
Technical and organisation measures


DEPOWISE TECHNICAL & ORGANISATION MEASURES (TOM)

Last modified: 11 August 2025

This document outlines the Technical and Organizational Measures (TOMs) implemented by Depowise to ensure the security and availability of its managed service and maintain compliance with applicable laws and regulations. These measures align with industry best practices and regulatory requirements, including ISO 27001, SOC 2, GDPR, and DOA. The technical and organisational measures are continuously reviewed and updated to address emerging security threats and evolving regulatory requirements.

For further details, contact info@depowise.com.


1. Technical Measures

1.1 Access Control & Authentication

Role-Based Access Control (RBAC): Users are granted the minimum level of access required for their roles.

Multi-Factor Authentication (MFA): Required for all administrative and sensitive system access and enabled across the company.

Strong Password Policies: Enforced password complexity and expiration rules.

Session Management: Automatic session timeouts and re-authentication for critical actions.

1.2 Data Protection & Encryption

Encryption in Transit: All data is encrypted using TLS 1.2/1.3.

Encryption at Rest: Data stored using AES-256 encryption.

Key Management: Secure handling of cryptographic keys using managed Key Vaults.

Data Masking & Tokenization: Protection of personally identifiable information (PII) through anonymization.

1.3 Secure Software Development (DevSecOps)

Secure Coding Standards: Adherence to OWASP Top 10 security guidelines.

Automated Security Testing: Integration of SAST, DAST, and SCA into CI/CD pipelines.

Code Reviews: Mandatory security reviews before deployment.

Third-Party Library Scanning: Regular vulnerability assessments of external dependencies.

1.4 Infrastructure Security & Network Protection

Firewall & Network Segmentation: Isolation of development, staging, and production environments.

Zero Trust Architecture (ZTA): Authentication and validation for all users and devices.

SIEM & Logging: Centralized log monitoring.

Endpoint Security: Use of XDR and MDM solutions for device protection.

1.5 Incident Response & Business Continuity

Automated Threat Detection: Use of IDS/IPS and anomaly detection systems.

Backup & Disaster Recovery (DR): Regular encrypted backups stored in multiple secure locations.

Incident Response Plan: Predefined procedures for detecting, responding to, and recovering from security incidents.

1.6 Compliance & Auditing

Regular Security Audits: Internal and third-party assessments to maintain compliance.

Penetration Testing: Conducted periodically to identify and mitigate vulnerabilities.

Access & Activity Logging: All critical system actions logged for forensic analysis.

 

2. Organizational Measures

2.1 Security Awareness & Training

Regular Employee Training: Security awareness training for all employees.

Phishing Simulations: Periodic testing to enhance awareness of social engineering threats.

2.2 Policies & Governance

Information Security Policy: Defines security responsibilities and access controls.

Privacy Policy: Ensures compliance with GDPR.

Acceptable Use Policy (AUP): Defines the permitted use of company IT systems and data.

2.3 Vendor & Third-Party Risk Management

Vendor Security Assessments: Evaluation of third-party providers before integration.

Third-Party Security Agreements: Security and compliance clauses included in contracts.

Continuous Monitoring: Ongoing assessment of third-party security postures.

2.4 Continuous Improvement & Risk Management

Regular Risk Assessments: Ongoing identification and mitigation of security risks.

Security Monitoring: Continuous tracking of security threats using SIEM, IDS/IPS, and anomaly detection.

Bug Bounty & Responsible Disclosure: Encouragement of ethical hacking to improve security.
