Information Security at FluidLabs

FluidLabs implements a structured and documented approach to information security. Our goal is to meet the requirements of our clients and minimize risk through consistent processes and controls.

Security Framework

We base our security program on the principles of Confidentiality, Integrity, and Availability (CIA). These principles guide how we handle data and design our systems.

  • Confidentiality: Only authorized individuals have access to client and internal data.
  • Integrity: Data is protected from unauthorized changes.
  • Availability: Systems and information remain accessible as required.

Certifications

FluidLabs is certified under ISO/IEC 27001:2022. This standard defines how to build and maintain an Information Security Management System (ISMS). Our ISMS is reviewed regularly by internal teams and external auditors. The certification confirms that we follow documented procedures for managing data security.

We also comply with GDPR requirements and enter into Business Associate Agreements (BAAs) when handling PHI under HIPAA. For relevant projects, personnel complete mandatory HIPAA and GDPR training.

Risk Management Process

We perform regular risk assessments to identify and address threats to our information systems. Risks are rated using impact and likelihood, tracked in a risk register, and reviewed quarterly. Our defined risk appetite is moderate. Risks outside tolerance are treated with mitigation plans, technical controls, or policy updates.

Supplier and Third-Party Management

Third-party providers undergo due diligence before engagement. Data Processing Agreements and contractual clauses are used to ensure security alignment. Third-party access is restricted, logged, and periodically reviewed.

Personnel Security

Before hiring, we verify applicant information, including employment history and references. When required by clients, we also conduct background checks.

All employees sign a Non-Disclosure Agreement (NDA) and complete mandatory security awareness training on their first day. Annual refresher training is required. The training includes topics such as phishing, social engineering, and data handling procedures.

We test training effectiveness through internal simulations and targeted follow-up training for high-risk areas. Employees working on specific regulated projects may also complete additional training (e.g., PCI DSS, OWASP Top 10).

Access Control and Authorization

FluidLabs applies a Zero Trust Model and uses role-based access control (RBAC). All systems enforce multi-factor authentication (MFA). Access is reviewed periodically and adjusted based on role and responsibility.

Cloud and internal systems are segmented. Project data is isolated in logically separated environments. Sensitive resources require VPN access and are protected by firewalls and traffic inspection.

Monitoring and Incident Response

We use a centralized Security Information and Event Management (SIEM) system to collect logs and monitor activity across infrastructure, endpoints, and applications. Events are analyzed and escalated based on severity. Logs are stored in a tamper-resistant environment.

We follow the NIST incident response process. The security team investigates incidents, documents findings, and performs root cause analysis. If needed, long-term remediation actions are tracked through the internal project management system.

Vulnerability and Patch Management

We perform regular internal and external vulnerability scans. Findings are prioritized based on criticality and impact. Patches are tested and deployed following a defined change control process.

The security team monitors vendor notifications, mailing lists, and industry advisories to stay informed about new vulnerabilities and required updates.

Endpoint and Infrastructure Security

All endpoints are protected with DNS filtering, anti-malware software, and host firewalls. Disk encryption is enforced on portable and personal devices connected to corporate systems. Devices are monitored by an Endpoint Detection and Response (EDR) platform.

Our network infrastructure uses firewall-based segmentation. VPN and SASE tools are used to enforce secure access, even for mobile or remote users. Data centers are geographically distributed and include redundancy for high availability.

Cloud systems are evaluated using a four-step approval process. We follow the NIST 800-53 control framework for managing security in cloud environments.

Physical Security

Access to offices and data centers is controlled using access cards, facial recognition, and visitor escorts. Surveillance systems monitor all entry points. Server rooms have restricted access and backup power through generators.

Business Continuity and Disaster Recovery

We maintain documented Business Continuity Plans (BCP) and Disaster Recovery Plans (DRP). These plans are tested and updated on a scheduled basis. Plans cover pandemic response, IT outages, and crisis communication procedures.

Data Protection

All data in transit and at rest is encrypted using current encryption standards. We support protected data transfer using tools such as Azure RMS, AIP, Sensitivity Labels, and Office 365 Message Encryption.

Employees are trained on how to select and apply protection labels when sending internal or external communications.
