IntuitionLabs Security practices and controls

Security at IntuitionLabs

How we protect client data, application code, and production infrastructure — encryption, access control, secure development lifecycle, monitoring, and incident response designed for regulated life sciences engagements.

Our Security Operating Model

Least-Privilege Access

Every production identity is scoped to the smallest set of permissions needed to do its job. MFA is mandatory. Access grants are reviewed on role change and revoked at engagement close.

Encryption Everywhere

TLS 1.2+ in transit, AES-256-equivalent at rest, secrets held in dedicated secret managers. Public properties enforce HSTS and a strict Content Security Policy.

Secure by Default SDLC

Peer code review, CI security gates, dependency scanning, static analysis, and infrastructure-as-code review for every change — aligned with NIST SSDF and OWASP ASVS.

Inherited Platform Controls

Production workloads inherit ISO/IEC 27001, HIPAA-eligible, and FedRAMP-authorized controls from AWS, Google Cloud, Vercel, and Cloudflare. The inherited-control matrix is documented.

Security as a first-class requirement

In pharma and biotech, security failures are not just reputational — they are regulatory findings, recall triggers, and patient-safety events. We treat security the same way our clients treat Part 11 validation: as a design input, not a deployment afterthought. Threat modelling happens at the start of a feature, not at the end. Security review gates are embedded in the CI pipeline so they cannot be skipped. Every engineer is accountable for the controls inside their code.

Individually attributable access

Every identity is named. Access to cloud consoles, source repositories, production databases, and client environments is tied to an individual engineer, protected by MFA, and logged for audit. Shared credentials are not used. When engineers leave an engagement or the company, access is revoked on the same day.

Defence in depth

No single control carries the security posture. The edge provides WAF, rate limiting, and DDoS mitigation. The application layer enforces authentication, authorization, and input validation. The data layer enforces row- and column-level controls where the platform supports them. The infrastructure layer enforces network segmentation, private networking, and VPC isolation. A compromise of any one layer still leaves meaningful controls between an attacker and client data.

Technical Controls

A non-exhaustive list of the technical controls applied across our engagements. Exact implementation is tailored to the workload, client requirements, and regulatory classification.

TLS 1.2+ Everywhere

All public endpoints enforce TLS 1.2 or higher with modern cipher suites. Legacy protocols are disabled at the edge. HSTS with preload is enabled on production domains.

Encryption at Rest

Block storage, object storage, and managed databases use provider-managed encryption with AES-256 equivalent strength. Backups are encrypted with keys separate from live data.

Centralised Secret Management

API keys, database credentials, and signing keys live in AWS Secrets Manager, Google Secret Manager, or platform-native vaults — never in source code or build artefacts.

MFA on Every Identity

Multi-factor authentication is required for every cloud console, identity provider, source repository, and deployment pipeline. MFA bypass requires a documented, time-boxed exception.

Role-Based Access Control

Authorization is modelled as roles with explicit permission sets. Role definitions are version controlled. Access reviews happen on role change, engagement transition, and at a defined cadence.

Centralised Logging

Application, platform, and access logs are centralised with sufficient retention for forensic review and regulatory obligations. Security-relevant events are tagged for alerting.

WAF and DDoS Mitigation

Public properties are fronted by Cloudflare's enterprise edge, which provides a managed Web Application Firewall, rate limiting, bot management, and always-on DDoS mitigation.

Dependency Scanning

Every build scans for known vulnerabilities in first- and third-party dependencies. High-severity findings block merge and are triaged against defined remediation SLAs.

Static Application Security Testing

SAST runs on every pull request and on the default branch nightly. Findings are triaged by the engineering lead and patched, mitigated, or risk-accepted with documentation.

Secure Software Development Lifecycle

Security is built into every phase of delivery, from the first design sketch to the post-release retrospective. Our SDLC is aligned with NIST SSDF and OWASP ASVS, and layered with GAMP 5 lifecycle controls for regulated-system work. Security reviews are not an optional late-stage step — they are gates inside the CI pipeline.

Design-Time Threat Modelling

Every new feature begins with a lightweight threat model covering assets, trust boundaries, threats, and mitigations.

Code-Time Controls

Peer code review is mandatory. Branch protection rules prevent direct pushes to production branches. No exceptions, no shortcuts.

Pipeline-Time Gates

CI runs SAST, dependency scanning, secret scanning, and infrastructure-as-code linting on every commit. Failing gates block merge.

Infrastructure security

Production workloads run in private network segments with egress controls and no unnecessary public surface. Compute nodes are provisioned from hardened base images, patched on a defined cadence, and replaced rather than mutated when security updates warrant a rebuild. Network access is restricted to explicit allow-lists; ingress to sensitive services requires either a private network path or an authenticated, MFA-gated jump host.

Application security

Applications authenticate every request at the edge, authorise every action at the service boundary, and validate every input at the API layer. Output encoding, parameterised queries, and CSRF tokens are baseline. Session tokens are short-lived and rotated. Errors are logged without leaking sensitive information to end users. API endpoints enforce rate limits appropriate to their threat model.

Data security

Client data is segregated by tenant, encrypted at rest and in transit, and retained only for the period specified in the MSA. Backups are encrypted and stored in a geographically separate region. Export and bulk-download capability is gated behind additional authorization steps and logged. At engagement close client data is returned or securely destroyed per the contractual schedule, with a certificate of destruction provided on request.

Platform Providers and Inherited Controls

Client workloads ride on specialist infrastructure providers whose certified control environments we inherit at the platform layer.

AWS

Primary hosting, compute, object storage, and managed databases. Inherits ISO/IEC 27001, HIPAA-eligible, and FedRAMP-authorized controls at the underlying platform layer.

AWS compliance programs

Google Cloud Platform

Selected AI, data pipeline, and analytics workloads. Inherits ISO/IEC 27001 and HIPAA BAA coverage where applicable to the workload.

GCP compliance programs

Cloudflare

Enterprise edge for all public properties — WAF, DDoS mitigation, bot management, TLS termination. Inherits ISO/IEC 27001 coverage.

Cloudflare Trust Hub

Vercel

Next.js production deployments with immutable build artefacts and signed deployments. HIPAA-eligible platform coverage available.

Vercel security

GitHub

Source code management with branch protection, mandatory peer review, and signed commits. Inherits platform-level security controls from GitHub Enterprise.

GitHub security

Identity and SSO

Corporate identity is centralised through an SSO provider with MFA enforcement, conditional access policies, and session monitoring.


Monitoring, Detection and Response

Visibility is a security control. We invest in logging and detection so that when something goes wrong we know quickly and can act decisively.

Centralised Observability

Application, platform, and access logs are aggregated into a central store. Dashboards cover availability, error rates, authentication events, and egress anomalies. Security-relevant events are tagged for focused alerting, and retention meets the longer of contractual and regulatory requirements.

Alerting Without Fatigue

Alerts are tuned to catch real anomalies — authentication bursts, privilege escalations, unusual data egress, new admin actions — rather than generate noise. Noisy rules are retired or refined, not ignored. On-call engineers own both the alerts they receive and the quality of those alerts.

Incident Response Runbooks

We maintain runbooks for the common categories — credential compromise, data exposure, availability event, supply chain compromise — covering classification, escalation, containment, communications, eradication, and recovery. Runbooks are reviewed at least annually and updated after every real incident.

Forensics and Post-Mortem

After every confirmed security incident we perform a root cause analysis, produce a written post-mortem, and track corrective and preventive actions to closure. Post-mortems are blameless, focused on systems and controls, and shared with affected clients under the applicable notification terms.

Tabletop Exercises

At least once a year we run a tabletop exercise simulating a high-severity incident — typically a credential compromise or a data exposure scenario — and capture lessons learned. The exercise exposes gaps in runbooks, communication trees, and decision authority before a real incident forces the issue.

Responsible Disclosure

Vulnerability reports received at [email protected] are acknowledged within one business day and handled under an ISO/IEC 29147-aligned process. Reporters are kept informed through triage, remediation, and any public advisory, and are credited when they wish to be.

Securing the AI supply chain

AI introduces a new class of security concerns: prompt injection, model exfiltration, training-data leakage, and dependency on third-party model providers whose own security posture matters. We route production LLM traffic through a controlled proxy that enforces authentication, budgets, logging, and provider diversity. Prompts and responses that could contain client data are treated with the same care as the data itself. Model selection and provider selection are documented engineering decisions, not casual defaults.

Third-party and supply-chain risk

Every sub-processor and critical vendor is assessed against security, privacy, data residency, and support-quality criteria before onboarding and re-assessed annually. Build systems pin dependency versions, verify checksums where available, and scan for known vulnerabilities on every build. Release artefacts are immutable and signed. We keep the sub-processor footprint deliberately small to reduce the blast radius of any upstream compromise.

People are part of the stack

The strongest technical controls can be undone by a phishing email. Every engineer receives security awareness briefings covering phishing, social engineering, device hygiene, and incident reporting. Devices used for client work are encrypted, patched, enrolled in endpoint management, and protected by screen-lock policies. Offboarding includes immediate revocation of credentials, device return, and review of recent access.

Frequently Asked Questions

All client-facing connections use TLS 1.2 or higher with modern cipher suites, enforced at the edge by Cloudflare and at the origin by our application platforms. Data at rest is encrypted using provider-managed keys (AES-256 equivalent) on AWS S3, RDS, and Google Cloud Storage. Secrets are stored in dedicated secret managers (AWS Secrets Manager, Google Secret Manager, or platform-native equivalents) — never in source code, environment dumps, or shared documents. HSTS, secure cookies, and a strict Content Security Policy are enabled on public properties.
Access to production systems and client data is limited to engineers assigned to the engagement, is granted on the principle of least privilege, and is revoked on role change or engagement close. Multi-factor authentication is required for every identity provider, cloud console, source repository, and production jump host. Production access is logged and auditable. Shared accounts are prohibited.
We maintain an inventory of first- and third-party components and monitor for advisories via provider feeds, GitHub Dependabot, and NVD subscriptions. Critical and high-severity vulnerabilities are triaged within defined SLAs and patched or mitigated on documented timelines. Static application security testing runs on every pull request; dependency scanning runs on every build. Internet-facing services receive periodic external review.
Yes. Our SDLC follows the principles of NIST SSDF (SP 800-218) and OWASP ASVS for application security verification. Every change goes through peer code review, automated testing, and a CI/CD pipeline with mandatory controls before deployment. Infrastructure-as-code is version controlled and reviewed the same way as application code. For regulated-system work we layer GAMP 5 lifecycle controls on top of this baseline.
Application code is written against the OWASP Top 10 as a floor. We use parameterized queries and ORM-level protections against injection, output encoding and CSP against XSS, anti-CSRF tokens, short-lived JWT or session tokens with rotation, rate limiting at the edge, and input validation at the API boundary. Dependencies are scanned for known CVEs on every build.
Production environments are logically and network-isolated from development and staging. Private workloads live in VPCs with no direct public egress where feasible. Public surface is limited to documented endpoints fronted by Cloudflare's enterprise edge, which provides WAF, DDoS mitigation, and bot management. Inter-service calls use authenticated, TLS-encrypted connections; secrets never flow through client-side code.
We centralize application logs, platform logs, and access logs. Security-relevant events — authentication, privilege changes, admin actions, deploys, configuration changes — are captured with sufficient context for forensic review. Retention periods meet the longer of client contractual requirements and regulatory obligations. Alerting is tuned to reduce fatigue while still surfacing anomalies in authentication, egress, and data-access patterns.
Our incident response process defines severity tiers, an on-call rotation, an escalation chain, and client-notification timelines. For confirmed security incidents affecting client data we notify the client within the contractually agreed window, provide preliminary findings, and follow up with a full root cause analysis and corrective action plan. We retain runbooks for common incident categories (credential compromise, data exposure, availability event, supply chain compromise) and review them at least annually.
Email [email protected] with a description of the issue and reproduction steps. We acknowledge every report within one business day and follow a coordinated-disclosure process aligned with ISO/IEC 29147. We commit to keeping reporters informed on triage, remediation, and any advisory, and to crediting researchers who wish to be credited. We ask researchers to act in good faith, avoid privacy violations and service disruption, and give us reasonable time to remediate before any public disclosure.
Yes. IntuitionLabs maintains Errors and Omissions (professional liability), commercial general liability, and cyber liability coverage appropriate for life sciences consulting engagements. Certificates of insurance and coverage limits can be provided under NDA as part of vendor onboarding.
Need a deeper security review?

Book a session with our team and we will walk your security or risk function through our control narrative, inherited-control matrix, and engagement-specific safeguards.


© 2026 IntuitionLabs. All rights reserved.