotation.
• Data segregation: client data is logically separated by engagement; no co-mingling across clients.
• Backups: daily snapshots of critical systems, encrypted, with documented restore testing every six months.
• Data minimisation: we collect what we need to deliver the engagement and nothing more.

§06Application & code security

• Source-code reviews required on every change to production code; AI-assisted review augments human review.
• Static analysis & dependency scanning on every pull request; vulnerable dependencies block merge.
• Secrets management — no secrets in source. All credentials live in a centrally-managed vault.
• OWASP Top 10 mitigations baked into our build templates and reviewed during architecture sign-off.
• Production deploys require change tickets and a second-pair sign-off.

§07People & training

• Background checks on every consultant before they start an engagement, calibrated to local law.
• NDA at contract signing for every Acerti staff member and contractor.
• Security awareness training within the first week of joining and annually thereafter, covering phishing, data handling, secure remote work, and incident reporting.
• Role-specific training for engineers (secure coding) and for staff handling personal data (GDPR/CCPA basics).
• Acceptable-use, BYOD, and remote-work policies signed by everyone with system access.

§08Vendor & sub-processor management

• Every sub-processor goes through a documented security review covering compliance certifications, data location, and breach history.
• Data Processing Agreements (or equivalent) in place with every sub-processor handling personal data.
• Annual review of all critical vendors.
• A current sub-processor list is available on request — see our Privacy Policy for the categories.

§09Incident response

• Documented incident-response plan with defined severities, roles, and escalation paths.
• Initial response within 1 hour of detection of a high-severity incident.
• Client notification within 72 hours for incidents involving personal data, per GDPR Article 33; faster for material incidents per our DPA.
• Post-incident review on every Sev-1 and Sev-2 incident, with findings shared with affected clients.
• Tabletop exercises run twice a year.

§10Business continuity & disaster recovery

• BCP/DR plan reviewed annually, covering loss of office, loss of key cloud region, loss of key personnel.
• Multi-region cloud architecture for all internal critical systems.
• RTO ≤ 4 hours and RPO ≤ 24 hours for tier-1 internal systems; client RTO/RPO are defined per SOW.
• Cyber-insurance policy in force.

§11Working in your environment

When our consultants work inside your systems (your SSO, your repositories, your data) we follow your security controls. We do not export client data to Acerti-managed storage unless explicitly agreed.

• Client-issued laptops, VDI, or sandboxed access supported.
• Consultant offboarding within four working hours of an engagement ending.
• Logs of consultant activity in client environments belong to the client.

§12Reporting a vulnerability

If you believe you have found a security vulnerability in acerti.com or any Acerti-operated system, please write to security@acerti.com with reproduction steps. We acknowledge reports within one business day and aim to remediate confirmed issues within the timelines defined by severity. We do not pursue good-faith researchers.

§13Contact