Security and compliance documentation for executives, insurance reviewers, legal teams, vendor-risk teams, and enterprise buyers. Public statements below; NDA-gated artefacts available on request within five business days.
EFROS operates as a cybersecurity-first managed service provider. Every engagement runs under documented controls aligned to recognised frameworks. Independent attestations and partner-tier letters are reviewed annually and provided under NDA to qualified prospects.
EFROS holds certifications and partner statuses across the major technology vendors and frameworks our clients require. Each is independently verified annually. Documentation, audit attestations, and partner-tier letters are available under NDA for qualified clients and their reviewers.
The following are released to qualified clients and their insurance, legal, or audit reviewers under mutual non-disclosure agreement.
Client data remains in the client's own tenant by default. EFROS engineers operate with the minimum-necessary access required for the engagement. Read-only auditor or global-reader roles are preferred where the task allows; elevated access is time-boxed, logged, and reviewed.
EFROS operates against GDPR, UK GDPR, CCPA / CPRA, HIPAA (where BAA in place), and PIPEDA expectations. Every engagement contract includes confidentiality covenants. Employees are bound by individual confidentiality agreements and trained annually on data-handling procedures.
If an incident affects a client environment, the 24×7 SOC contains first, communicates with the client's designated incident contact, and follows the runbook documented during the engagement onboarding.
EFROS carries cyber-liability, professional-indemnity, and commercial-general-liability coverage. Certificates of insurance are provided to qualified prospects under NDA. Carrier-specific attestations available for clients whose own cyber insurance requires vendor-side documentation (Beazley, Chubb, AIG, Travelers, and the major specialty markets).
For procurement reviewers, security questionnaires (SIG, CAIQ, SAQ, custom), and audit requests, route directly to our compliance team. We typically return completed questionnaires within five business days.
Security researchers reporting vulnerabilities in EFROS-operated systems or client environments under our scope are welcomed. We follow a coordinated disclosure model and do not pursue legal action against researchers who act in good faith.
Microsoft Solutions Partner status is verifiable via Microsoft Partner Center. AWS Partner status is verifiable via the AWS Partner Network directory. Cisco Premier status via the Cisco Partner Locator. ISO 27001 and SOC 2 attestations are released under NDA.
Yes. Standardised questionnaires (SIG, CAIQ) are returned within 5 business days. Custom questionnaires within 10 business days. We sign with evidence references, not with claims that exceed our actual controls.
Yes. We sign BAAs with every healthcare client and operate HIPAA-aligned controls as a default. The BAA is signed before any PHI-relevant systems are touched.
In your tenant. EFROS engineers operate against your Microsoft 365, Google Workspace, AWS, Azure, or Google Cloud tenant under read-only or scoped credentials. EFROS does not retain custody of client data outside the agreed retention window for evidence (typically 12 months) and destruction is verifiable.
All documentation, configuration, and runbooks remain in your tenant. EFROS retains evidence files under encryption for the contractually agreed retention period (default 12 months), then destroys them with verifiable sign-off. You can request earlier destruction at any time.
Every EFROS employee with production access undergoes a criminal background screening through a reputable vendor before starting. Renewed for sensitive engagements. References available under NDA.
Anonymized samples drawn from real engagements. Every artifact below is a representation of what an EFROS client receives as part of an assessment, incident-response retainer, or managed service. Not marketing slides — operational outputs.
Recommended: move to p=quarantine within 14 days after a 30-day aggregate-report review, then to p=reject. Owner: IT lead. Effort: 2 hours.
Defender for Endpoint blocks file-encryption pattern, isolates host from network. Initial alert fires in SOC console.
Identity, lateral-movement, and persistence indicators pulled from SIEM. Two additional endpoints flagged with matching IOCs.
Compromised user revoked, sign-in sessions terminated. All three endpoints isolated. Lateral targets pre-emptively isolated.
Notification per pre-agreed SLA. Bridge opened with client lead, EFROS IR lead, and SOC on the line. Initial scope and impact statement delivered.
Memory image, disk snapshot, and log preservation. TTPs matched against known affiliate. Initial-access vector identified (phished M365 account, no MFA).
Confirmed-clean baseline images deployed to a quarantine VLAN. Patient zero credential rotated, app-password reset across affected services.
Three-2-1 backup restored to clean infrastructure. Hash integrity verified, AV scan clean. User-facing systems back online on a watched VLAN.
Written report delivered: TTPs, IOCs, what worked, what didn't, mandatory hardening (MFA, Conditional Access, log retention). Lessons documented for tabletop.
Conditional Access policy 'Require MFA for all users' active
3 of 5 Global Admins still on SMS — schedule cutover
Policy active; 0 legacy-auth sign-ins last 30 days
Entra ID P2 features available but not configured
DMARC at p=quarantine; ready to move to p=reject in 30 days
Mailbox-intelligence on; 4 executives in protected-users list
Dynamic delivery on; click-time URL rewriting active
Transport rule not deployed — recommended for BEC defense
Defender P2; 248 of 248 devices reporting
Windows compliant; macOS and iOS compliance policies pending
ASR rules not enabled — high-leverage hardening
Purview unlicensed or unconfigured
DLP on email only — extend to Teams, SharePoint, OneDrive
Audit log on; retention at default 180 days — extend to 365
Alerts firing into a shared inbox no one watches at 2 AM
Production + on-prem repo + cloud repo for tier-1 systems
Evidence: Veeam job report: 100% of tier-1 systems with 3 copies
Disk-based repo + object-storage cloud tier
Evidence: Wasabi S3 immutable tier + local ReFS volume
Cloud copy in a region >300 km from primary site
Evidence: Cloud copy in EU-Central, primary in EU-West
Hardened repository or S3 Object Lock with retention period
Evidence: Object Lock at 14 days — recommended minimum is 30 days
SureBackup or recovery-verification job passes on every restore point
Evidence: 4 of 12 tier-1 jobs without verification configured
A complete restore-to-clean-infrastructure dry-run with documented timing
Evidence: Last test 11 months ago — overdue per policy
Recovery Time Objective per system, agreed with the business
Evidence: Tier-1: 4 hr · Tier-2: 24 hr · Tier-3: 72 hr (signed off)
Recovery Point Objective expressed in minutes/hours of data loss
Evidence: Tier-1: 15 min · Tier-2: 4 hr · Tier-3: 24 hr
A compromised domain admin must not be able to delete backups
Evidence: Veeam service account is a domain admin — high-risk finding
Alerts route to a 24×7 watched queue, not a shared inbox
Evidence: Veeam ONE → Wazuh → SOC ticketing pipeline live
For vendor-risk reviewers, audit teams, or enterprise procurement. We typically return completed questionnaires within 5 business days.