
Firnal's Security & Trust Framework
Updated: April 10, 2025
Protecting data. Securing operations. Earning trust.
At Firnal, we recognize that trust is earned through transparency, rigor, and relentless commitment to security. Our clients span governments, Fortune 500 companies, public agencies, and institutions handling sensitive data and mission-critical operations. This responsibility is at the heart of how we design systems, manage infrastructure, and engage with every client. Below is a comprehensive overview of Firnal’s core security policies, designed to give you confidence in our ability to protect your data, your operations, and your reputation.
Data Security & Protection
Data Encryption in Transit & At Rest
All client data is encrypted using AES-256 encryption at rest and TLS 1.2+ in transit. Whether stored in databases, archived backups, or transmitted between systems, data remains protected by industry-leading cryptographic protocols.
Access Controls & Role-Based Permissions
Firnal implements granular access control policies using a least-privilege model. Only authorized personnel are granted access to sensitive systems or data, based on job function and project requirements. All access events are logged, monitored, and regularly reviewed.
Data Isolation for Client Projects
Client data is logically and physically isolated from other projects using segmented environments. No data is ever shared between clients or used in cross-project operations without explicit contractual and legal authorization.
End-to-End Auditing & Activity Monitoring
All systems, APIs, and data platforms are continuously monitored for activity using SIEM (Security Information and Event Management) tools. Audit logs are immutable, time-stamped, and reviewed for anomalies and compliance.
Infrastructure Security
Cloud & On-Premise Architecture
Firnal utilizes hybrid infrastructure deployments, hosted across ISO 27001, SOC 2 Type II, and FedRAMP-compliant data centers. For government clients and critical sectors, we also offer sovereign or on-premise deployments with full infrastructure control.
Zero Trust Security Model
We follow a Zero Trust framework—verifying each device, identity, and interaction as if it originates from an untrusted environment. Firewalls, reverse proxies, and multi-factor access layers enforce continual verification across internal and external endpoints.
Third-Party Vendor Vetting
All cloud service providers, SaaS integrations, and infrastructure vendors undergo rigorous security reviews. We assess their compliance with GDPR, HIPAA, CCPA, and industry-specific standards before integration into any Firnal environment.
Application Security
Secure Development Lifecycle (SDLC)
Every product, dashboard, or software solution developed by Firnal goes through a secure development lifecycle that includes:
- Threat modeling
- Static code analysis
- Penetration testing
- Manual code reviews for critical modules
- Third-party dependency scanning
Regular Penetration Testing
Firnal conducts bi-annual penetration tests using both internal red teams and third-party security firms to simulate real-world attacks and proactively identify vulnerabilities before malicious actors do.
API & Endpoint Hardening
All APIs are secured using token-based authentication, rate limiting, and encryption. Input validation and output sanitization protect against common attack vectors like SQL injection, XSS, and CSRF.
Compliance & Legal Assurance
Data Residency & Sovereignty Compliance
Firnal supports custom data localization for clients with residency requirements (e.g. GDPR, PDPA, Nigeria’s NDPR). We can geo-fence data infrastructure and ensure that no personally identifiable information (PII) leaves designated jurisdictions.
Privacy-by-Design
All products and internal processes follow Privacy-by-Design principles, ensuring that user privacy is embedded at every stage—collection, processing, storage, and sharing.
Contractual Security Clauses
All client contracts include data handling protocols, breach notification windows, indemnity coverage, and other legally binding assurances that meet or exceed international expectations.
Operational Security
Employee Training & Access Hygiene
All Firnal personnel undergo mandatory security training, including phishing awareness, incident response protocols, and data privacy compliance. Access to secure environments is contingent on successful completion of this training.
Endpoint & Device Security
Company-issued devices are secured with disk encryption, endpoint detection and response (EDR), and remote wipe capabilities. Personal device use is restricted and monitored via mobile device management (MDM) where applicable.
Internal Auditing & Security Drills
Firnal conducts quarterly internal security audits and biannual tabletop incident response simulations to ensure preparedness and alignment with our risk mitigation framework.
Incident Response & Business Continuity
Rapid Incident Response Protocols
We operate a 24/7/365 Security Incident Response Team (SIRT) with predefined escalation paths. Clients are notified within contractually defined windows, and incident forensics begin immediately.
Business Continuity & Disaster Recovery
All client environments are backed by geographically redundant backups, automated failover systems, and business continuity plans. Our RPO (Recovery Point Objective) and RTO (Recovery Time Objective) targets meet enterprise and government standards.
Breach Transparency & Remediation
In the unlikely event of a breach, Firnal commits to complete transparency, prompt disclosure, full forensic analysis, and tailored remediation plans—backed by executive oversight and legal support.
Trust & Partnership
We understand that entrusting a partner with your data, operations, and mission is an enormous responsibility. At Firnal, security is not a checklist—it’s a philosophy woven into every layer of our company. From how we architect systems, to how we engage with clients, to how we train our people—security, privacy, and accountability are foundational.
If you have additional questions or require a customized security briefing or compliance assessment as part of an engagement, our Trust & Security team is always available to collaborate.
Contact Our Security Team
Email: security@firnal.com
GPG Key: Available upon request
SLAs for security inquiries: < 24 hours