Security and compliance documentation for executives, insurance reviewers, legal teams, vendor-risk teams, and enterprise buyers. Public statements below. NDA-gated artefacts available on request within five business days.
EFROS's external security posture is rated continuously by SecurityScorecard's automated assessment platform. The score below reflects our public-facing infrastructure: DNS, email authentication, TLS, application security, network endpoints, patching cadence, IP reputation, and hacker chatter. No self-reporting. Signals are observed by third parties. Click the badge to view the live public report.
How to interpret this score
Methodology source: SecurityScorecard 10 Risk Factors. Independent ratings updated continuously by SecurityScorecard. No EFROS self-reporting.
EFROS is a cybersecurity-first managed service provider. Every engagement runs under documented controls aligned to recognised frameworks. Independent attestations and partner-tier letters are reviewed annually and provided under NDA to qualified prospects.
EFROS operates against the certifications, partner programs, and frameworks listed below. Supporting evidence (Statement of Applicability, attestation report, partner-tier letter, engineer credentialing) is released under mutual non-disclosure agreement to qualified clients and their insurance, legal, or audit reviewers.
The following items are released to qualified clients and their insurance, legal, or audit reviewers under mutual non-disclosure agreement.
Client data stays in the client's own tenant by default. EFROS engineers operate with the minimum access required for the engagement. Read-only auditor or global-reader roles are preferred where the task allows. Elevated access is time-boxed, logged, and reviewed.
EFROS operates against GDPR, UK GDPR, CCPA / CPRA, HIPAA (where BAA in place), and PIPEDA expectations. Every engagement contract includes confidentiality covenants. Employees sign individual confidentiality agreements and complete annual data-handling training.
If an incident hits a client environment, the 24×7 SOC contains first, communicates with the client's designated incident contact, and follows the runbook documented at engagement onboarding. Severity classification and SLA targets are the canonical P1-P4 matrix below (Section 6a).
Priority bands and response SLAs for incident response under EFROS Fortress SOC engagements. Lower-tier programs (Core IT, Secure Operations) follow the same bands with business-hours-only coverage on P3 and P4.
| Priority | Definition | Acknowledge | Containment status | Mitigation target | Formal notification |
|---|---|---|---|---|---|
| P1 — Critical | Customer-impacting outage or active confirmed incident | 30 minutes | 1 hour | 4 hours | ≤ 24 hours |
| P2 — High | Degraded service or contained security alert | 1 hour | 4 hours | 1 business day | If regulatory clock applies |
| P3 — Medium | Non-urgent issue or standard change request | 4 business hours | n/a | 3 business days | n/a |
| P4 — Low | Informational, scheduled change or maintenance | 1 business day | n/a | 5 business days | n/a |
Regulatory-notification clocks (HIPAA OCR, NYDFS Part 500 §500.17 72-hour, GDPR/UK GDPR 72-hour, state breach statutes) run in parallel with this matrix and are tracked per-incident against jurisdiction. Performance against this matrix is reported quarterly under NDA via the Trust Center.
EFROS carries cyber-liability, professional-indemnity, and commercial-general-liability coverage. Certificates of insurance are provided to qualified prospects under NDA. Carrier-specific attestations are available for clients whose own cyber insurance requires vendor-side documentation (Beazley, Chubb, AIG, Travelers, and the major specialty markets).
For procurement reviewers, security questionnaires (SIG, CAIQ, SAQ, custom), and audit requests, route directly to our compliance team. We return completed questionnaires within five business days.
Security researchers reporting vulnerabilities in EFROS-operated systems or client environments under our scope are welcome. We follow a coordinated disclosure model and do not pursue legal action against researchers acting in good faith.
Microsoft Solutions Partner status is verifiable via Microsoft Partner Center. AWS Partner status is verifiable via the AWS Partner Network directory. Cisco Partner status (Cisco 360 Partner Program, 2026) via the Cisco Partner Locator. ISO 27001 and SOC 2 attestations are released under NDA.
Yes. Standardised questionnaires (SIG, CAIQ) are returned within 5 business days. Custom questionnaires within 10 business days. We sign with evidence references. Never with claims that exceed our actual controls.
Yes. We sign BAAs with every healthcare client and run HIPAA-aligned controls as a default. The BAA is signed before any PHI-relevant systems are touched.
In your tenant. EFROS engineers operate against your Microsoft 365, Google Workspace, AWS, Azure, or Google Cloud tenant under read-only or scoped credentials. EFROS does not retain custody of client data outside the agreed evidence retention window (typically 12 months). Destruction is verifiable.
All documentation, configuration, and runbooks stay in your tenant. EFROS retains evidence files under encryption for the contractually agreed retention period (default 12 months), then destroys them with verifiable sign-off. You can request earlier destruction at any time.
Every EFROS employee with production access completes a criminal background screening through a reputable vendor before starting. Renewed for sensitive engagements. References available under NDA.
Anonymized samples drawn from real engagements. Every artifact below is a representation of what an EFROS client receives as part of an assessment, incident-response retainer, or managed service. Operational outputs, not marketing slides.
Recommended: move to p=quarantine within 14 days after a 30-day aggregate-report review, then to p=reject. Owner: IT lead. Effort: 2 hours.
Defender for Endpoint blocks file-encryption pattern, isolates host from network. Initial alert fires in SOC console.
Identity, lateral-movement, and persistence indicators pulled from SIEM. Two additional endpoints flagged with matching IOCs.
Compromised user revoked, sign-in sessions terminated. All three endpoints isolated. Lateral targets pre-emptively isolated.
Notification per pre-agreed SLA. Bridge opened with client lead, EFROS IR lead, and SOC on the line. Initial scope and impact statement delivered.
Memory image, disk snapshot, and log preservation. TTPs matched against known affiliate. Initial-access vector identified (phished M365 account, no MFA).
Confirmed-clean baseline images deployed to a quarantine VLAN. Patient zero credential rotated, app-password reset across affected services.
Three-2-1 backup restored to clean infrastructure. Hash integrity verified, AV scan clean. User-facing systems back online on a watched VLAN.
Written report delivered: TTPs, IOCs, what worked, what didn't, mandatory hardening (MFA, Conditional Access, log retention). Lessons documented for tabletop.
| Status | Area | Control | Note |
|---|---|---|---|
| Implemented | Identity MFA enforced for all licensed users Conditional Access policy 'Require MFA for all users' active | ||
| Partial | Identity Privileged accounts on FIDO2 or Authenticator with number-match 3 of 5 Global Admins still on SMS — schedule cutover | ||
| Implemented | Identity Conditional Access blocks legacy authentication Policy active; 0 legacy-auth sign-ins last 30 days | ||
| Missing | Identity Risk-based sign-in policy and user-risk policy enabled Entra ID P2 features available but not configured | ||
| Partial | Email security SPF / DKIM / DMARC at p=reject with aggregate reporting DMARC at p=quarantine; ready to move to p=reject in 30 days | ||
| Implemented | Email security Anti-phishing impersonation protection (Defender for Office 365) Mailbox-intelligence on; 4 executives in protected-users list | ||
| Implemented | Email security Safe Links and Safe Attachments policies tuned Dynamic delivery on; click-time URL rewriting active | ||
| Missing | Email security External-sender warning banner on inbound mail Transport rule not deployed — recommended for BEC defense | ||
| Implemented | Endpoint Defender for Endpoint or third-party EDR on all devices Defender P2; 248 of 248 devices reporting | ||
| Partial | Endpoint Intune compliance policy gates Conditional Access Windows compliant; macOS and iOS compliance policies pending | ||
| Missing | Endpoint Attack Surface Reduction rules in audit-then-block mode ASR rules not enabled — high-leverage hardening | ||
| Missing | Data Sensitivity labels with auto-classification on top 3 categories Purview unlicensed or unconfigured | ||
| Partial | Data DLP policies for credit-card / SSN / health data DLP on email only — extend to Teams, SharePoint, OneDrive | ||
| Implemented | Audit Unified audit log enabled and retention extended to 1 year+ Audit log on; retention at default 180 days — extend to 365 | ||
| Missing | Audit Alert policies routed to SOC or 24×7 monitoring Alerts firing into a shared inbox no one watches at 2 AM |
| Status | Rule | Detail | Evidence |
|---|---|---|---|
| Pass | 3 copies of every protected workload Production + on-prem repo + cloud repo for tier-1 systems Evidence: Veeam job report: 100% of tier-1 systems with 3 copies | ||
| Pass | 2 different storage media Disk-based repo + object-storage cloud tier Evidence: Wasabi S3 immutable tier + local ReFS volume | ||
| Pass | 1 copy off-site, geographically separated Cloud copy in a region >300 km from primary site Evidence: Cloud copy in EU-Central, primary in EU-West | ||
| Warn | 1 copy immutable (object-lock or air-gap) Hardened repository or S3 Object Lock with retention period Evidence: Object Lock at 14 days — recommended minimum is 30 days | ||
| Fail | 0 backup verification errors SureBackup or recovery-verification job passes on every restore point Evidence: 4 of 12 tier-1 jobs without verification configured | ||
| Warn | Quarterly full-restore test, written record A complete restore-to-clean-infrastructure dry-run with documented timing Evidence: Last test 11 months ago — overdue per policy | ||
| Pass | RTO target documented per workload tier Recovery Time Objective per system, agreed with the business Evidence: Tier-1: 4 hr · Tier-2: 24 hr · Tier-3: 72 hr (signed off) | ||
| Pass | RPO target documented per workload tier Recovery Point Objective expressed in minutes/hours of data loss Evidence: Tier-1: 15 min · Tier-2: 4 hr · Tier-3: 24 hr | ||
| Fail | Backup credentials separated from production AD A compromised domain admin must not be able to delete backups Evidence: Veeam service account is a domain admin — high-risk finding | ||
| Pass | Backup repository monitored by SOC Alerts route to a 24×7 watched queue, not a shared inbox Evidence: Veeam ONE → Wazuh → SOC ticketing pipeline live |
For vendor-risk reviewers, audit teams, or enterprise procurement. Stefan responds personally within 1 business day with the NDA and the requested artifact.
Related
ISO 27001, SOC 2, vendor partner-tier letters, and the frameworks EFROS operates against.
OpenThe 60-question template. What we ask our own vendors, and what we answer for yours.
OpenWhat the AICPA Trust Services Criteria look like in evidence form.
OpenThe named individuals on the engagement and the credentials they hold.
OpenThe engagement model, SLAs, and what to expect through onboarding.
OpenData handling, sub-processors, and regional jurisdiction details.
Open