At Invictus General Partnership, protecting the security and privacy of our clients' data is foundational to everything we do. As a business process outsourcing provider handling sensitive information across industries including financial services, healthcare, and technology, we maintain rigorous security controls, compliance certifications, and operational safeguards that meet or exceed industry standards.
Our Security Commitment
Security is not an afterthought at Invictus - it is embedded in every layer of our operations, from facility access controls to application-level encryption, from employee onboarding to ongoing compliance monitoring. We take a defense-in-depth approach, implementing multiple overlapping security controls to ensure that no single point of failure can compromise your data.
Our security program is overseen by dedicated compliance and information security professionals who continuously monitor, assess, and improve our security posture in response to evolving threats and regulatory requirements.
Compliance Certifications and Standards
Invictus maintains compliance with the following industry standards and regulatory frameworks:
SOC 2 Type II
Our operations are audited annually against the SOC 2 Trust Services Criteria, covering Security, Availability, Processing Integrity, Confidentiality, and Privacy. SOC 2 Type II reports attest to the effectiveness of our controls over a sustained period, providing assurance that our security practices are not only suitably designed but also operating effectively.
HIPAA Compliance
For clients in the healthcare and pharmaceutical industries, Invictus implements the administrative, physical, and technical safeguards required by the Health Insurance Portability and Accountability Act (HIPAA). We execute Business Associate Agreements (BAAs) with applicable clients and maintain HIPAA-compliant workflows, access controls, and audit logging for all protected health information (PHI).
PCI DSS
Invictus complies with the Payment Card Industry Data Security Standard (PCI DSS) for clients who process, store, or transmit cardholder data. Our iComply-certified infrastructure ensures that credit card information and payment data are handled in accordance with PCI DSS requirements, including encryption, access control, network segmentation, and regular vulnerability assessments.
GDPR
For clients serving European Union data subjects, Invictus implements controls aligned with the General Data Protection Regulation (GDPR). This includes data processing agreements, data subject rights management, lawful basis documentation, data minimization practices, and cross-border data transfer safeguards.
Physical Security
Our facilities are designed and operated with enterprise-grade physical security measures:
- Controlled facility access using electronic badge systems with role-based access restrictions. All entry and exit events are logged and monitored.
- 24/7 CCTV surveillance throughout all facilities, including operations floors, server rooms, entry/exit points, and perimeter areas, with footage retained in accordance with our retention policies.
- Visitor management protocols requiring valid identification, sign-in/sign-out procedures, escort requirements, and visitor badge issuance for all non-employees.
- Clean desk and clean screen policies enforced across all operational areas to prevent unauthorized exposure of client data.
- Restricted device policies prohibiting personal mobile phones, cameras, USB storage devices, and other removable media on the operations floor.
- Dedicated secure areas for server rooms and network infrastructure with additional access controls, environmental monitoring, and fire suppression systems.
Network and Infrastructure Security
- Encryption in transit and at rest. All data transmitted between our systems and client systems is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256 or equivalent encryption standards.
- Network segmentation and firewalls. Our network architecture employs segmentation to isolate client environments. Enterprise-grade firewalls and intrusion detection/prevention systems (IDS/IPS) monitor and protect network traffic.
- Endpoint protection. All workstations and servers are equipped with enterprise endpoint detection and response (EDR) solutions, anti-malware software, and are subject to automated patch management.
- Vulnerability management. We conduct regular vulnerability scans and penetration testing of our infrastructure and applications, with findings prioritized and remediated according to defined SLAs.
- Redundancy and business continuity. Our infrastructure includes redundant internet connections, uninterruptible power supplies (UPS), backup generators, and geographically distributed data backup capabilities to ensure service availability.
- Logging and monitoring. Comprehensive logging across systems, applications, and infrastructure with centralized log management and real-time alerting on security-relevant events.
Data Protection and Privacy
- Data classification. All client data is classified according to sensitivity level, and access controls, handling procedures, and retention policies are applied accordingly.
- Access control. We implement the principle of least privilege across all systems. Access to client data is restricted to authorized personnel with a documented business need and is reviewed on a regular basis.
- Multi-factor authentication (MFA). MFA is required for access to all critical systems, administrative interfaces, and remote access connections.
- Data retention and disposal. Client data is retained only for the period specified in the applicable Client Agreement. Upon termination of services, client data is securely deleted or returned in accordance with contractual obligations, with certificates of destruction provided upon request.
- Privacy by design. Our processes and technology solutions are developed with privacy considerations integrated from the outset, in alignment with the principles outlined in our Privacy Policy.
Employee Security Practices
- Background checks. All employees undergo thorough background screening prior to employment, including criminal record checks and identity verification, in compliance with applicable law.
- Security awareness training. All employees complete mandatory security awareness training upon hire and annually thereafter, covering topics including phishing, social engineering, data handling, incident reporting, and compliance requirements.
- Confidentiality agreements. All employees and contractors are required to sign confidentiality and non-disclosure agreements as a condition of engagement.
- Role-based access. System access is provisioned based on job function and is promptly revoked upon role change or termination of employment.
- Acceptable use policies. Comprehensive acceptable use policies govern the use of company systems, email, internet access, and information handling.
Incident Response
Invictus maintains a documented incident response plan that defines procedures for the identification, containment, eradication, recovery, and post-incident review of security incidents. Key elements include:
- Escalation procedures. Defined escalation procedures ensure that security incidents are promptly reported to the appropriate internal teams and, where required, to affected clients and regulatory authorities.
- Client notification. In the event of a confirmed security incident affecting client data, Invictus will notify the affected client without undue delay, in accordance with applicable contractual and legal obligations.
- Root cause analysis. All significant incidents are followed by a thorough root cause analysis, with findings documented and corrective actions implemented to prevent recurrence.
- Regular testing. Our incident response plan is tested and updated at least annually through tabletop exercises and simulated incident scenarios.
Business Continuity and Disaster Recovery
Invictus maintains comprehensive business continuity and disaster recovery plans to ensure the continued delivery of services in the event of disruption:
- Redundant infrastructure including multiple internet service providers, backup power systems, and geographically distributed data backups.
- Hybrid work capabilities enabling rapid transition to remote operations while maintaining security controls and service levels.
- Recovery time objectives (RTOs) and recovery point objectives (RPOs) are defined for critical systems and reviewed with clients as part of service level agreements.
- Annual testing of business continuity and disaster recovery plans, with results documented and plans updated accordingly.
Third-Party and Vendor Management
Invictus applies rigorous due diligence and ongoing oversight to all third-party vendors and service providers who may have access to client data or support our service delivery:
- Security assessments are conducted prior to vendor engagement and periodically thereafter.
- Vendors with access to sensitive data are required to maintain appropriate security certifications and agree to contractual security obligations.
- Vendor access to systems and data is governed by the principle of least privilege and is subject to regular review.
Continuous Improvement
Our security and compliance program is subject to continuous monitoring and improvement. We regularly review and update our policies, procedures, and controls in response to changes in the threat landscape, regulatory requirements, industry best practices, and the findings of internal and external audits.
Questions or Concerns
If you have questions about our security practices, compliance certifications, or would like to request our SOC 2 report, please contact us:
- By email: info@invictusbpo.com
- By phone: +1 469-940-7469
- By mail: Invictus General Partnership, Southlake, TX 76092, United States