Security, controls and operational assurance
This page summarises Capantra’s security posture in a procurement-friendly format. It covers access controls, logging, incident response, and supporting operational practices.
Note: This material is informational and non-exhaustive. Control implementation may vary by product, deployment model, and customer configuration. For evidence packs or questionnaires, contact Capantra.
Access control and identity
Access to systems and customer data is governed by role-based access and least-privilege principles. Administrative access is restricted and logged. Customers should apply their own governance to user access within their tenant.
- Role-based access controls (RBAC) aligned to job function.
- Administrative actions restricted and audited.
- Support access governed via process and scoped to need.
- Separation of customer environments where applicable to deployment model.
- Maintain appropriate user access governance (joiners/movers/leavers).
- Use strong authentication controls (per configuration).
- Ensure lawful and authorised use of any customer-provided datasets and campaigns.
- Apply least privilege for internal users and agencies.
Logging, monitoring and auditability
Operational logs and telemetry support troubleshooting, service assurance, and security monitoring. Logging practices may vary by environment and product; we aim to balance observability with minimisation.
- Authentication and administrative events (where supported).
- Operational workflow and activity events.
- Service health/availability signals and alerting events.
- Security-relevant indicators to support investigation and response.
- Access and administrative actions should be attributable to a user identity where feasible.
- Retention and access to logs governed by policy and operational need.
- Investigations follow a documented approach with appropriate approvals.
Incident response and breach handling
Capantra maintains an incident response approach aligned to operational best practice. Incidents are triaged, contained, investigated, and remediated, with customer communications appropriate to severity, contract scope, and legal obligations.
- Detection and triage (severity assessment).
- Containment and mitigation actions.
- Root-cause analysis and remediation.
- Customer communication and post-incident review.
- Notification timing depends on facts, severity and applicable law.
- We aim to share actionable information that supports customer risk decisions.
- For formal processes, contact procurement for incident disclosure terms.
Vulnerability management
We aim to identify, prioritise and remediate vulnerabilities based on risk. Processes may include dependency patching, configuration hardening, and security testing appropriate to product maturity.
- Patch management for dependencies and infrastructure components.
- Secure configuration baselines and change control.
- Security review for sensitive changes (as applicable).
- Vulnerability reports can be coordinated via support/procurement channels.
- We assess and respond based on severity and exploitability.
- Evidence and timelines may be provided as part of procurement packs where appropriate.
Business continuity and resilience
Resilience measures support availability and recovery. Backup and recovery practices are designed to meet service assurance requirements and may vary by product/deployment model.
- Backups and recovery processes (per environment).
- Monitoring and alerting for service health.
- Change control to reduce operational risk.
- RTO/RPO targets depend on product tier and deployment model.
- Formal BCP/DR documentation can be provided on request where applicable.