How Pisys secures customer data on AWS

Peter Henderson

11/02/2026

This article is part of a series on how Pisys approaches data security. Read 'Pisys Security Approach' to learn more.

When you use Pisys hosted services, we treat your data like a protected asset: we focus on confidentiality (only the right people can access it), integrity (it stays accurate and uncorrupted), and availability (it’s there when you need it).

Here’s what that looks like in practice on AWS.

Locked-down AWS network design (so systems aren’t “open to the internet” by default)

Pisys hosts customer-facing/hosted services on AWS inside a Virtual Private Cloud (VPC) and uses standard controls like load balancers plus protective layers such as AWS WAF (Web Application Firewall). We also use VPN and client VPN services where appropriate.

Strong access control and “need-to-know” permissions

Access is limited to people who have a legitimate business need, and we use strict access controls for sensitive systems and information.

We also implement multi-factor authentication (MFA) as part of secure authentication.

Encryption to protect data in transit and at rest

Customer data is encrypted:

  • In transit (when moving between systems/users), and
  • At rest (when stored)

using industry-leading algorithms.

Monitoring and detection (spot issues early)

We continuously monitor critical systems and infrastructure for anomalies or signs of compromise, and use tooling to support detection and response.

Backups and recovery testing (so data can be restored)

We maintain regular backups of critical information assets, including replication to a backup site, and we **verify backup integrity** by performing recovery tests.

Business continuity and disaster recovery (keep services running)

Pisys maintains documented Business Continuity and Disaster Recovery planning, including:

  • Incident response steps (activation, containment, eradication, recovery, and post-incident review), and
  • Regular testing/exercises.

Customer and asset data are stored in the cloud and accessible remotely, supporting continuity when disruptions occur.

Vulnerability reporting and coordinated response

If a security issue is discovered, we provide a clear vulnerability disclosure process via our Support team, including acknowledgement within 5 business days and a defined triage/investigation/resolution workflow.

Data retention rules (keep data only as long as needed)

We follow documented retention periods and secure disposal guidance to reduce risk and support compliance. Backup retention/cycles can be agreed with the client.

Governance and assurance (ISO 27001)

Pisys holds ISO 27001 certification and undergoes annual audits plus monthly internal audits and annual management reviews to help us continuously improve our security processes and culture.

Needed for Procurement?

The table below contains links to public domain documents which describe our security processes. Please contact us for any additional detail.

Document Description
Anti Slavery policy
Anti-Corruption policy
ISO27001:2022 Recertification Report
Business Continuity plan
Data Backup policy
Data Protection policy for Hosted Services
Data Retention policy
Disaster Recovery policy summary
Pisys Information Security policy summary
Simplified Architecture diagram
Vulnerability Disclosure policy