Skip to content

Appcircle Endpoint Device Security Policy

Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)

Purpose

This policy establishes Appcircle's requirements for securing endpoint devices used to access Appcircle systems and data. Endpoint devices represent a significant risk surface: they may store authentication credentials, temporarily cache sensitive data, and serve as entry points for malware or unauthorised access. Consistent application of endpoint security controls reduces these risks across Appcircle's predominantly remote workforce.

Scope

This policy applies to:

  • All devices used to access Appcircle systems or data, including company-issued laptops, mobile devices, and personal devices used under the Bring Your Own Device (BYOD) provisions of the Acceptable Use Policy.
  • All Appcircle employees, contractors, and authorised third parties using such devices.

Device management

Appcircle manages endpoint devices through policy-based controls and employee compliance. Device security requirements are defined in this policy, communicated to all personnel during onboarding and security awareness training, and verified through periodic management review. The following requirements apply to all in-scope devices:

Encryption

Full-disk encryption must be enabled on all endpoint devices:

  • macOS: FileVault (AES-XTS)
  • Windows: BitLocker (AES-256)
  • Linux: LUKS2 full-disk encryption (dm-crypt)

Endpoint protection

  • Anti-virus and malware protection must be active and up to date on all endpoint devices. macOS devices include Apple XProtect and Gatekeeper as built-in malware protection. Windows devices must have Windows Defender enabled. Linux devices must be protected by an approved anti-malware solution, for example ClamAV, where appropriate.
  • Devices must be protected against malware, ransomware, and other endpoint threats.

Operating system and patch management

  • Devices must run a supported operating system version.
  • Operating system and application security patches must be applied in a timely manner.
  • Devices with critically outdated or unsupported operating systems are non-compliant and may be restricted from accessing Appcircle systems.

Screen lock and access controls

  • Automatic screen lock must be configured to activate after a short period of inactivity.
  • Devices must require authentication (password, PIN, or biometric) to unlock.
  • Devices must be locked when left unattended, even briefly.

Authentication

  • MFA must be applied to all system access via Microsoft Entra ID.
  • All passwords must be managed through the approved enterprise password manager (vaultwarden).
  • Passwords and device credentials must not be shared.

Data handling on devices

  • Sensitive and customer data must not be downloaded or stored on local device drives.
  • Approved cloud storage services must be used for Appcircle business data.
  • Confidential information must not be visible to unauthorised individuals (shoulder surfing protection applies).

Network connectivity

  • Devices must not connect to Appcircle systems over public or unencrypted Wi-Fi.
  • Encrypted Wi-Fi connections (WPA2 or stronger) are required for all Appcircle business activity.

Device lifecycle

Provisioning

Company-issued devices are configured by Engineering/IT before being issued, with required security controls pre-applied. Employees must not modify security configurations without authorisation.

Lost, stolen, or compromised devices

Any loss, theft, or suspected compromise of a device must be reported to Engineering Management immediately. Upon notification, remote wipe and access revocation procedures are initiated without delay.

Disposal and decommissioning

Before disposal or reassignment, all sensitive data, files, and stored credentials must be completely erased. Secure wipe procedures are followed to ensure no recoverable data remains.

BYOD

Personal devices used for Appcircle business must meet the same security requirements as company-issued devices. BYOD devices are subject to compliance review. No confidential or customer data may be stored locally on BYOD devices.

Compliance monitoring

Device compliance is monitored through periodic management review and onboarding verification. Engineering Management is responsible for confirming that newly issued devices meet policy requirements before granting access to Appcircle systems. Non-compliance is reported to Engineering Management for follow-up.

Roles and responsibilities

  • Engineering Management (Policy Owner): Accountable for this policy; ensures implementation, enforcement, and review; approves exceptions.
  • Engineering / Platform / Operations: Provisions and manages devices; verifies policy compliance at onboarding; monitors and reports on device health.
  • All personnel: Maintain devices in compliance with this policy; report incidents, device loss, or theft immediately; complete applicable security training.

Regulatory alignment

This policy supports compliance with:

  • SOC 2 (Trust Services Criteria — Logical and Physical Access Controls, Common Criteria)
  • ISO/IEC 27001:2022 (A.8.1 User endpoint devices)
  • GDPR (Article 32 — Security of processing)
  • KVKK (Article 12 — Data security obligations)

Exceptions

Exceptions to this policy must be:

  • Documented with justification, scope, duration, and compensating controls.
  • Approved by the policy owner or an authorised delegate.
  • Reviewed before expiry and retired when no longer required.

Policy review and updates

This policy is reviewed at least annually and when significant changes occur to device management tooling, workforce arrangements, or regulatory requirements.

Note

This public policy describes Appcircle's endpoint device security posture at a high level. Detailed internal standards, device configuration baselines, and compliance check procedures are maintained separately and may be shared under appropriate agreements when required.

  • Information Security Policy
  • Acceptable Use Policy
  • Network Security Policy
  • System Access Control Policy
  • Physical Security Policy
  • Asset Management and Data Classification Policy