Annature’s security practices are designed to safeguard customer data, uphold privacy, and ensure uninterrupted service delivery. As an ISO/IEC 27001-certified organisation, we implement layered security controls across our infrastructure, applications, and internal processes — continuously monitoring and refining how we detect, prevent, and respond to threats.
Infrastructure & Hosting
Annature is hosted exclusively on Amazon Web Services (AWS) within the ap-southeast-2 (Sydney) region. Our platform is containerised using Docker, orchestrated through AWS Elastic Container Service (ECS), and deployed within auto-scaling groups governed by CloudWatch alarms to ensure high availability and cost efficiency.
Instances are automatically replaced once they reach 30 days of uptime, ensuring patch compliance and image freshness. Operating system patches are applied automatically upon scale-in. Our secrets are managed securely using both AWS Secrets Manager and Systems Manager (SSM) Parameter Store, depending on the sensitivity and usage context.
Our platform is designed for fault tolerance, with a multi-AZ architecture, auto-healing infrastructure, and documented disaster recovery protocols governed by our Business Continuity Plan.
Security Architecture
Annature applies a defence-in-depth model to protect our environment:
- Web Application Firewall (WAF): We use AWS WAF across our infrastructure with IP-based blocking, rate limiting, and attack detection controls.
- DDoS Protection: AWS Shield is enabled by default to defend against large-scale distributed denial-of-service attacks.
- Vulnerability Scanning: Our infrastructure and containers are scanned regularly using industry-standard tools and frameworks, ensuring timely identification and remediation of known vulnerabilities.
- Penetration Testing: We conduct annual penetration tests in line with our ISO 27001 requirements. These are performed by independent third parties to ensure unbiased analysis and full coverage of risks.
- Dependency Monitoring: All third-party libraries and packages are continuously monitored for vulnerabilities using industry-standard practices. We maintain a proactive patching policy for critical and high-severity issues.
Identity & Access Management
Access to systems and customer data is governed by strict role-based access controls (RBAC), the principle of least privilege, and enforced multi-factor authentication (MFA):
- MFA is mandatory for all internal systems regardless of classification.
- We use Google Workspace for internal identity and access federation.
- The customer-facing Annature dashboard supports both SSO and MFA. Customers can enable and enforce their own authentication policies for added control.
All access events are logged and monitored for anomalies, and permissions are reviewed periodically.
Secure Development & CI/CD
Annature’s development process prioritises both speed and security:
- We use GitHub for source control and Jenkins for CI/CD deployments.
- Our CI/CD pipeline is isolated, monitored, and protected by automated access controls.
- Every code change is peer-reviewed through pull requests.
- Our deployment pipeline enforces rigorous testing before changes reach production. We deploy to production multiple times per day, enabling fast iteration while maintaining stability and control.
Security Awareness
Security isn’t just a technical concern — it’s part of our culture. All employees undergo regular security awareness training as part of our ISO 27001-aligned ISMS. This includes modules on phishing prevention, social engineering, data handling, and secure software development practices.
Regular phishing simulations and behavioural testing are conducted to measure security awareness and ensure staff are equipped to recognise and respond to evolving threats.