Data Security FAQ

Common Questions

Berwyn Group maintains a SOC 2 Type II attestation that is renewed annually, with bridge letters covering the period between audits. The SOC 2 examination covers the Security, Availability, and Confidentiality trust services criteria. The most recent report is available to customers and prospects under NDA through the Berwyn Trust Center.

Berwyn aligns its security program with the NIST Cybersecurity Framework (CSF) and the Cloud Security Alliance (CSA) Cloud Controls Matrix (CCM). To support customers whose programs map to common frameworks, Berwyn provides pre-filled standardized questionnaires, including CAIQ, CIS Top 20, and SIG.

An independent, CREST-approved third party performs penetration testing annually and following any major release.

Your data is always stored and processed in the United States on Amazon Web Services (AWS), in the US-EAST-1 region across multiple Availability Zones for high availability. Data is logically segmented by application and by customer.

Berwyn applies layered controls to protect customer data, beginning with strong per-customer data isolation.

1. Data isolation: Customer PII is stored in a specialized, field-level encrypted datastore in which each customer has its own data encryption key (DEK), keeping it isolated from other data and from other customers.

2. Encryption everywhere that matters: All data is encrypted in transit and at rest using FIPS 140-2 compliant encryption, across cloud storage, the corporate network, endpoint devices, and networks. Data in transit is protected with TLS 1.2 or higher; data at rest is protected with AES-256, consistent with NIST-approved encryption standards.

3. Network protections: A web application firewall (WAF) protects against brute-force and other application-layer attacks, and geo-based access restrictions block traffic from high-risk regions.

4. Access controls: Production access is restricted to a limited set of personnel, governed by least-privilege, MFA, and privileged access management. Any access to customer data requires a documented business need and is logged.

Yes. Berwyn supports configurable access controls.

Internal applications: Berwyn’s internal applications leverage single sign-on (SSO) and mutual TLS (mTLS) and operate on a least-privilege basis. Access permissions are reviewed and verified through Berwyn’s SOC 2 audit.

Client applications: Multi-factor authentication (MFA) is enabled by default. Federated identity and SSO are available at no cost and support SAML 2.0 and OIDC.

Customer-owned access decisions: Customer administrators control which users at their organization have access to data stored in Berwyn applications and can deprovision users at any time through the application or via Berwyn support.

Berwyn retains customer data only while it serves a business purpose. Data is destroyed in accordance with NIST SP 800-88 media sanitization guidelines.

Berwyn applies a layered approach to limiting retention that covers our applications, infrastructure, project, and continuous monitoring workflows. At any time, customers can request that Berwyn execute a certificate of destruction, signed by the CIO.

Yes. Berwyn’s Trust Center is available at trust.berwyngroup.com and is the primary destination for customers and prospects to learn about Berwyn’s security posture.

Through the Trust Center, authorized parties can request access to Berwyn’s SOC 2 Type II report and bridge letters, view executive summaries of recent penetration testing, and request completed industry-standard security questionnaires, including SIG, CAIQ, and CIS Top 20.

Yes. Berwyn’s privacy policy describes how personal information is collected, used, shared, and protected. It is available at https://berwyngroup.com/privacy-policy/.

Yes. Berwyn maintains operational, application, and security logs for diagnostic, audit, and incident response purposes. Logs are piped into our SIEM and retained for three years. Logs are accessed only by authorized personnel with a documented business need and are used to support troubleshooting, monitoring, and SOC 2 controls. PII is not logged.

Please report security or related concerns to help@berwyngroup.com. Confirmed security incidents are escalated through Berwyn’s documented Incident Response process, and affected customers are notified in accordance with contractual obligations.
