Security

Security at
Settio

Settio handles personal and immigration data for international hires. We design our infrastructure, code, and operations around the assumption that this data must stay private, available, and tamper-resistant. This document summarises the controls we have in place. For our security questionnaire (CAIQ-style), audit summary, or pen-test letters, write to [email protected].

Effective:18 April 2026Last updated:18 April 2026

1. Our security approach

We follow a defence-in-depth model: independent layers of controls across infrastructure, application, identity, monitoring, and people, so that the failure of any one layer does not expose customer data. Our program is aligned with the principles of ISO 27001 and SOC 2 (Security, Availability, Confidentiality), and will pursue formal certification as we scale.

2. Infrastructure & hosting

  • EU/EEA only — Customer Data is stored and processed in the EU/EEA, with our primary region in Stockholm, Sweden. Backups remain in the EU.
  • Reputable cloud provider — hosted on a tier-1 EU cloud with ISO 27001, ISO 27017, ISO 27018, SOC 1/2/3 attestations.
  • Network isolation — production is segmented from development and staging; data-plane traffic stays inside private networks; public endpoints sit behind a WAF and DDoS protection.
  • Hardened images — minimal base images, regular patching, automated vulnerability scanning of containers and hosts.

3. Encryption

  • In transit: TLS 1.2+ enforced for every external endpoint; modern cipher suites; HSTS preloaded.
  • At rest: AES-256 for databases, object storage, file uploads, and backups.
  • Key management: keys held in a managed KMS, with periodic rotation, hardware-backed protection, and audit logging.
  • Secrets: stored in a dedicated secret manager, never in source code, scoped per-environment, and rotated.

4. Identity and access

  • SSO + MFA on all admin tooling, code hosting, cloud consoles, observability, and email.
  • Least privilege: role-based access, just-in-time elevation for production, all production access logged.
  • Quarterly access reviews; immediate offboarding of departing staff.
  • Customer-side: SSO support, MFA enforcement, granular role permissions, and audit logs available to customers.

5. Application security

  • Secure SDLC: design review for sensitive features, mandatory peer code review, branch protection, signed commits where supported.
  • Static analysis & dependency scanning in CI; critical/high vulnerabilities block deploys.
  • Penetration testing by an independent third party at least annually and after major changes.
  • OWASP Top 10 mitigations baked into the framework: parameterised queries, output encoding, CSRF protection, strict CSP.
  • Multi-tenant isolation: row-level isolation with strict tenant scoping, automated tests guarding tenant boundaries.

6. Logging and monitoring

  • Centralised, tamper-evident logs covering authentication, authorisation, data access, and administrative actions.
  • Anomaly detection and alerting routed to on-call.
  • Customer-facing audit log of activity inside their workspace.

7. Resilience and backups

  • High-availability deployment across multiple EU availability zones.
  • Automated daily encrypted backups; restore procedures tested regularly.
  • Documented business continuity and disaster recovery plans with target RTO and RPO; reviewed annually.

8. People and process

  • Background checks (where lawful) for staff with production access.
  • Mandatory security and privacy training at onboarding and annually thereafter.
  • Confidentiality obligations in every employment / contractor agreement.
  • Documented information security policies, reviewed at least annually.

9. Incident response

  • Documented incident response runbooks with severity tiers and on-call rotation.
  • Internal triage target of 24 hours; controller breach notification within 48 hours of becoming aware (and as required by Article 33 GDPR).
  • Post-incident reviews with corrective actions tracked to completion.

Report a vulnerability

We welcome responsible disclosure. Email [email protected] with reproduction steps. We don’t pursue legal action against good-faith security researchers and will credit you in our advisory if you wish.

10. Vendor and subprocessor management

  • Risk-based reviews of every subprocessor before onboarding, including security posture, certifications, and data location.
  • Data Processing Agreements with EU SCCs in place where required.
  • Up-to-date list at /subprocessors.

11. Compliance roadmap

  • GDPR — operational today, with a documented controller/processor model and DPA available.
  • NIS2 readiness — controls aligned with NIS2 cybersecurity risk management measures relevant to our service.
  • ISO 27001 / SOC 2 — control framework in place; certification roadmap available on request.
  • EU AI Act — internal program covering risk classification, transparency obligations, human oversight, and documentation. See our AI & Responsible Use policy.

12. Get our security pack

For procurement teams

Email [email protected] to request:

  • completed security questionnaire (CAIQ-style);
  • summary penetration test letter;
  • certifications and attestations as they become available;
  • countersigned DPA with SCCs.

Need something more for your procurement review?

Email [email protected] for our DPA, security questionnaire responses, subprocessor list, or to request a custom audit-ready summary.

Visit Trust CenterTalk to us