PaQva

Security & trust

Security posture

How we protect our systems and how we help protect yours.

Principles

How we design security

Foundational principles that guide our internal stack and client engagements.

Least privilege by default

Defense-in-depth across identity, network, and app

Secure-by-default configurations with reviewed exceptions

Auditability with traceable changes and approvals

Recovery readiness through tested restores and runbooks

Internal controls

How we operate internally

Operational controls we run inside PaQva, with evidence and cadence.

Evidence-backed

Identity & Access

MFA/2FA on admin surfaces, scoped roles, and SSO where supported.

  • RBAC for consoles, code, and data with quarterly access reviews
  • Hardware-based or app-based MFA for administrators
  • Least-privilege service accounts with rotation playbooks
Frequency: Quarterly access reviews
Evidence: Audit logs, review records

Backups & Recovery

Encrypted backups with clear RPO/RTO targets and restore drills.

  • Daily encrypted backups for core systems; retention per system tier
  • Documented RPO/RTO targets with variance tracking
  • Quarterly restore tests with evidence of outcomes
Frequency: Restore tests quarterly
Evidence: Restore reports, backup dashboards

Endpoint & Patch Management

Managed updates, EDR/AV coverage, and baseline hardening.

  • OS and browser patch windows with rollout waves
  • EDR/AV alerts triaged with response playbooks
  • Baseline hardening for laptops/servers (disk encryption, screensaver locks)
Frequency: Weekly patch windows
Evidence: Patch reports, EDR coverage

Monitoring & Logging

Centralized alerts with retention tuned to risk and compliance needs.

  • Health and security alerts with documented severities
  • Log retention by system criticality; clock sync enforced
  • Runbook links embedded in alerts for faster response
Frequency: Continuous monitoring
Evidence: Alert history, log retention settings

Change Management

Reviews and approvals for code, infra, and access changes.

  • Peer review required for infrastructure and app changes
  • Rollback and maintenance windows documented pre-change
  • Access elevation requests recorded with expiry
Frequency: Per change
Evidence: Pull requests, change tickets

Incident Response

Playbooks, roles, and communications ready for containment and recovery.

  • Named roles for incident command, comms, and forensics
  • Tabletop drills for critical scenarios (quarterly)
  • Customer and stakeholder comms templates prepared
Frequency: Tabletops quarterly
Evidence: Drill notes, playbooks

Client controls

Controls we recommend for clients

Sized to your org, industry, and stack.

We tailor controls to company size, industry, and existing stack.

MFA and password policy

Enforce MFA, password managers, and scoped admin roles.

Backup strategy with restores

Define RPO/RTO by system; test restores on a cadence.

Device compliance

Baseline hardening, disk encryption, and EDR coverage.

Vulnerability scanning

Light scanning with prioritization and patch SLAs.

Email security

Phishing controls, DMARC/SPF/DKIM, and user reporting.

Firewall and access policies

Least privilege for networks, VPN/zero trust where applicable.

Least privilege for apps

RBAC, scoped API keys, and offboarding hygiene.

Security awareness

Short trainings and phishing drills with metrics.

90-day plan

Typical 90-day plan

Sequenced for quick wins, hardening, monitoring, and handoff.

Roadmap cadence

Weeks 1-2

Baseline + quick wins

  • Access and asset inventory; MFA baseline
  • Backup verification and critical restores
  • Email security checks (DMARC/SPF/DKIM)

Weeks 3-6

Hardening + monitoring

  • Endpoint hardening and patch SLAs
  • Logging and alert routes with owners
  • Vulnerability scan with remediation list

Weeks 7-10

Audits + drills

  • Access review and least-privilege clean-up
  • Backup restore drill with RPO/RTO check
  • Tabletop or phishing drill with actions

Weeks 11-12

Documentation + handoff

  • Runbooks and escalation paths finalized
  • Metrics and next-quarter plan
  • Handoff with owners and KPIs

Certifications

Certifications and credentials

No claims without verification. Status is transparent and evidence can be shared under NDA.

Certifications and attestations can be shared or validated under NDA.

We follow industry frameworks for alignment only (not as formal certifications).

SOC 2

Planned

Not certified; control mapping available upon request.

ISO 27001

Planned

Not certified; roadmap available upon request.

CIS Controls / NIST CSF alignment

In progress

Alignment of practices; no certification implied.

Customer security questionnaires

In progress

Completed upon request with evidence-backed answers.

Certifications available upon request

We provide questionnaires or attestations with evidence on request.

Policies

Policies and documents (on request)

Shared privately under NDA; not published publicly.

  • Security overview (under NDA)
  • Incident response summary
  • Backup and DR policy summary
  • Access review procedure snapshot

FAQ

Security FAQ

Clear answers without over-promising.