Appcircle Network Security Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy defines Appcircle's requirements for securing its network infrastructure and data in transit. It establishes controls for encryption, network segmentation, firewall management, data loss prevention, and secure connectivity to protect the confidentiality, integrity, and availability of Appcircle systems and customer data.
Scope¶
This policy applies to:
- All Appcircle-operated network infrastructure and connectivity, including Google Cloud Platform (GCP) environments, Microsoft 365 services, Cloudflare (DNS and domain management), and corporate endpoint connectivity.
- All personnel connecting to Appcircle systems, whether from company-issued or personal devices.
- Third-party services that transmit Appcircle or customer data, where applicable.
Appcircle's production infrastructure is hosted on Google Cloud Platform. Network-level physical and environmental controls for that infrastructure are governed by Google and are evidenced by GCP's SOC 2 Type II report and related compliance documentation.
Policy principles¶
- Encryption by default: Data in transit between Appcircle systems and their users or integrations is encrypted using strong, industry-standard protocols.
- Least exposure: Network access is scoped to the minimum required; services are not publicly exposed unless necessary.
- Layered controls: Multiple security layers (firewalls, segmentation, monitoring) reduce the impact of any single control failure.
- Environment isolation: Production, development, and testing environments are logically separated to prevent unauthorised data flows across boundaries.
Encryption in transit¶
All data transmitted between Appcircle services, and between services and end users, is encrypted in transit using TLS (minimum TLS 1.2). AES-256 is used for GCP infrastructure and the Appcircle platform. Unencrypted protocols are not permitted for the transmission of sensitive data.
Employees connecting to Appcircle systems must use encrypted Wi-Fi connections (WPA2 or stronger). Public or unencrypted Wi-Fi connections are not permitted for Appcircle business activity.
Encryption at rest¶
Data stored on Appcircle production systems is encrypted at rest. GCP-managed encryption (AES-256) is applied to all production data stores and databases by default.
Endpoint devices used for Appcircle business must have full-disk encryption enabled:
- macOS devices: FileVault (AES-XTS)
- Windows devices: BitLocker (AES-256)
Key management¶
Encryption keys are managed using controls that ensure secure generation, limited access, storage, rotation, and destruction. Key management practices are reviewed periodically and apply to both Appcircle-managed keys and keys managed through GCP's key management services.
Sub-processors that handle Appcircle or customer data are required to apply equivalent encryption and key management standards in accordance with the Vendor Management Policy.
Network segmentation and firewall controls¶
Production infrastructure is logically segmented to limit the blast radius of any potential compromise. Network security controls on GCP include:
- VPC-level network isolation between environments.
- Firewall rules restricting inbound and outbound traffic to explicitly permitted flows.
- Production environments are separated from development and test environments.
Changes to firewall rules and network security group configurations follow the Change Management Policy and are logged as administrative actions.
Environment separation¶
Appcircle maintains distinct environments for development, testing, and production:
- Production data is not used in development or testing environments unless explicitly approved under documented controls.
- Access controls differ across environments; development access does not confer production access.
- Environment separation is enforced at the GCP project or namespace level where applicable.
Data loss prevention¶
Data loss prevention (DLP) controls are applied to Appcircle's corporate environment via Microsoft Purview to detect and restrict the transmission of sensitive data through email and collaboration services. DLP policies are reviewed and tuned periodically.
DNS and domain security¶
Appcircle's domain and DNS infrastructure is managed through Cloudflare. DNS configuration changes follow the Change Management Policy and are restricted to authorised personnel. Cloudflare's platform provides additional network-layer protections including DDoS mitigation for Appcircle's public-facing services.
Email security¶
Appcircle's email environment (Microsoft 365) is configured with SPF, DKIM, and DMARC controls to reduce the risk of email spoofing, phishing, and domain impersonation.
API security¶
Appcircle exposes APIs to customers and integrations. API endpoints are protected using authentication and authorisation controls consistent with this policy and the System Access Control Policy. API security considerations are addressed during the software development lifecycle in accordance with the SDLC Policy.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Owns this policy; ensures review, updates, and communication; approves exceptions.
- Platform / Operations: Implements and operates network security controls; manages firewall rules, encryption configurations, and segmentation; monitors for anomalies.
- Engineering teams: Ensure applications and services adhere to encryption and network security requirements during development and operation.
- All personnel: Follow secure connectivity requirements; report suspected network security issues.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Logical and Physical Access Controls, Availability, Confidentiality)
- ISO/IEC 27001:2022 (A.8.20–A.8.23 Network security, A.8.24 Cryptography)
- GDPR (Article 32 — Security of processing, including encryption)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to infrastructure, tooling, or regulatory requirements.
Note
This public policy describes Appcircle's network security posture at a high level. Detailed internal standards and procedures (including specific cipher suites, firewall rule sets, segmentation architecture, and DLP rule configurations) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- System Access Control Policy
- Encryption Policy
- Acceptable Use Policy
- Change Management Policy
- Logging and Monitoring Policy
- SDLC Policy
- Vendor Management Policy