Security is a platform characteristic, not a feature layer.

CloudTwyst is built from the ground up for enterprise security requirements — from granular access control to data sovereignty, audit evidence, and secure integrations. Security is not added on top. It is structural.

Enterprise security requirements — built into every layer.

CloudTwyst's security model is designed around four principles: controlled access, transparent audit, policy-driven governance, and secure data handling.

Role-Based Access Control
Granular permission models enforced at the workspace, module, and resource level. Every user sees only what their role permits — no trust-based access, no shared credentials.
  • Workspace-level role definitions with module scoping
  • Resource-level permission enforcement
  • SAML and OIDC federation with your identity provider
  • Attribute-based access for fine-grained data filtering
  • Administrative separation of duty enforcement

Immutable Audit Trails
Every action, approval, exception, and configuration change is logged with timestamp, actor identity, and full context. Tamper-evident records designed for regulatory evidence and forensic investigation.
  • Immutable log storage with cryptographic integrity verification
  • Full actor attribution for every platform action
  • Change management logging with before/after state capture
  • Exportable audit packages for compliance audits
  • Configurable retention with archival policy support

Policy-Driven Access Control
Zero-standing-access patterns enforced through the platform. Time-bound entitlements, just-in-time approval, and automated access expiry reduce the attack surface created by over-privileged accounts.
  • JIT access with configurable approval workflow
  • Automated time-bound access expiry
  • Privileged access review campaigns
  • Orphaned account detection and auto-remediation
  • Break-glass access with elevated audit logging

Secure Integrations & Data Handling
All cloud provider connections use OAuth 2.0 with least-privilege scopes. Data is encrypted at rest (AES-256) and in transit (TLS 1.3). BYOK encryption supported for regulated environments.
  • OAuth 2.0 with minimal permission scope per integration
  • AES-256 encryption at rest, TLS 1.3 in transit
  • BYOK encryption key management for regulated environments
  • Data residency controls — EU hosting available
  • No persistent storage of cloud provider credentials

Pre-mapped controls for the frameworks that matter to enterprise.

CloudTwyst maps platform controls to major compliance frameworks — reducing the effort required to demonstrate compliance and collect audit evidence.

| Framework | Support model | Evidence collection | Status |
| --- | --- | --- | --- |
| ISO 27001 — Information Security Management | Pre-mapped control library with continuous monitoring | Automated — real-time | Native |
| NIS2 — EU Network & Information Security | Risk management and incident controls mapped to platform | Automated — real-time | Native |
| DORA — Digital Operational Resilience Act | ICT risk and resilience controls with policy enforcement | Automated — on-demand | Native |
| GDPR — General Data Protection Regulation | Access control, audit trail, and data handling controls | Automated — audit export | Supported |
| SOC 2 Type II | Security, availability, and confidentiality trust criteria | Automated — continuous | Supported |
| CSRD — Carbon & Sustainability Reporting | Carbon footprint reporting from cloud workload data | Automated — scheduled | Native |

Review our full security documentation.

Book a security-focused technical session with the CloudTwyst team — we'll walk through our security model in detail and answer your organisation's specific questions.
