Who This Is For / When to Use
Use this article if you need an overview of how Kyrios Systems secures data, manages access, maintains uptime, handles compliance obligations, or responds to security incidents.
Security Objectives
Kyrios Systems’ security program is designed to achieve the following objectives:
Customer Trust and Protection – Protect customer data confidentiality and privacy.
Availability and Continuity of Service – Maintain high uptime and reduce service disruption risks.
Information and Service Integrity – Prevent unauthorized modification of customer data.
Compliance with Standards – Meet or exceed applicable industry and regulatory requirements.
Security Controls Overview
Kyrios Systems applies administrative, technical, and physical controls across infrastructure, applications, and operations. The sections below outline the most frequently referenced controls.
Infrastructure Security
Cloud Hosting Providers
Kyrios Systems does not host production systems in physical offices.
Infrastructure is hosted in the United States using:
Google Cloud Platform (GCP)
Amazon Web Services (AWS)
Security and compliance rely on provider-audited controls, including physical and environmental safeguards.
Google Cloud
Minimum 99.5% monthly uptime
Public compliance documentation available through Google’s Compliance Resource Center
AWS
99.95%–100% service reliability
SOC 2 Type 2 and ISO 27001 validated
Public compliance and audit reports available through AWS Cloud Compliance and AWS Artifact
Network and Perimeter Security
Multi-layer filtering and inspection across applications and infrastructure
Logical firewalls and security groups deny access by default
Network access control lists prevent unauthorized access
Firewall rules are:
Managed through formal change control
Reviewed periodically to ensure necessity and accuracy
Configuration Management
Infrastructure is highly automated and scales on demand
Server configurations are embedded in hardened images and configuration files
Containers are provisioned with predefined security baselines
Configuration drift is automatically corrected within 30 minutes
Patch management is handled through:
Automated tools, or
Replacement of non-compliant instances
Logging
Application actions and events are centrally logged
Logs are indexed and retained based on data sensitivity
Security-relevant logs support investigation and incident response
Write access to log storage is restricted to authorized engineers only
Alerting and Monitoring
Automated monitoring detects:
Error rate anomalies
Abuse patterns
Application attacks
Alerts notify appropriate teams for investigation and response
Some triggers initiate automatic mitigation, such as:
Traffic throttling
Process termination
Application Security
Web Application Defenses
Application-layer monitoring identifies malicious behavior
Detection rules align with OWASP Top 10 guidance
Built-in protections mitigate DDoS attacks
Controls help ensure continued availability of hosted websites and applications
Development and Release Management
Continuous delivery pipeline with:
Code reviews
Automated testing
Merge approvals
Static code analysis prevents known misconfigurations
Dynamic security testing is performed periodically
Deployments follow this lifecycle:
QA environment testing
Segmented promotion to production
Automated deployment with rollback capability
Releases occur with no downtime
Major feature changes are communicated through in-app notifications
Vulnerability Management
Regular vulnerability scanning using industry-recognized tools
Adaptive asset discovery and updated detection signatures
Annual penetration testing of applications and infrastructure
Findings are assessed and remediated based on risk priority
Customer Data Protection
Data Classification
Customers are responsible for ensuring appropriate data collection
Kyrios Systems products must not be used to store:
Credit or debit card numbers
Financial account details
Social Security numbers
Passport numbers
Health information
(unless explicitly permitted)
Tenant Separation
Kyrios Systems operates as a multi-tenant SaaS platform
Customer data is logically separated using unique identifiers
Authorization rules are continuously validated
Authentication, access, and data changes are logged
Encryption
Data in transit
Encrypted using TLS 1.2 or 1.3
2,048-bit keys or stronger
Data at rest
Encrypted using AES-256
Passwords are hashed using industry best practices
Key Management
Encryption keys are securely managed within hardened systems
TLS keys are managed through content delivery partners
At-rest encryption keys are stored in a Key Management System (KMS)
Key rotation frequency varies by data sensitivity
Customer-supplied encryption keys are not supported
Data Backup and Disaster Recovery
System Reliability and Recovery
Infrastructure deployed across multiple availability zones
Redundant web, application, and database components
Point-in-time recovery capabilities enabled
Backup Strategy
Databases are backed up daily
Seven days of backups retained
Backup execution is continuously monitored
Failures generate alerts and are escalated immediately
Backup Protections
Backups are protected by:
Access controls
Write-once-read-many (WORM) protections
File system access control lists
Customer Data Restoration
Customers cannot initiate infrastructure-level recovery
Engineering teams manage disaster recovery
Customers can:
Restore deleted items from the recycle bin (up to 30 days)
Revert web pages, blogs, and emails using version history
Export data or sync using public APIs
Identity and Access Control
Product User Management
Customers can manage users within their portals
Granular role and permission assignment is supported
Product Login Protections
Native login enforces:
Minimum password length of 8 characters
Passwords must include uppercase letters, lowercase letters, numbers, and special characters
Two-Factor Authentication (2FA) is enforced for all users
Password policy cannot be modified by customers
Employee Access to Customer Data
Production Infrastructure Access
Role-Based Access Control (RBAC)
No direct network access to infrastructure
Access requires bastion hosts or assigned IAM roles
Persistent admin access is restricted
Customer Portal Access
Default access is limited for support staff
Just-in-Time Access (JITA) grants temporary access:
Maximum 24 hours
Logged and monitored
High-risk actions are restricted during JITA sessions
Corporate Authentication
Multi-Factor Authentication required for company systems
Password vaults manage administrative credentials
Access reviews are conducted regularly
Organizational and Corporate Security
Background Checks and Onboarding
Third-party background checks required before hiring
Employees must acknowledge:
Employee Handbook
Code of Conduct
Information Security responsibilities
Policy Management
Written Information Security Policy maintained
Policies cover data handling, privacy, and enforcement
Policies are reviewed and approved annually
Security Awareness Training
Mandatory cybersecurity training at onboarding
Annual refresher training
Includes phishing awareness
Vendor Management
Third-party vendors are vetted for security controls
Sub-processors are listed in the Data Processing Agreement
Endpoint Protection
Company-issued devices use full disk encryption
Mobile Device Management (MDM) enforces:
Configuration standards
Security policies
Compliance monitoring
Compliance and Privacy
Sensitive Data Processing
Kyrios Systems does not store or process credit card data
Payments are handled by PCI-compliant processors
Privacy
Personal data is not sold to third parties
Data handling aligns with the Privacy Policy
Data Retention and Deletion
Customer data is retained for active customers
Deletion requests are honored per legal requirements
Logs and metadata may be retained for compliance or security
Breach Response
Formal incident response procedures are in place
Customers are notified of breaches as required by law
GDPR
Kyrios Systems provides tools that support GDPR compliance
Use of the platform alone does not guarantee GDPR compliance
Customers are responsible for consent management and data deletion workflows
Common Questions and Answers
How is data secured in the cloud?
Data is hosted on GCP and AWS with audited security controls. All data is encrypted in transit and at rest, with strict access controls.
How are backups handled?
Backups run daily with seven days of retention. Recovery is managed by engineering teams using point-in-time restore capabilities.
How is unauthorized access prevented?
RBAC, encryption, logging, and enforced 2FA protect customer data and restrict access.
Are employees screened before access?
Yes. All employees undergo background checks and must acknowledge security policies.
Can customers manage their own users?
Yes. Customers can create users, assign roles, and control permissions within their portals.
Is Multi-Factor Authentication required?
Yes. Two-Factor Authentication is enforced for all users by default.
