Granular Access
Managed Perimeter
Protected Channels
Total Traceability
Our Approach
Our Security Principles
Zero-Trust & Least Privilege
We apply a least-privilege mindset to data access:
This reduces the surface area of risk and supports disciplined stewardship of your information.
Controlled Environments
We distinguish between “someone working from somewhere” and a controlled environment:
The goal is to ensure your data is processed in predictable, governed conditions, not scattered across random endpoints.
Monitored & Auditable Workflows
Where systems allow, we design workflows so that activity is traceable:
When you need to review how work was done, we want you to see evidence, not just assurances.
Secure Tooling & Data Handling
We prioritize reputable, security-conscious tools for communication and file handling:
We also work with you to set data handling rules such as:
- What can and cannot be stored locally
- Retention expectations for working files
- Anonymization or pseudonymization where appropriate for training or testing
Governance & Alignment
Our governance framework is built to align with global best practices. We maintain strict incident response protocols, business continuity plans (BCP), and data privacy policies to withstand your due diligence process.
Frequently Asked Questions
Where is our data stored and processed?
By default, our operating model is designed so that your data remains stored in your own environment or in US-based cloud infrastructure and is accessed remotely by our delivery teams through secure, controlled channels.
In practical terms, that means:
- Data at rest – Your data is stored in systems you control (or in agreed US-based cloud systems).
- Access from delivery centers – Our teams typically work through secure, cloud-based VDI or similar controlled environments, so they can view and process records without downloading or copying them to local devices.
- No local offline copies – Our standard is that client data is not saved, synced, or exported to personal endpoints.
In some cases, especially for large enterprises or regulated clients, we may work directly inside your systems under your existing access and logging controls.
If you have specific data residency or cross-border access requirements (e.g., “US-only access” or “region-restricted”), we can discuss this during onboarding and design the engagement to align with those constraints.
How do you control who can see our data?
We apply a least-privilege approach:
- Access is granted based on role and responsibility, not convenience.
- Team members only see the data they need to perform their tasks.
- Where systems support it, we use named accounts and avoid shared logins.
We also align with your own access guidelines wherever feasible.
Can you work with our preferred security tools (VDI, SSO, VPN, etc.)?
In most cases, yes.
- If you already use your own VDI solution, SSO, VPN or zero trust platform, we can connect through your existing stack, subject to your policies.
- If you prefer CapSigma to provide the environment, we use the Microsoft 365 and Windows 365 stack as our default platform, with MFA, encryption and logging enabled.
We will work with your security and IT teams to agree on the simplest secure setup that fits your standards.
Are you SOC 2 / ISO certified?
We are building towards formal certifications such as SOC 2 / ISO 27001, and we design our internal controls with those frameworks in mind.
We do not claim certifications we do not hold. Instead, we provide:
- Documented policies and procedures
- Training and acknowledgment records
- Access reviews and other evidence to support your vendor due diligence
As our certification status evolves, we will update this page with accurate, current information.
How do you handle security incidents or suspected issues?
We maintain:
- A documented incident response procedure
- Internal escalation paths if an issue is suspected
- A commitment to notify you promptly if we become aware of an incident that affects your data, consistent with our contractual obligations
We work with you to align on what “incident” means in your context and how communication should flow.
How long do you retain our data?
We follow data retention rules agreed with you during onboarding, which typically specify:
- What we may temporarily store
- For how long
- Where and how it should be deleted or archived
We aim to keep retention no longer and no broader than necessary to support the agreed work.