Security Overview

Epitome's security posture is designed to protect client data across infrastructure, application, and operational layers while giving enterprise customers a clear path for deeper diligence.

Hosting and infrastructure

Epitome is designed as a cloud-first platform built around Amazon Web Services. Current documentation describes a hosted architecture using services such as S3, CloudFront, ECS, Lambda, Aurora, and AWS-managed key services (Available now). This cloud foundation supports resilience, scaling, and regional deployment options, while Epitome remains responsible for the security design, access model, application controls, and operating procedures implemented on top of the underlying cloud environment.

Where clients require specific hosting or deployment patterns, Epitome can support region-specific deployments and, in some cases, client-managed private cloud models (Supported with configuration). These options should be confirmed during solution design and contracting rather than assumed by default.

Encryption and key management

Epitome's current documentation states that personal and sensitive data is encrypted at rest using AES-256 and protected in transit using TLS 1.2 or TLS 1.3, depending on the specific connection path (Available now). Encryption key management is described as being handled through AWS Key Management Service (Available now).

These controls apply to Epitome's application design and platform configuration. They are distinct from AWS's own certification and control environment, which supports but does not replace Epitome's responsibility for secure implementation.

Identity, access control, and administrator security

Epitome describes a least-privilege access model with role-based access control for platform and data access (Available now). Administrative accounts are expected to use multi-factor authentication (Available now), and the platform's current material also references dedicated authentication layers using AWS Cognito (Available now).

Additional access controls may be applied for specific environments or customer deployments, including IP-based restrictions, SSO integration, and tighter administrative boundaries (Supported with configuration). Where a client requires identity federation or custom access governance, that should be defined as part of implementation planning.

Logging and monitoring

Administrative actions, authentication events, and broader application or infrastructure activity are described as being logged centrally (Available now). Current drafts also refer to immutable or tamper-resistant administrator logging, time-synchronised records, and monitoring for suspicious activity (Available now).

From a buyer perspective, the key point is that Epitome intends to maintain an audit trail for security-relevant actions and to use monitoring as part of both operational assurance and investigation readiness. More detailed descriptions of log retention, monitoring workflows, and response processes are Available on request.

Secure development and vulnerability management

Epitome's current security material sets out a secure development approach that includes code review, threat modelling, dependency scanning, static and dynamic testing, and vulnerability management (Available now). The platform is also described as following a DevSecOps model with security integrated into planning, development, testing, deployment, and operations (Available now).

The present draft language also references continuous vulnerability scanning, severity-based remediation timelines, and annual penetration testing by independent testers (Available now). Supporting summaries or deeper evidence for testing and remediation can be shared during diligence (Available on request).

Business continuity, backup, and recovery

Epitome's current documents describe a layered backup and disaster recovery posture including encrypted backups, point-in-time recovery capabilities, and geographically distributed backup storage (Available now). The current target recovery objectives are documented as RPO less than or equal to 12 hours and RTO less than or equal to 24 hours for critical services (Available now).

Stricter recovery objectives or deployment-specific resilience models may be possible in some customer environments (Supported with configuration), but should only be committed after design review.

Incident response

Epitome maintains an incident-response summary that describes severity levels, triage targets, containment expectations, client communications, and post-incident review (Available now). The current draft also states that clients will be notified without undue delay following confirmed high-severity incidents affecting their environment or data (Available now).

Detailed incident-response documentation, reporting formats, and evidence of exercises are Available on request.

Certifications and assurance posture

Epitome's current draft material presents the following status:

  • CSA STAR Level 1: Available now
  • ISO 27001 certification: In progress
  • SOC 2 Type II: In progress
  • Penetration-testing summaries or assurance material: Available on request

It is also important to distinguish between Epitome's own status and the certifications held by its cloud providers. AWS certifications and attestations support the underlying infrastructure environment, but they are not a substitute for Epitome's own control design, operating procedures, or future assurance roadmap.