Security & Compliance

How Securapilot systematically works with information security

Version 1.0 - Last updated: 2026-01-15

Introduction

As a SaaS provider in risk management and compliance, security is a cornerstone of our business. This document describes Securapilot's systematic approach to information security and how we ensure compliance with international standards and frameworks.

Our framework covers all of Securapilot's SaaS platform, including:

  • Application and database infrastructure
  • Network security and access control
  • Monitoring and incident management
  • Backup and continuity planning

Security Organization

Securapilot has clearly defined roles for security work:

Role                  Area of Responsibility
System Administrator  Overall responsibility for operations, security and compliance
Operations Engineer   Operational management, patching, monitoring and incident handling
Security Officer      Security hardening, vulnerability management and compliance controls

Governing Documentation

  • Information security policy
  • Security plan for patching, monitoring and hardening
  • Incident handling procedures
  • Backup and recovery plan
  • Business continuity planning (BCP/DR)

Security Controls and Measures

Patch Management

Objective: Minimize exposure time for vulnerabilities through systematic and automated patching.

  • Automatic installation of security updates on all servers
  • Kernel updates applied on a weekly cadence, or out of cycle for critical vulnerabilities
  • Application updates tested in staging environment before production
  • Critical vulnerabilities (CVSS score 9 or above) handled urgently within 24 hours

Monitoring and Alerting

Objective: Proactive identification of anomalies and ensuring high availability.

  • Continuous monitoring of system resources (CPU, memory, disk, network)
  • Centralized log management for forensic analysis
  • Real-time visualization via dashboards
  • Automatic alerts at defined thresholds
  • External availability monitoring

Security Hardening

Objective: Minimize the attack surface through systematic hardening according to industry standards.

  • Based on CIS Benchmarks for Ubuntu Linux
  • Separation of system partitions with secure mount options
  • Disabling of unnecessary services
  • Network hardening and strict access control

Network Security:

  • Firewall with default-deny policy
  • Whitelisting of allowed services and IP addresses
  • Automatic blocking on suspicious activity
  • Segmentation between different environments

Access Control:

  • Multi-factor authentication for administrative access
  • Key-based SSH authentication (passwords disabled)
  • Principle of least privilege for all user accounts
  • Regular review of permissions

Vulnerability Management

Objective: Continuous identification and remediation of security weaknesses.

  • Monthly automated security scans
  • Quarterly manual penetration testing
  • Continuous monitoring of security bulletins
  • Structured process for risk assessment and prioritization
  • Follow-up and verification of all remediated vulnerabilities

ISO 27001 - Information Security

Securapilot's security work is structured according to ISO/IEC 27001:2022 and covers all mandatory controls in Annex A.

ISO 27001 Control                          Implementation                                   Status
A.5.1  Information security policy         Documented and approved security policy          Implemented
A.5.15 Access control                      MFA, RBAC, principle of least privilege          Implemented
A.8.8  Technical vulnerability management  Automated patching + monthly scans               Implemented
A.8.9  Configuration management            CIS Benchmarks, version control                  Implemented
A.8.12 Data leakage prevention             DLP controls, encryption, network segmentation   Implemented
A.8.16 Monitoring activities               Prometheus/Grafana, centralized logging          Implemented

ISMS Processes (Plan-Do-Check-Act)

  • Plan: Risk assessment, control selection and security objectives
  • Do: Implementation of controls and security measures
  • Check: Internal audit, monitoring and measurement
  • Act: Corrective actions and continuous improvement

SOC 2 - Trust Service Criteria

Securapilot is working towards SOC 2 Type II certification according to AICPA Trust Service Criteria.

Criterion             Application                                         Priority
Security              Mandatory - Protection against unauthorized access  High
Availability          System availability according to SLA                High
Processing Integrity  Correct and complete data processing                Medium
Confidentiality       Protection of business-critical information         High
Privacy               GDPR compliance for personal data                   High

Path to SOC 2 Type II

  • Q1 2026: Gap analysis & technical controls
  • Q2 2026: Documentation & readiness
  • Q3-Q4 2026: Observation period & audit

GDPR - Data Protection

As a data controller for personal data, Securapilot complies with GDPR.

Technical and Organizational Measures (Article 32)

  • Encryption of data at rest and in transit
  • Pseudonymization where applicable
  • Continuous security monitoring
  • Regular testing of security measures
  • Processes for data protection by design and by default

Data Protection Rights

  • Documented processes for data subject rights
  • Automated handling of access, rectification and erasure requests
  • Portability in standardized formats
  • Breach notification procedure (72 hours)

Incident Management

Structured process for security incidents:

  1. Detection - Automatic through monitoring or manual reporting
  2. Classification - Assessment of severity and impact
  3. Containment - Immediate measures to limit damage
  4. Eradication - Elimination of root cause
  5. Recovery - Return to normal operations
  6. Lessons Learned - Documentation and improvement measures

Business Continuity & Disaster Recovery

Backup Strategy

  • Frequency: Daily automated backups
  • Retention: 30-day rolling retention + monthly archives
  • Geographic separation: Backups in different data centers/regions
  • Encryption: All backups encrypted at rest and in transit
  • Testing: Quarterly restoration tests

Objectives

  • RTO (Recovery Time Objective) for critical systems: < 4h
  • RPO (Recovery Point Objective) for transaction data: < 1h

Secure System Development

Security is integrated throughout the development process through our Secure Development Lifecycle (SDL):

  • Design: Threat modeling and security architecture
  • Development: Secure coding practices and code review
  • Testing: Security testing and vulnerability scans
  • Deployment: Secure configuration, minimal attack surface
  • Operations: Continuous monitoring and patching

Physical Security

  • Data centers with certified security controls (ISO 27001, SOC 2)
  • Redundant power sources and cooling systems
  • 24/7 monitoring and intrusion detection
  • Controlled physical access with logging
  • Fire protection and disaster preparedness

Contact Us

For questions about Securapilot's security work, please contact:

Security Officer

Email: security@securapilot.se

General Inquiries

Email: info@securapilot.se

Glossary

Term           Description
CIS Benchmark  Center for Internet Security - standardized security configurations
CVSS           Common Vulnerability Scoring System - standard for vulnerability assessment
MFA            Multi-Factor Authentication
RBAC           Role-Based Access Control
RTO            Recovery Time Objective - maximum acceptable downtime
RPO            Recovery Point Objective - maximum acceptable data loss
