9 Realms Cybersecurity

Security Practices

Last updated: March 2026

Our Commitment

As a managed security service provider, we hold ourselves to the same standards we deliver for our clients. The controls below describe how 9 Realms Security protects client data, our infrastructure, and the portal environment that clients use to interact with us.

We review these practices annually and after any significant change to our environment or service delivery. If you have questions or concerns about a specific control, contact us at security@9realmssecurity.com.

Data Encryption

All data in transit between clients and our systems is encrypted using TLS 1.2 or higher. We enforce HTTPS across all web properties and reject unencrypted connections.

Data at rest in our client portal environment is encrypted using AES-256. Backup data is encrypted using the same standard before transfer or storage.

Client credentials and session tokens are never stored in plaintext. Password hashing uses industry-standard algorithms with per-record salting.

Access Controls

Access to client data and production systems is granted on a least-privilege basis. Staff access is reviewed quarterly and revoked immediately upon role change or separation.

Multi-factor authentication is required for all staff access to production systems, client portals, and internal tooling.

Client portal access is isolated by organization. Users within one client organization cannot access data belonging to another client. Administrative roles within the portal are assigned and audited by 9 Realms staff.

We maintain audit logs of all administrative actions against client data and production infrastructure. Logs are retained for a minimum of 12 months and are protected against tampering.

Incident Response

9 Realms Security maintains a documented incident response plan that is tested at least annually. The plan covers detection, containment, eradication, recovery, and post-incident review.

In the event of a confirmed security incident affecting client data, we will notify affected clients within 72 hours of confirming the breach, consistent with applicable legal requirements.

Our incident response capabilities include the same Stellar Cyber XDR and SentinelOne Singularity tooling we deploy for clients, monitored by the same 24/7 SOC team.

Vulnerability Disclosure

We operate a responsible disclosure program for security researchers who identify vulnerabilities in our systems. If you believe you have found a security issue, please report it to security@9realmssecurity.com before public disclosure.

We commit to acknowledging receipt within two business days, working with researchers to understand and validate the finding, and providing a timeline for remediation.

We ask that researchers follow responsible disclosure principles: no unauthorized access to client data, no service disruption, and a reasonable disclosure window. See our Responsible Disclosure Policy for full details.

Compliance

Our service delivery practices are designed to support clients' compliance programs under PCI DSS, HIPAA, CMMC, SOC 2, and ISO 27001. We align our internal controls to the same frameworks we assess for clients.

We conduct annual third-party security assessments of our own environment, including penetration testing by external practitioners.

We are happy to provide documentation of our security practices, and to complete vendor security questionnaires, as part of the onboarding process for enterprise clients.
