
This page explains the controls we apply to our own platform and company. It is not a service description; it focuses on how we protect data and identities and on the safeguards that keep Baseline77 compliant and resilient.
Defence in depth
We layer controls across people, process, and technology, with prevention backed by detection, response, and continuous validation across every environment.
Least privilege by default
Access is role-based, time-bound, and auditable. Sensitive paths require elevation with approvals and are traced back to the individual or service identity responsible.
Security is iterative
We review controls alongside product delivery, run playbooks for high-risk changes, and refine posture through testing, monitoring, and lessons learned.
Every layer of data handling assumes encryption, AWS stewardship, and a strict separation between production and development. The controls below cover storage, transit, and the secrets that govern access.
Data at rest
- All data is encrypted at rest within storage (AWS S3), databases (AWS DynamoDB) and secret management (AWS Secrets Manager) using AES-256 with AWS KMS-managed keys.
- Production and development are isolated with separate networks, credentials, and keys; lower environments use dummy datasets.
Data in transit
- Traffic is encrypted in transit using TLS 1.2+ end-to-end.
- Connections stay within AWS-managed networking to keep data flows inside our cloud perimeter.
- Production and development traffic are segregated with dedicated endpoints, certificates, and policies to prevent crossover.
Secure management of secrets
- Secrets are encrypted with AWS KMS in Secrets Manager and Parameter Store.
- Secrets stay within AWS services we manage; retrieval uses no credentials embedded in code or pipelines.
- Production and development secrets are stored separately, with full audit trails.
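As an added illustration (not Baseline77's own tooling), the following offline check evaluates the two controls stated above for storage and secrets: KMS-backed encryption at rest on S3, DynamoDB and Secrets Manager, and a separate key per environment. The input dictionaries follow the shape of the boto3 responses from s3.get_bucket_encryption, dynamodb.describe_table and secretsmanager.describe_secret; the resource names, key ARNs and responses are constructed samples.

```python
PROD_KEY = "arn:aws:kms:eu-west-1:111111111111:key/PROD-KEY-PLACEHOLDER"  # constructed
DEV_KEY = "arn:aws:kms:eu-west-1:111111111111:key/DEV-KEY-PLACEHOLDER"    # constructed
ENV_KEYS = {"prod": {PROD_KEY}, "dev": {DEV_KEY}}  # keys each environment may use

def check_s3(name, cfg, allowed):
    """Default encryption must be SSE-KMS with one of this environment's keys."""
    rules = cfg.get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    rule = rules[0].get("ApplyServerSideEncryptionByDefault", {}) if rules else {}
    if rule.get("SSEAlgorithm") != "aws:kms":
        return f"s3/{name}: default encryption is {rule.get('SSEAlgorithm')}, not aws:kms"
    # No KMSMasterKeyID means the account-wide aws/s3 key: still KMS, but shared by
    # every environment, so it fails the separate-keys control.
    if rule.get("KMSMasterKeyID") not in allowed:
        return f"s3/{name}: key {rule.get('KMSMasterKeyID')} is not this environment's"
    return None

def check_dynamodb(name, desc, allowed):
    """Tables must use a KMS key (SSEType KMS), not the default AWS-owned key."""
    sse = desc.get("Table", {}).get("SSEDescription", {})
    if sse.get("Status") != "ENABLED" or sse.get("SSEType") != "KMS":
        return f"dynamodb/{name}: not encrypted with a KMS key"
    if sse.get("KMSMasterKeyArn") not in allowed:
        return f"dynamodb/{name}: key {sse.get('KMSMasterKeyArn')} is not this environment's"
    return None

def check_secret(name, desc, allowed):
    """No KmsKeyId means the account default aws/secretsmanager key, shared across envs."""
    key = desc.get("KmsKeyId")
    return None if key in allowed else f"secretsmanager/{name}: key {key} is not this environment's"

def audit(inventory):
    """inventory: (env, service, name, boto3-shaped response) tuples -> list of findings."""
    checks = {"s3": check_s3, "dynamodb": check_dynamodb, "secretsmanager": check_secret}
    findings = []
    for env, service, name, response in inventory:
        finding = checks[service](name, response, ENV_KEYS[env])
        if finding:
            findings.append(f"[{env}] {finding}")
    return findings

SAMPLE_INVENTORY = [  # constructed responses: one compliant bucket, three violations
    ("prod", "s3", "prod-docs", {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "aws:kms", "KMSMasterKeyID": PROD_KEY}}]}}),
    ("dev", "s3", "dev-docs", {"ServerSideEncryptionConfiguration": {"Rules": [
        {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}),
    ("dev", "dynamodb", "dev-sessions", {"Table": {"SSEDescription": {
        "Status": "ENABLED", "SSEType": "KMS", "KMSMasterKeyArn": PROD_KEY}}}),
    ("prod", "secretsmanager", "prod/db", {"Name": "prod/db"}),
]
```

Running audit(SAMPLE_INVENTORY) reports the SSE-S3 bucket, the dev table encrypted with the production key, and the secret left on the shared account default key; the compliant production bucket produces no finding.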
Our internal controls keep endpoints healthy, ensure every team member understands their security responsibilities, and centralize identity so access can be tightened or revoked in minutes.
Endpoint protection
Managed devices are enrolled in MDM with anti-malware, security alerting, disk encryption, and restricted admin access to keep fleet health consistent.
Awareness
Every team member receives security education, with refreshers aligned to emerging threats and the controls we expect in day-to-day work.
Identity and access
Google Workspace is our identity hub; SAML SSO is enforced wherever possible so access stays centralized, logged, and revocable in one step.