Security

efficy has established a cross-functional security organization led by the Chief Information Security Officer (CISO) and supported by dedicated DevSecOps engineers and representatives from multiple departments across the company.

efficy has appointed a dedicated Chief Information Security Officer (CISO) with expertise in cybersecurity, as well as a dedicated Data Privacy Officer (DPO). Both serve as cross-functional advocates for data privacy and information security across the organization.

efficy has made significant investments to deploy and integrate specialised security tools that cover a wide range of areas, including:

• Compliance

• Identity and Access Management (IAM)

• Endpoint Detection and Response (EDR)

• Intrusion Detection Systems (IDS)

• Static Application Security Testing (SAST)

• Vulnerability Management (VM)

• And third-party application management.

We also maintain specific cybersecurity insurance coverage as an added layer of risk management.  

Our risk management process is a cornerstone of efficy’s security posture. It begins with an annual threat and risk analysis for each product line, enabling us to identify emerging risks and vulnerabilities within the evolving digital landscape. 

This is complemented by regular risk assessments integrated into our project management processes, which allows us to continuously evaluate potential impacts on our systems and services. 

Throughout the year, external audits are conducted by a range of stakeholders, including investors and key customers, providing valuable, multi-faceted insights into our security practices. 

We also perform internal audits, and together, these activities culminate in an annual management review, where we rigorously evaluate results and identify areas for improvement.

Secure management of third-party suppliers is a key part of our security strategy. This includes regular security audits, robust access controls, and secure integration processes where necessary.

We also continuously monitor our third-party landscape to prevent the use of non-approved parties, supported by ad hoc tools and formal approval processes. 

We believe that a strong security culture is fundamental to the success of our ISMS. To this end, we run a multi-tiered awareness program designed to educate and empower our employees at all levels of the organization. 

This program includes general security training for all employees, monthly sessions for our Security Ambassador Network, and specialised, role-specific training for technical roles. 

efficy places a strong emphasis on identity governance and management. 

Our identity framework enforces strict access controls to ensure that only authorised personnel can access specific systems and data. By applying principles like least privilege access, zero trust, and role-based permissions, we minimise the risk of unauthorised access and data breaches. 

efficy employs robust mechanisms to classify, store, and protect information throughout the data management lifecycle. We use automated tools to monitor data flows, detect anomalies, and enforce data protection policies in real-time. 

Additionally, we conduct regular data audits and implement encryption protocols to safeguard sensitive information, ensuring both its integrity and confidentiality. 

All customer data is encrypted both in transit and at rest, using only industry-accepted tools, standards, and best practices for data handling and security.

Customer data is logically segregated from all other customers’ data. Additionally, personally identifiable information (PII) is never required to take full advantage of efficy’s product features.

efficy also supports data deletion requests, covering both the data we control and the data we process on behalf of our customers.

efficy logs and stores every change, action, and event, including the deletion of data, to support easy auditing and root cause analysis.

efficy's solutions are designed to ensure seamless uptime and support enterprise-scale operations. We maintain a robust Business Continuity Plan (BCP) for each solution, prioritising resilience through strategic planning and ensuring critical operations remain uninterrupted, even during unforeseen disruptions.

Operational security is a cornerstone of efficy’s security strategy. We implement a robust operational security policy across all systems and processes, defining clear guidelines for access control, endpoint security, and network monitoring.

These measures help us maintain operational integrity and swiftly identify and deter malicious activities.

We proactively address potential security incidents through a clear, well-designed Incident Response Plan.

This plan includes predefined workflows for detecting, assessing, and responding to incidents, minimising disruption and enabling rapid recovery. We also conduct regular simulations to continually refine our response capabilities and ensure preparedness.

Our Secure Development Lifecycle (SDLC) is at the heart of efficy’s approach to product security.

By following industry standards, such as OWASP, CIS and CSA, we’ve established a comprehensive framework for developing secure solutions.

Our SDLC includes stringent security checks at every phase, from requirements analysis and design to implementation and testing, guaranteeing that vulnerabilities are identified and mitigated early in the development process.

efficy's Vulnerability Management (VM) program is designed to proactively identify, evaluate, and address vulnerabilities across our systems and applications.

Leveraging advanced scanning tools, we continuously monitor for potential weaknesses and address them promptly.

Our regular patching schedules and detailed risk assessments help us prioritise critical fixes and maintain a secure environment against evolving threats.

efficy runs an annual penetration testing (pentest) program for each product line, working with external security experts to thoroughly assess and validate the robustness of our systems against potential threats.

These independent evaluations are complemented by other tests conducted by our customers, allowing them to confirm that our solutions meet their specific security requirements.