Access Governance
- Joiner–Mover–Leaver lifecycle with approvals and auditability.
- Role-based access control, least-privilege, periodic access reviews.
- Unique user accounts; use of shared accounts requires strong secondary controls.
Compliance & Safety Management
Key Compliance Features
Security & Identity
- Federated SSO via customer IdP (SAML v2 / OIDC); MFA enforced by the IdP.
- Configurable session and inactivity timeouts.
- Optional IP allow/deny controls and network access restrictions.
Encryption
- TLS 1.2+ (TLS 1.3 preferred) for data in transit.
- AES-256 or stronger encryption for data at rest, including backups.
- Secure file transfer supported (e.g., SFTP) where applicable.
Compliance Benefits
Risk Reduction
Preventive controls, approvals and auditability help reduce operational and security risk.
Operational Efficiency
Standardised workflows streamline approvals and simplify evidence collection for audits.
Audit-Ready
Comprehensive logs, reviews and reports available to support internal and external audits.
Security & Governance Overview
Access Control
- Documented access administration with approvals and traceability.
- Least-privilege, job-aligned roles; periodic recertification of access.
- Strong credential handling; external users authenticated via IdP.
- High-privilege access governed through customer identity provider.
Information Security Governance
- Controls aligned to recognised frameworks (e.g., ISO 27001, SOC 2).
- Multi-tenant protections including logical isolation, RBAC and encryption.
- Security control health and status available to support customer monitoring.
- Contractual clarity on data ownership, roles and exit procedures.
Logging & Monitoring
- Audit logs capture user, action and timestamp with integrity protections.
- Security monitoring with alerting; KPI and SLA reporting where applicable.
- Protective controls include IDS/IPS, endpoint protection and anti-DDoS.
Incident Management
- Formal incident response procedures with rapid assessment and containment.
- Customer notification of security or privacy incidents in line with contract.
- Support for forensic preservation and audit requests under agreed terms.
Network & Application Security
- Layered defenses including WAF, firewalls, secure proxy and network segmentation.
- Separation of management and production traffic; hardened services and endpoints.
- Malware defenses with scheduled scanning and tamper-resistance.
Backup, DR & Business Continuity
Backups & Retention
- Regular full and incremental backups; encrypted at rest and tested.
- Schedules and retention configurable to customer policy.
Continuity Targets
- Service recovery aligned to defined RTO/RPO and documented runbooks.
- Redundancy and contingency plans maintained and periodically exercised.
Capacity, Patching & Vulnerability Management
Capacity & Availability Management
Scalable architecture with load balancing and monitoring to sustain peak loads.
Patch and Configuration Management
Change control with staged patching, configuration baselines and compliance tracking.
Vulnerability Management
Routine scanning, prioritised remediation and verification prior to closure.
Security & Compliance
Built with controls aligned to recognised standards, CARL helps protect data end-to-end and stay audit-ready.
Role-based access & audit trails
Federated SSO (SAML/OIDC) via your IdP
TLS in transit & AES-256 at rest
Access Governance
JML workflow, least-privilege RBAC, approvals and periodic recertifications.
Identity & SSO
Integrates with enterprise IdP (SAMLv2/OIDC). MFA and password policy enforced by directory.
Network & App Security
WAF, firewalls, IDS/IPS, segmentation, anti-DDoS and hardened endpoints.
Backups & DR
Encrypted full/incremental backups, tested restores; retention per policy and RPO/RTO.
Logging & Monitoring
Auditable logs with integrity protections and KPI reporting.
Hosting
Primary in-region hosting with secondary region for disaster recovery.