Apply security patches to internet-facing services, browsers and plugins within ML1 timeframes; remove unsupported apps.

Regular dependency updates, weekly patch cadence, prompt remediation of critical issues, and deprecation of unsupported packages.

Apply OS security patches within ML1 timeframes; remove unsupported OS versions.

Unattended-upgrades enabled; weekly OS patch window plus out-of-band for critical fixes.

Use MFA for remote/privileged access and important systems and services.

MFA enforced on cloud provider, CI/CD, database consoles and other privileged systems; customer MFA at signup and for available for sensitive information where applicable.

Limit admin privileges to those who need them, use separate admin accounts, and review regularly.

Least-privilege across environments; just-in-time access for sensitive actions with auditing; no standing production database admin sessions.

Implement application control to prevent execution of unapproved/malicious executables, scripts and libraries.

Only approved services and processes run on our hosts and restricts executive of executables, software libraries, scripts, compiled HTML, HTML applications and control panel applets.

Block macros from the internet and only allow vetted macros; prevent untrusted macro execution.

We do not use Office macros in any systems; customer documents are never executed; internal policy blocks internet-sourced macros.

Disable or remove Internet Explorer 11, no java or web advertisements from the internet, users cannot change web security settings.

Our workstations run Apple MacOS and do not include Internet Explorer. We do not run Java. We run adblockers in all browsers, and only admin can change web security settings.

Perform regular backups, protect them from compromise, and test restoration.

Postgres backups every 5 minutes with point-in-time recovery; AU-region storage; and periodic restore tests.