Your Data. Our Responsibility.

Contour protects client data with enterprise-grade physical, network, and operational security controls.

Physical Security

Our office is a Grade A facility in Iloilo City with layered access controls. Every person who enters the building is identified, logged, and monitored.

  • ID badge entry at all access points. No badge, no entry.
  • CCTV monitoring throughout the facility, with footage retained per policy.
  • Dedicated workstations assigned to individual staff. No shared desks or hot-desking.
  • Clean desk policy enforced at end of every shift. No documents, notes, or client materials left on desks.
  • Equipment physically secured to desks to prevent removal.

Network & Data Security

We assume every connection is a potential exposure point and build controls accordingly.

  • Dual ISP fiber redundancy. If one provider drops, traffic routes through the second automatically.
  • VPN-only access to client systems. Staff cannot reach client environments outside the VPN tunnel.
  • No local data storage on workstations. Work happens on client systems and cloud platforms, not local drives.
  • USB ports disabled on all workstations. No data leaves via removable media.
  • Screenshot and screen capture tools blocked where required by client policy.
  • Encrypted connections using TLS 1.2 or higher for all data in transit.
  • No personal devices connected to client networks. Work devices are company-managed and locked down.

Employee Security

Every Contour employee goes through background verification and security onboarding before they access any client system.

Pre-Employment:
  • NBI (National Bureau of Investigation) clearance required for all staff.
  • Barangay clearance verification completed.
  • Professional reference checks conducted during recruitment.
Onboarding:
  • Non-Disclosure Agreement (NDA) signed before any client system access is granted.
  • Acceptable Use Policy acknowledged and signed.
  • Security awareness training completed during onboarding.
Ongoing:
  • Annual security refresher training for all staff.
  • Confidentiality obligations survive employment termination. NDAs remain binding after an employee leaves Contour.

Compliance Frameworks

We maintain compliance with Philippine law and align our operations with international standards that our clients require. Here is where we stand on each framework.

Certified / Registered

Framework | Status | Details
Philippine Data Privacy Act (RA 10173) | Registered | Registered with the National Privacy Commission (NPC). Data Protection Officer appointed. Privacy Impact Assessments conducted.
ISO 9001:2015 | Certified | Quality management system in place governing recruitment, onboarding, and service delivery processes.

Supported (Agreements Available)

Framework | Status | Details
GDPR | Supported | We follow GDPR principles for EU client data. A Data Processing Agreement (DPA) is available on request.
HIPAA | Supported | A Business Associate Agreement (BAA) is available for healthcare clients. Staff handling PHI receive additional training.

Aligned (Certification Planned)

Framework | Status | Details
SOC 2 | Aligned | Operational controls aligned with SOC 2 Trust Service Criteria. Formal certification is planned.
ISO 27001 | Aligned | Information security management practices follow ISO 27001 guidelines. Formal certification is on our roadmap.

If your organization requires a specific certification or compliance framework, contact us. We will tell you exactly where we stand and what we can accommodate.

Client-Specific Controls

Standard security works for most clients. Some need more. We accommodate custom requirements as part of every engagement.

  • Custom security requirements accepted. If you have a specific policy or checklist, we will review it and implement what is needed.
  • Dedicated VPN configurations per client. Each client environment is isolated.
  • Role-based access control. Staff only access the systems and data their role requires. Nothing more.
  • Activity logging and monitoring. We can implement time tracking, screen monitoring, or keystroke logging per your requirements.
  • Regular security reviews. We conduct periodic reviews of access permissions and security controls with your team.

Incident Response

If something goes wrong, we move fast and communicate clearly.

  • Dedicated incident response process documented and tested.
  • Security incident notification within 24 hours of confirmed breach or suspected compromise.
  • Full investigation and post-mortem report provided to affected clients.
  • Remediation and prevention plan developed and implemented after every incident.
  • Errors & Omissions (E&O) insurance coverage in place to protect clients financially.

We do not hide problems. If an incident occurs, you will know about it quickly, with full details and a clear plan to fix it.

Business Continuity

Iloilo City sits in a typhoon belt. We planned for that from day one.

Power:
  • UPS battery backup at every workstation for immediate protection against outages.
  • Generator power backup for extended outages. Operations continue without interruption.
Internet:
  • Dual ISP with automatic failover. If the primary connection drops, the secondary takes over within seconds.
Typhoon Protocol:
  • Advance preparation begins 48-72 hours before projected landfall.
  • Work-from-home activation for staff when office access is not safe.
  • Communication chain established with clients before, during, and after weather events.
Pandemic Protocol:
  • Fully tested during COVID-19. All staff transitioned to remote work with no service interruption.
  • Remote work capability maintained as a permanent contingency option.

Questions About Security?

We are happy to walk through our protocols with your IT or compliance team.

Schedule a Security Review