An engineering-grade overview of how Infosec Tools protects customer data — encryption, isolation, identity, application security, audit logging, and alignment with ISO 27001:2022, GDPR and NIS2.
Infosec Tools is built and operated by information security practitioners. Security is not a layer added on top — it is part of how the product is designed, written, deployed, and run every day.
Security-by-design
Threats considered before features are written, not after
Least-privilege defaults for every new capability
Failure modes designed to fail closed, not open
Security reviews are part of every change
ISMS-driven operations
Internal practices follow our own ISO 27001:2022 framework
The platform we build is the platform we use to govern ourselves
Incident, change, risk and access processes are documented
Practices reviewed and updated as the threat landscape evolves
02
Data protection & encryption
Customer data is protected in transit and in storage, and is never shared outside the platform.
Encryption in transit
TLS 1.2+ enforced on every connection
HTTP Strict Transport Security enforced platform-wide
HTTP requests are unconditionally redirected to HTTPS
Modern cipher suites delivered at the edge
Encryption at rest
Sensitive database fields encrypted at the application layer
Backups encrypted at rest by the storage provider
Secrets stored outside the application code, with restricted file permissions
Credentials are never logged or returned in API responses
Data minimisation
Only the data needed for the ISMS is collected and processed
No advertising trackers, no third-party analytics
No data shared with brokers or advertisers — ever
Customer data is never used to train AI/ML systems
03
Tenant isolation
Every customer runs in a fully separated environment. Data, files, credentials, and email identity are independent. There is no shared application instance and no shared database.
Separation at every layer
Dedicated database per customer (separate MySQL schema and credentials)
Dedicated filesystem per customer (separate UNIX user, no shared writeable paths)
Dedicated subdomain per customer with its own TLS certificate
Dedicated email identity per customer (own SES verified sender)
No data crossover
Application credentials are scoped to the customer's database only
One customer cannot read or write another customer's data — by architecture, not configuration
Audit trail is kept per tenant; cross-tenant queries are not exposed to the application
Backups are taken and restored per tenant, never as a single bulk export
04
Identity & access
Strong authentication is mandatory. Permissions are enforced both in the user interface and in the server-side controllers.
Authentication
Two-factor authentication via authenticator apps (Google Authenticator, Authy, 1Password, etc.)
SMS available as an alternative second-factor delivery method
Password complexity enforced (length, character classes, common-pattern rejection)
Forced-reset path for first login and admin-initiated rotation
Failed-login throttling per account and per IP
Session security
Session cookies are scoped, encrypted in transit, and protected against cross-site reuse
Session integrity verified on every request
Idle timeout enforced; sessions destroyed on logout
Session identifier rotated on privilege changes
Authorisation
Role-based access control with multiple profiles, including dedicated profiles for Auditors and Suppliers
Training videos protected by signed, expiring URLs — no permanent public links
Application assets served from the same domain
07
Audit & accountability
Every action a user takes is recorded. Records are designed to satisfy ISO 27001:2022 expectations and to be exportable for internal and external audit.
What is logged
Every action, recorded with actor, timestamp, IP, and context
Logins, login attempts, and 2FA events
Permission changes and privileged operations
Data creation, modification, deletion, and export
Document approvals, acknowledgments, and review cycles
How it is preserved
Audit trail entries are append-only
Impersonation events keep both the operator and the simulated user identifiable
History is preserved when records are deactivated, not destroyed
Audit data is exportable in standard formats for evidence collection
08
Backups & resilience
We back up customer data daily, store it independently of production, and test that we can restore it.
Backup strategy
Daily backups of databases and uploaded files
Stored encrypted in a separate location, geographically isolated from production
90-day retention enforced via lifecycle policy
Per-tenant scope — customers can be restored independently
Monitoring & recovery
Uptime monitored externally with alerting on failure
Error rates and slow paths reviewed regularly
Restore procedures documented and exercised
Service status communicated to affected customers when relevant
09
Privacy & regulatory alignment
Privacy is a first-class concern, not a checklist. Customer data belongs to the customer; we are processors, not owners.
GDPR
Data Processing Agreement available on request
Data subject rights honoured: access, export, rectification, erasure, portability
Privacy-by-design and privacy-by-default
Sub-processors are documented and reviewed
Notification of affected customers in line with GDPR Article 33 timelines
NIS2
Practices aligned with the EU Directive 2022/2555 on network and information security
Risk management, incident handling, and supplier security treated as ongoing obligations
Incident notification flow tested and documented
Designed to support customers operating in NIS2-regulated sectors
ISO 27001:2022
The platform is built around the controls and clauses of ISO 27001:2022
Internal operations follow the same ISMS we deliver to customers
Annex A controls drive the product roadmap
Evidence and audit artefacts are first-class outputs, not afterthoughts
Sub-processors
Amazon Web Services (Ireland) — backups (S3) and email (SES)
Cloudflare — edge security, WAF, DDoS protection
Bunny Stream — encrypted video delivery for training content
Customers receive prior notice of material changes to the sub-processor list
10
Standards & frameworks
We work to recognised standards. We are clear about what we are aligned with versus what we are certified to.
Standard
ISO 27001:2022
The platform is engineered around the clauses and Annex A controls. Internal practices follow the same ISMS framework.
Regulation
GDPR
Aligned with EU Regulation 2016/679. DPA available on request. Data residency in the EU by default.
Directive
NIS2
Practices aligned with EU Directive 2022/2555 — risk management, incident handling, and supplier security as ongoing obligations.
A note on certifications. We use the language aligned with deliberately. Where a third-party certification has been formally obtained, we will say so — and link to the certificate. We do not claim certifications we do not hold.
11
Reporting a vulnerability
If you believe you have found a security issue in Infosec Tools, please tell us. We take every report seriously and will follow up.
Found something? Let us know.
Use the contact form to report any potential security issue. Please include a brief description, steps to reproduce, and any evidence you can share. Mark the message as [SECURITY] in the subject line so it is routed appropriately.
Please act in good faith. Do not access, modify, or delete data that is not your own. Do not run automated scans that could disrupt service. Give us reasonable time to investigate and remediate before public disclosure. We will not pursue researchers who report issues responsibly.
Last updated: 14 May 2026Infosec Tools — operated by PFC Consulting, Lda. (NIPC PT516223771), Setúbal, Portugal.
Security you can show your auditor.
See how Infosec Tools fits your organisation — from controls to evidence, in one place.
Request a demo
Tell us about your organisation and we'll be in touch.