Information Security
BURQ’s information security framework is built on cloud-native defense-in-depth principles. Hosted on Microsoft Azure, BURQ benefits from the platform’s secure foundation while implementing additional controls across its infrastructure, application layer, and operational workflows. The goal is clear: to protect customer data, ensure service continuity, and comply with global security standards.
Our approach covers all critical aspects of information security, including encryption, identity and access management, audit logging, endpoint protection, threat detection, and incident response. We regularly review, test, and refine our controls in line with industry standards such as ISO 27001, ISO 27701, and GDPR.
Security Governance & Strategy
BURQ operates a comprehensive, organization-wide Information Security Management Framework designed to protect systems, data, and customer assets.
- Information Security Policy: BURQ maintains a centrally governed Information Security Policy that outlines the standards for managing and protecting information assets. This policy covers access control, data classification, system use, and incident handling. It is reviewed on a semi-annual basis and updated as needed to reflect changes in regulatory requirements, threat landscapes, or operational needs.
- Dedicated Security Team: Security at BURQ is led by a specialized security function, which includes roles responsible for governance, risk management, compliance, and incident response. This team oversees the implementation of controls, monitors for threats in real time, conducts internal audits, and ensures adherence to security policies across all departments.
- Security Oversight & Accountability: Security leadership reports directly to executive management. All major security initiatives and incidents are escalated to the appropriate governance committees to ensure accountability and timely response.
- Security Awareness & Training: All BURQ employees undergo mandatory security training upon onboarding and receive regular updates on secure practices, social engineering awareness, and role-specific security responsibilities. Compliance is monitored and enforced through internal policy controls.
- Continuous Improvement Program: BURQ’s security strategy is designed to evolve. We routinely assess our controls through internal risk assessments, independent audits, and penetration tests. Outcomes are reviewed to guide policy updates, system hardening, and process enhancements.
Identity & Access Management
BURQ enforces strict controls over user and system access through fine-grained policies and automation:
- Role-Based Access Control (RBAC): Access to platform resources is provisioned based on job functions, following the principle of least privilege.
- Multi-Factor Authentication (MFA): Enforced for all privileged accounts and encouraged for all users. Compatible with TOTP-based authenticators.
- Single Sign-On (SSO): Supports SAML 2.0 and OpenID Connect integration with major identity providers like Azure AD, Google Workspace, and Okta.
- Password Policy: Passwords must meet strong complexity requirements and are never stored in plaintext. Accounts are locked out after repeated failed attempts.
- Access Reviews: Periodic (at least quarterly) user access reviews are conducted to verify alignment with job responsibilities.
Data Encryption
BURQ encrypts all customer data both in transit and at rest using industry-standard protocols:
- In Transit: Data is encrypted using TLS 1.2 or higher, ensuring secure communications between services and client endpoints.
- At Rest: All data, including configuration metadata, is encrypted using AES-256 via Azure’s storage encryption mechanisms.
- Secrets Management: Sensitive credentials are stored securely in Azure Key Vault, with strict access policies.
- BYOK Support: For enterprises with compliance needs, BURQ offers Bring Your Own Key (BYOK) capabilities using customer-managed keys in Azure Key Vault.
Logging, Monitoring & Threat Detection
BURQ uses centralized tools for continuous monitoring, audit logging, and proactive threat detection.
- Audit Trails: All user actions, integration changes, and configuration updates are logged with user identity and timestamp. Logs are immutable and retained for at least one year.
- SIEM Integration: Logs are aggregated in a managed ELK (Elasticsearch, Logstash, Kibana) stack integrated with Azure Monitor, allowing real-time detection and correlation of anomalies.
- Threat Detection Tools:
  - Anomaly Detection: Behavioral analytics are used to identify abnormal usage patterns.
  - Intrusion Detection/Prevention: Azure Defender for Cloud provides host-level and network-level intrusion detection.
  - Endpoint Detection & Response (EDR): Company-managed devices include EDR solutions to detect and remediate malware and suspicious activities in real time.
Endpoint Security
BURQ ensures strong protection across all employee workstations and administrative access points.
- Anti-Malware: All workstations with access to production environments have anti-malware tools installed, offering:
- Full Disk Encryption: All company-managed devices utilize full-disk encryption to safeguard data in the event of loss or theft.
- Endpoint Monitoring: Access to infrastructure is controlled through hardened devices, jump hosts, and VPN connections with logging and session auditing.
Incident Response
BURQ maintains a comprehensive Incident Response Plan (IRP) to detect, contain, and remediate security incidents swiftly and effectively.
- Security Monitoring: The platform is monitored 24/7 via automated alerting and manual reviews by the Security team.
- Structured Response Process: The IRP includes defined phases:
  - Detection & Triage
  - Containment
  - Eradication
  - Recovery
  - Post-Incident Review
- Roles & Responsibilities: The IRP defines clear roles, escalation procedures, and stakeholder communication guidelines.
- Tabletop Testing: Incident response readiness is validated through regular tabletop exercises.
- Customer Notification: In the event of a data breach affecting customer data, BURQ will notify affected parties in accordance with contractual and regulatory obligations (e.g., within 72 hours under GDPR).
- Security Contact: Customers and researchers can report vulnerabilities via email to [Insert email]