
Security at MAST GRC

The MAST GRC Platform is built and operated to the same standards we help our customers achieve. This page summarises the security controls protecting your data — from the cloud foundation up to the application layer.

Last updated · June 2, 2026

  • ISO 27001 — certified ISMS.
  • SOC 2 Type II — annual attestation.
  • AES-256 / TLS 1.3 — encryption everywhere.
  • MFA / SSO / SAML — hardware keys required for production access.
  • Tenant isolation — logical and data-layer.
  • 24×7 monitoring — SIEM plus on-call SOC.

1. Our approach

Security at MAST is governed by a documented ISMS aligned with ISO/IEC 27001:2022. Roles, responsibilities and risk appetite are defined by an information security committee chaired by the CISO. Controls are operated continuously and assessed by independent assessors at least annually.

2. Certifications & attestations

  • ISO/IEC 27001:2022 — Information Security Management System.
  • ISO/IEC 27701:2019 — Privacy Information Management extension.
  • SOC 2 Type II — Security, Availability and Confidentiality trust services.
  • ISO/IEC 22301:2019 — Business Continuity Management.
  • Independent penetration testing by a CREST-accredited provider — at least quarterly.

Certificates, SOC 2 reports and pen-test letters are available under NDA from security@mastgt.com.

3. Architecture & tenant isolation

The platform runs on a globally distributed edge runtime with regional data storage. Each tenant is logically isolated through a combination of row-level security on the database, scoped service-role keys, and per-tenant storage prefixes. Cross-tenant access is impossible by design — every privileged query is gated by a security-definer function that checks tenant membership.
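The isolation pattern described above (row-level security plus a security-definer membership check, queried under a scoped application role) can be written down concretely. The following PostgreSQL schema is an added illustration, not MAST's own code or schema: the table names `tenant_members` and `evidence`, the function `is_tenant_member`, the role `app_user` and the `app.current_user_id` session setting are all assumptions chosen for the example.

```sql
-- Added example (not the platform's own schema): tenant isolation with
-- PostgreSQL row-level security and a SECURITY DEFINER membership check.
-- All identifiers below are assumptions made for this illustration.

-- Membership table: which users belong to which tenant.
CREATE TABLE tenant_members (
  tenant_id uuid NOT NULL,
  user_id   uuid NOT NULL,
  PRIMARY KEY (tenant_id, user_id)
);

-- Customer data, always tagged with the tenant that owns it.
CREATE TABLE evidence (
  id        uuid PRIMARY KEY,
  tenant_id uuid NOT NULL,
  title     text NOT NULL
);

-- Application roles must not read membership directly; only the
-- SECURITY DEFINER function below is allowed to consult it.
REVOKE ALL ON tenant_members FROM PUBLIC;

-- SECURITY DEFINER runs with the function owner's privileges, so it can
-- read tenant_members on the caller's behalf. STABLE lets the planner
-- evaluate it once per statement. search_path is pinned so a caller
-- cannot shadow objects the function references. If the session setting
-- is absent, current_setting(..., true) yields NULL and the check is false,
-- so an unidentified caller sees no rows at all.
CREATE FUNCTION is_tenant_member(p_tenant uuid)
RETURNS boolean
LANGUAGE sql
STABLE
SECURITY DEFINER
SET search_path = public, pg_temp
AS $$
  SELECT EXISTS (
    SELECT 1
    FROM tenant_members m
    WHERE m.tenant_id = p_tenant
      AND m.user_id = current_setting('app.current_user_id', true)::uuid
  );
$$;

REVOKE EXECUTE ON FUNCTION is_tenant_member(uuid) FROM PUBLIC;

-- Enable RLS and force it even for the table owner, so no code path
-- bypasses the policy by connecting as the owning role.
ALTER TABLE evidence ENABLE ROW LEVEL SECURITY;
ALTER TABLE evidence FORCE ROW LEVEL SECURITY;

-- Reads are filtered by USING; writes are rejected by WITH CHECK unless the
-- row's tenant_id is one the caller belongs to.
CREATE POLICY evidence_tenant_isolation ON evidence
  FOR ALL
  USING (is_tenant_member(tenant_id))
  WITH CHECK (is_tenant_member(tenant_id));

-- Scoped application role: table access, no BYPASSRLS, no membership reads.
CREATE ROLE app_user NOLOGIN NOBYPASSRLS;
GRANT SELECT, INSERT, UPDATE, DELETE ON evidence TO app_user;
GRANT EXECUTE ON FUNCTION is_tenant_member(uuid) TO app_user;

-- Per request, the API layer identifies the caller for this transaction
-- and then queries normally; rows from other tenants are never returned
-- and inserts tagged with a foreign tenant_id fail the policy check.
-- BEGIN;
-- SET LOCAL app.current_user_id = '<caller user_id>';
-- SELECT id, title FROM evidence;
-- COMMIT;
```

The two controls reinforce each other: the policy makes every statement against `evidence` pass through the membership check, and the `SECURITY DEFINER` boundary means the application role never needs (and never gets) direct read access to the membership table. Reviewing such a deployment means confirming that no application role carries `BYPASSRLS`, that `FORCE ROW LEVEL SECURITY` is set on every tenant-scoped table, and that the session setting is established per transaction rather than per connection.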

4. Encryption

  • In transit — TLS 1.2+ everywhere, TLS 1.3 preferred; HSTS, modern cipher suites only.
  • At rest — AES-256 for databases, object storage and backups.
  • Secrets — managed by a hardware-backed key management service with strict IAM scopes.
  • Backups — encrypted, geo-redundant, restore-tested at least quarterly.

5. Access control

Customer-facing authentication supports email + password, social sign-in and SAML 2.0 SSO. MFA is available on every account and enforceable by tenant administrators. Inside MAST, production access requires hardware FIDO2 keys and a documented break-glass procedure, and is reviewed quarterly. Role-based access control enforces least privilege for every internal action.

6. Monitoring, logging & detection

All application, infrastructure and authentication events are streamed to a central SIEM with 24×7 alerting. Anomalous sign-ins, privilege escalations, and admin actions trigger automated responses. Audit logs are immutable and retained for at least 12 months.

7. Vulnerability management

  • Static analysis (SAST) and dependency scanning on every pull request.
  • Container and infrastructure-as-code scanning before every deploy.
  • Continuous dynamic scanning (DAST) of production endpoints.
  • Critical fixes deployed within 24 hours, high within 7 days, medium within 30 days.

8. Incident response

We follow a documented incident response plan based on NIST SP 800-61. Confirmed incidents affecting customer data are communicated to affected tenant administrators within 72 hours, together with the impact, containment status and remediation plan. A full root-cause analysis is shared on closure.

9. Business continuity & disaster recovery

The platform targets an RTO of 4 hours and an RPO of 15 minutes. Failover plans are tested quarterly. Customer evidence stored in the document store is replicated across availability zones.

10. Responsible disclosure

We welcome reports from security researchers. If you believe you have found a vulnerability, please email security@mastgt.com with a description, reproduction steps and any supporting material. Do not exploit the issue beyond what is necessary to demonstrate it and do not access data that does not belong to you. We will acknowledge within 2 business days and aim to remediate critical issues within 30 days. We will not pursue legal action against researchers acting in good faith.

Need to report something urgent? Use the contact form and choose Security — it is routed to the on-call SOC.