Security
Last updated: 2026-05-23
We're an engineering-led managed services provider; security posture is part of the product. This page is operational, not aspirational — it documents what we actually do.
In transit
All public-facing traffic is TLS 1.2 or higher. Internal services use mutual TLS or are scoped to private network segments. We don't terminate TLS at intermediate hops we don't own.
At rest
- Secrets and credentials live in Azure Key Vault, never in repository code.
- Object storage uses provider-managed encryption (Cloudflare R2, RustFS S3).
- Databases (PostgreSQL, etcd) use the encryption-at-rest defaults of the platforms they run on.
- No customer data is stored on operator laptops.
Access control
- All admin access uses Microsoft Entra ID SSO with hardware-key MFA required.
- SaaS admin consoles (Cloudflare, HubSpot, Azure, GitLab) are gated by the same SSO + MFA.
- Least-privilege scoped API tokens are stored in Key Vault, partitioned by purpose. The token managing zone redirects, for example, cannot edit DNS or deploy Workers.
- Customer-facing dashboards (Grafana, Wazuh) are isolated per tenant: a query from one org cannot return another org's data.
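As an added example (not the operator's own tooling), a small Python checker for the token-partitioning rule in the list above: each token is tied to one purpose, may hold only the permissions that purpose needs, must be bounded to named resources, and no write permission may be shared across purposes. The purpose names, permission names and token records are constructed for illustration and do not mirror any provider's real permission identifiers.

```python
"""Check that purpose-scoped API tokens stay inside their intended scope.

Added example, not code from the page or its operator. The permission
names, purposes and token records are constructed and do not mirror any
provider's real permission schema.
"""
from __future__ import annotations

from dataclasses import dataclass

# Hypothetical purpose -> allowed permissions map (constructed).
PURPOSE_ALLOWLIST: dict[str, frozenset[str]] = {
    "zone-redirects": frozenset({"zone:read", "redirect_rules:write"}),
    "dns-automation": frozenset({"zone:read", "dns:write"}),
    "workers-deploy": frozenset({"workers:write"}),
}


@dataclass(frozen=True)
class TokenPolicy:
    name: str
    purpose: str
    permissions: frozenset[str]
    resources: frozenset[str] = frozenset()  # resource ids the token may touch


def excess_permissions(token: TokenPolicy) -> set[str]:
    """Permissions the token holds beyond what its purpose is allowed."""
    allowed = PURPOSE_ALLOWLIST.get(token.purpose)
    if allowed is None:
        raise ValueError(f"unknown purpose {token.purpose!r} on token {token.name!r}")
    return set(token.permissions) - allowed


def check_partition(tokens: list[TokenPolicy]) -> list[str]:
    """Return human-readable findings; an empty list means the set is clean."""
    findings: list[str] = []
    for t in tokens:
        extra = excess_permissions(t)
        if extra:
            findings.append(f"{t.name}: out-of-purpose permissions {sorted(extra)}")
        if not t.resources:
            findings.append(f"{t.name}: not bounded to any resource (wildcard scope)")
    # Write permissions must belong to exactly one purpose; reads may be shared.
    writers: dict[str, set[str]] = {}
    for t in tokens:
        for perm in t.permissions:
            if perm.endswith(":write"):
                writers.setdefault(perm, set()).add(t.purpose)
    for perm, purposes in sorted(writers.items()):
        if len(purposes) > 1:
            findings.append(f"{perm} granted to multiple purposes {sorted(purposes)}")
    return findings


# Constructed sample tokens (zone id "zone-1" is hypothetical).
GOOD_REDIRECT_TOKEN = TokenPolicy(
    "redirects-prod", "zone-redirects",
    frozenset({"zone:read", "redirect_rules:write"}), frozenset({"zone-1"}))
DNS_TOKEN = TokenPolicy(
    "dns-automation-prod", "dns-automation",
    frozenset({"zone:read", "dns:write"}), frozenset({"zone-1"}))
WORKERS_TOKEN = TokenPolicy(
    "workers-deploy-prod", "workers-deploy",
    frozenset({"workers:write"}), frozenset({"zone-1"}))
# The same redirect token, but someone also granted it dns:write.
OVERBROAD_REDIRECT_TOKEN = TokenPolicy(
    "redirects-prod", "zone-redirects",
    frozenset({"zone:read", "redirect_rules:write", "dns:write"}), frozenset({"zone-1"}))


if __name__ == "__main__":
    clean = check_partition([GOOD_REDIRECT_TOKEN, DNS_TOKEN, WORKERS_TOKEN])
    print("clean set:", clean or "no findings")
    for line in check_partition([OVERBROAD_REDIRECT_TOKEN, DNS_TOKEN, WORKERS_TOKEN]):
        print("finding:", line)
```

Run it against a token inventory exported from wherever the tokens are defined; the second sample shows the two findings a redirect token with an extra `dns:write` grant produces (out-of-purpose permission, and a write permission now shared between two purposes).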
Subprocessors
Companies that process data on our behalf. We notify clients before adding a new one in a path they depend on.
- Cloudflare (delivery + edge security)
- Microsoft Azure (identity, secrets, infrastructure)
- HubSpot (CRM, marketing email)
- HaloPSA (ticketing, billing)
- DocuSeal (electronic signatures)
- Self-hosted on our own infrastructure, not operated by a third party: GitLab CE, n8n, and the observability stack.
Incident response
If we confirm a security incident affecting customer data, we commit to:
- Notify affected customers within 72 hours of confirmation.
- Provide a written post-incident report including root cause, timeline, scope, and remediation.
- Cooperate with regulatory notifications required of you.
Vulnerability disclosure
If you find a security issue, email security@4thoctet.com. We aim to acknowledge reports within one business day and provide a disposition within 14 days. We don't currently run a paid bug bounty, but we'll credit reporters in our public advisories with permission.
Engineered for SOC 2 readiness
Our controls are engineered to SOC 2 Type II readiness from day one. Each of the following maps directly to the AICPA trust services criteria:
- Encryption in transit (TLS 1.2+) and at rest (provider-managed across Azure, Cloudflare, RustFS).
- MFA-required SSO via Entra ID on all admin surfaces, including SaaS consoles.
- Least-privilege API tokens partitioned by purpose, stored in Azure Key Vault, scope-bounded so a leak has limited blast radius.
- Structured access logs and centralized observability (Loki + Mimir + Grafana) with per-tenant isolation enforced at the query layer.
- Named subprocessor inventory (see above) with change-notification commitment.
- Documented incident-response runbooks with a 72-hour customer-notification SLA.
- Code review on every change via mandatory MR review pipeline (AI-assisted plus human signoff); no direct pushes to production.
- Immutable journaling of operational and security-relevant decisions with cross-repository drift detection.
We can produce a controls-to-framework matrix on request (SOC 2, ISO 27001, HIPAA, or your custom vendor questionnaire). Formal third-party attestation is the audit-cycle layer above this engineering; if your procurement requires SOC 2 Type II or another certification, let's scope the timeline together — the substantive controls are in place.
Contact
Security questions, contract reviews, vendor questionnaires:
security@4thoctet.com