Security

Last updated: 1 January 2026

1. Our commitment

PCM treats client and project information as a critical trust. We operate a documented information-security program aligned with the principles of ISO/IEC 27001 and the NIST Cybersecurity Framework, scaled appropriately to the sensitivity of mission-critical, healthcare, and infrastructure engagements.

2. Governance

  • Named security lead with executive accountability.
  • Annual risk assessments covering people, process, and technology.
  • Confidentiality and acceptable-use obligations in every employment and sub-consultant agreement.
  • Mandatory security and data-protection training on hire and annually thereafter.

3. Access control

  • Least-privilege access to project workspaces, granted per engagement and reviewed quarterly.
  • Single sign-on and multi-factor authentication enforced on all production systems.
  • Joiner / mover / leaver process with same-day revocation of credentials.

4. Data protection

  • Encryption in transit using TLS 1.2 or higher.
  • Encryption at rest using AES-256 (or provider equivalent) for stored project data.
  • Segregated client workspaces; no commingling of project records.
  • Backups taken on a defined schedule with periodic restoration testing.

5. Infrastructure

Production workloads run on reputable cloud providers operating SOC 2 Type II and ISO/IEC 27001-certified facilities. Network access is restricted via private networking, firewall rules, and continuous logging. System and dependency patches are applied on a risk-prioritised schedule.

6. Secure development

  • Version-controlled code with mandatory peer review.
  • Automated dependency scanning and secret detection in CI.
  • Separation of development, staging, and production environments.

7. Incident response

We maintain a written incident-response plan covering detection, containment, eradication, recovery, and notification. Confirmed incidents affecting client data are communicated to the impacted client without undue delay and, where required by law, to the relevant supervisory authority.

8. Business continuity

Critical project documentation is replicated across geographically separated storage. Recovery objectives are reviewed with clients during engagement onboarding for projects with elevated continuity requirements.

9. Responsible disclosure

We welcome reports from security researchers acting in good faith. If you believe you have identified a vulnerability affecting our website, portal, or services, please contact us via the contact page with the subject line "Security Disclosure". We ask that you:

  • Provide sufficient detail to reproduce the issue.
  • Avoid privacy violations, service degradation, or destruction of data.
  • Allow us a reasonable period to remediate before any public disclosure.

We will acknowledge receipt within five (5) business days and keep you informed of remediation progress.

10. Contact

For security questionnaires, due-diligence requests, or compliance documentation, please reach out via the contact page.