Appcircle Physical Security Policy¶
Effective date: 2026-02-05 Last reviewed: 2026-02-05 Policy owner: Engineering Management (Security Program Owner)
Purpose¶
This policy defines Appcircle's approach to protecting its information assets from unauthorised physical access. It establishes requirements for securing facilities, endpoint devices, and information assets across all locations where Appcircle operates or where its personnel work.
Scope¶
This policy applies to:
- Appcircle's office facility and any other locations operated by Appcircle.
- All endpoint devices and physical information assets used by Appcircle personnel.
- All Appcircle employees, contractors, and authorised visitors.
Appcircle's production infrastructure is hosted on Google Cloud Platform. Physical and environmental controls for GCP data centres (including access controls, surveillance, environmental protection, and media handling) are governed and operated by Google. These controls are evidenced by GCP's SOC 2 Type II report and related compliance documentation.
Operating environment¶
Appcircle operates with a predominantly remote workforce. The company maintains a physical office facility in Istanbul, which is used on a limited and flexible basis. Production systems and customer data reside entirely on cloud infrastructure managed by Google — no sensitive production data is stored on-premises.
Office facility controls¶
The following physical security controls apply to Appcircle's office facility:
- Access control: Access to the office is restricted to authorised personnel. Visitor access requires acknowledgement at reception or equivalent escort controls.
- Clean desk: Personnel are required to ensure sensitive information is not left unattended or visible when workspaces are not in use.
- Secure storage: Any physical documents containing sensitive or confidential information must be stored in locked storage when not in active use.
- Asset protection: Appcircle-owned devices must not be left unattended or unsecured in the office or in transit.
- Incident reporting: Any suspected unauthorised physical access, loss, or theft of physical assets must be reported to Engineering Management immediately.
Remote working¶
As the majority of personnel work remotely, physical security requirements extend to all remote working locations:
- Appcircle devices and any personal devices used for Appcircle business must be physically secured when not in use.
- Sensitive information must not be left visible where unauthorised individuals may see it (shoulder surfing protection).
- Lost or stolen devices must be reported to Engineering Management immediately to enable timely remote wipe and access revocation.
- Devices must not be used on unsecured public networks; encrypted Wi-Fi connections are required.
Endpoint device physical security¶
Endpoint devices are primary carriers of authentication credentials and may temporarily cache business data. Physical protection requirements include:
- Devices must have screen lock and auto-lock enabled.
- Full-disk encryption must be enabled (FileVault for macOS; BitLocker for Windows).
- Devices must not be shared with individuals outside of Appcircle.
- Any loss, damage, or suspected compromise of a device must be reported immediately.
Data centre physical controls¶
Physical and environmental security for Appcircle's production infrastructure is fully delegated to Google Cloud Platform. Appcircle reviews GCP's compliance certifications and SOC 2 Type II reports as part of its vendor management programme to maintain assurance over these delegated controls.
Roles and responsibilities¶
- Engineering Management (Policy Owner): Accountable for this policy; ensures review, updates, and communication; approves exceptions.
- Engineering / Platform / Operations: Responsible for monitoring and enforcement; handles reports of physical security breaches or concerns.
- All personnel: Read, acknowledge, and comply with this policy; report any physical security incidents, suspicious access, or lost/stolen devices promptly.
Regulatory alignment¶
This policy supports compliance with:
- SOC 2 (Trust Services Criteria — Logical and Physical Access Controls)
- ISO/IEC 27001:2022 (A.7 Physical and environmental security)
- GDPR (Article 32 — Security of processing)
- KVKK (Article 12 — Data security obligations)
Exceptions¶
Exceptions to this policy must be:
- Documented with justification, scope, duration, and compensating controls.
- Approved by the policy owner or an authorised delegate.
- Reviewed before expiry and retired when no longer required.
Policy review and updates¶
This policy is reviewed at least annually and when significant changes occur to Appcircle's operating locations, workforce arrangements, or regulatory requirements.
Note
This public policy describes Appcircle's physical security posture at a high level. Detailed internal procedures (including office access controls, device recovery processes, and GCP physical security documentation) are maintained separately and may be shared under appropriate agreements when required.
Related policies¶
- Information Security Policy
- Acceptable Use Policy
- Endpoint Device Security Policy
- Asset Management and Data Classification Policy
- System Access Control Policy
- Network Security Policy
- Vendor Management Policy