Security

How we secure the systems, code, and data we handle — for us and for our clients.

Updated 1 June 2026 · ~6 min read · Questions? hello@olystrix.com
Security is built in, not bolted on. Every system we architect and every line of code we write is reviewed through a security lens — from design to deployment.
  • AES-256: encryption at rest
  • TLS 1.3: encryption in transit
  • 24 hr: critical incident response
  • 72 hr: breach notification (GDPR)

OWASP Top 10 · GDPR · SOC 2 aligned · ISO 27001 aligned · Zero-trust principles · Pen-test ready

Security overview

Olystrix handles sensitive client data, source code, and production systems. We apply defence-in-depth across every layer: infrastructure, network, application, and human.

This page describes our practices. For a customised security questionnaire, signed attestation, or penetration-test report, contact hello@olystrix.com.

Infrastructure security

  • Cloud-native hosting: Services deployed on AWS/GCP/Azure. All regions selected for data residency compliance.
  • Encryption at rest: All data stores use AES-256 encryption. Encryption keys are rotated regularly and stored in dedicated KMS services.
  • Encryption in transit: TLS 1.3 enforced on all endpoints. HTTP traffic is permanently redirected to HTTPS.
  • Network controls: VPC isolation, security groups, private subnets for databases. Public exposure is minimised and reviewed.
  • Backups: Automated daily backups with point-in-time recovery. Backup integrity tested quarterly.
  • Patch management: OS and dependency patches applied within 14 days of release; critical patches within 48 hours.

Secure development lifecycle

  • Threat modelling during architecture design phase
  • OWASP Top 10 review checklist on all new features
  • Static analysis (SAST) and dependency vulnerability scanning in CI/CD pipelines
  • Required peer code review with security considerations before merge
  • Secrets scanning on every commit — credentials never committed to source control
  • Container images scanned for CVEs before deployment

Access control

  • Least privilege: Every role has only the permissions it needs. Access is reviewed quarterly and revoked immediately on offboarding.
  • Multi-factor auth: MFA enforced on all internal systems, cloud consoles, code repositories, and client-facing portals.
  • Secrets management: All credentials and API keys stored in dedicated secrets managers (e.g. AWS Secrets Manager, Vault). No plaintext secrets in config or code.
  • Device security: Endpoint protection and disk encryption enforced on all devices accessing client systems.

Data protection

  • Client data is never used for purposes beyond the agreed engagement
  • Production data is not copied to development environments without explicit written approval
  • Data is classified by sensitivity and handled according to classification level
  • All sub-processors are vetted and bound by data processing agreements
  • Data deletion is cryptographic or verified physical destruction upon request or contract end

Monitoring & alerting

  • Centralised logging: All system and application logs centralised. Retained for 90 days minimum with tamper-evident storage.
  • Real-time alerting: Automated alerts on anomalous login attempts, privilege escalation, and unusual data access patterns.
  • Intrusion detection: Network and host-level IDS/IPS deployed across infrastructure. Alerts routed to on-call rotation.
  • Audit trails: Immutable audit logs for all administrative actions, data access, and configuration changes.

Incident response

  • Detection (identify & contain): Alert triggers on-call engineer. Scope assessed; affected systems isolated within 1 hour of detection.
  • < 24 hrs (client notification): Affected clients notified of any incident that may impact their data or services.
  • < 72 hrs (regulatory notification): Where a personal data breach has occurred, supervisory authority notified within 72 hours (GDPR Art. 33).
  • Resolution (root cause & remediation): Root cause identified, fix deployed, and regression controls put in place.
  • Post-incident (written report): Incident report provided to affected clients, including timeline, impact, and preventative measures.

Compliance & standards

Olystrix aligns its practices with the following frameworks:

  • OWASP: Application security controls modelled on OWASP Top 10 and ASVS.
  • GDPR: Personal data handling, sub-processor management, and data subject rights aligned with UK/EU GDPR.
  • SOC 2: Controls aligned with SOC 2 Trust Services Criteria (security, availability, confidentiality).
  • ISO 27001: Information security management practices aligned with ISO/IEC 27001:2022.

Formal third-party certification is available for client projects that require it. Contact us to discuss requirements.

Vulnerability disclosure

Responsible disclosure is welcomed. If you discover a vulnerability in an Olystrix-operated system, please report it before public disclosure so we can address it.
  • Email: hello@olystrix.com with subject "Security Vulnerability"
  • We will acknowledge within 2 business days
  • We aim to remediate critical vulnerabilities within 7 days
  • We will not take legal action against researchers acting in good faith
© 2026 Olystrix Ltd. All rights reserved.