Security & Compliance

Built for sovereign deployment.

Sirius is designed for the most security-conscious organisations in Singapore — defence, public safety, critical infrastructure. On-premise by default. Air-gap capable. Your data never leaves your network.

ISO 27001-aligned
Controls mapped to ISO 27001:2022. Third-party audit available on request.
Air-Gapped Ready
Zero outbound connections required. Deploys inside classified networks.
Data Sovereign
Data stays on your infrastructure. No cross-border transfer. No cloud dependency.
Full Audit Trail
Every operator action, every alert, every configuration change logged immutably.
99.9% Uptime SLA
Production deployments backed by 99.9% uptime SLA with credits and reporting.
Penetration Tested
Annual third-party penetration testing. Remediation reports shared under NDA.
01 · Security Controls

Four pillars. One hardened platform.

01 / Identity & Access

Authentication & Authorization

  • SSO via SAML 2.0 / OIDC — integrates with your IdP
  • Multi-factor authentication (TOTP, FIDO2)
  • Role-based access control — per-site, per-camera, per-feature
  • Just-in-time access workflows with approval chains
  • Service account isolation for API integrations
02 / Data

Encryption & Storage

  • AES-256 encryption at rest (LUKS for full-disk, per-object for archives)
  • TLS 1.3 for all internal traffic; mTLS between services
  • Configurable retention by data class (video, metadata, events)
  • Cryptographic audit log signing — tamper-evident
  • Data locality pinning for multi-region deployments
03 / Network

Deployment & Isolation

  • On-premise installation on your hardware or ours
  • Air-gapped deployment — no outbound connectivity required
  • Network segmentation for classified environments
  • IPv4/IPv6 dual stack; hardened OS baseline
  • Offline update channel via signed package bundles
04 / Operational

Audit & Compliance

  • Immutable audit log — every action, every user, every time
  • Forensic export packages for post-incident inquiry
  • Session recording for high-privilege operations
  • Regulator-ready compliance reports (BCA, ISO, internal)
  • SBOM & CVE tracking for every release
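What "tamper-evident" means for the audit log in practice is that each entry is cryptographically bound to the one before it, so an edit, a deletion, or a reordering breaks the chain. The following is an added example written for this page, not Sirius code: a hash-chained log in which each entry's authenticator covers the previous entry's authenticator. HMAC-SHA256 with a single constructed key stands in for the asymmetric signature the page describes (in a real deployment the log service would sign with a private key and auditors would verify with the public key). The sample events, actors and key are all constructed.

```python
import hashlib
import hmac
import json
from typing import List, Optional

# Constructed key for illustration only; a production log would use an
# asymmetric signing key held by the audit service (assumption).
LOG_KEY = b"example-audit-key-not-for-production"
GENESIS = "0" * 64  # "prev" value of the very first entry


def _canonical(entry: dict) -> bytes:
    """Stable serialisation so the same fields always MAC identically."""
    return json.dumps(entry, sort_keys=True, separators=(",", ":")).encode()


def append_entry(log: List[dict], actor: str, action: str, target: str, ts: str) -> dict:
    """Append an entry whose MAC also covers the previous entry's MAC (hash chain)."""
    prev = log[-1]["mac"] if log else GENESIS
    body = {"seq": len(log), "ts": ts, "actor": actor,
            "action": action, "target": target, "prev": prev}
    mac = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
    entry = dict(body, mac=mac)
    log.append(entry)
    return entry


def verify_log(log: List[dict], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the log is intact, otherwise the index of the first bad entry.

    Detects in-place edits (MAC mismatch), deletions and reordering (seq or
    prev mismatch). Silent truncation of the tail is only detectable when the
    verifier holds the last known MAC from an external anchor (expected_head),
    e.g. a checkpoint written to WORM storage; without it a shortened log still
    verifies, which is why a head anchor matters in practice.
    """
    prev = GENESIS
    for i, entry in enumerate(log):
        body = {k: v for k, v in entry.items() if k != "mac"}
        if entry.get("seq") != i or body.get("prev") != prev:
            return i
        expected = hmac.new(LOG_KEY, _canonical(body), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, entry.get("mac", "")):
            return i
        prev = entry["mac"]
    if expected_head is not None and prev != expected_head:
        return len(log)  # entries after this index are missing
    return None


def build_sample_log() -> List[dict]:
    """Constructed sample events, not real Sirius data."""
    log: List[dict] = []
    append_entry(log, "ops.lee", "login", "console", "2024-05-01T08:00:00Z")
    append_entry(log, "ops.lee", "camera.view", "site-A/cam-07", "2024-05-01T08:01:10Z")
    append_entry(log, "admin.tan", "retention.change", "video:30d->90d", "2024-05-01T08:05:00Z")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print("intact:", verify_log(log))
    tampered = [dict(e) for e in log]
    tampered[1]["actor"] = "nobody"
    print("edited entry detected at:", verify_log(tampered))
    print("truncation with head anchor:", verify_log(log[:2], expected_head=log[-1]["mac"]))
```

The point a reviewer should take from the truncation case is that a signed chain alone proves nothing about completeness; the latest MAC (or signature) has to be anchored somewhere the log writer cannot rewrite, such as a periodic checkpoint shipped to a separate system or to write-once media.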
02 · Deployment Models

Choose your security posture.

Same platform. Three deployment modes. Most customers start with on-premise; defence customers begin air-gapped from day one.

Most Common

On-Premise

Installed on your infrastructure. Full operator control. Optional vendor-managed patching via secure channel. Ideal for enterprise and government.

Linux · Bare metal or VM · No external connectivity required
Defence & Classified

Air-Gapped

Fully isolated. No outbound connections. Offline update packages delivered via signed physical media. Used in classified defence deployments.

Hardened OS · SBOM attestation · Signed updates
Hybrid

Edge + Central

Edge Sirius nodes at each site, federated to a central operator instance. Site data stays local; events and metadata aggregate centrally.

Distributed · Site-local retention · Central visibility
03 · Compliance & Certifications

Frameworks we align to.

Sirius is built to the controls enterprise and government procurement teams actually check. Status below updated quarterly — full evidence available under NDA.

Framework               Region                Scope                                          Status
ISO/IEC 27001:2022      International         Information security management                In Audit
ISO/IEC 27017           International         Cloud & on-prem controls                       Aligned
SOC 2 Type II           Global (AICPA)        Security · Availability · Confidentiality      In Audit
Singapore PDPA          Singapore             Personal Data Protection Act                   Compliant
IM8 · Govt TRM          Singapore · GovTech   Government IT security baseline                Aligned
CSA STAR Level 2        International         Cloud Security Alliance attestation            Planned Q3
GDPR                    European Union        Data subject rights · processor obligations    Compliant
NIST CSF 2.0            US (reference)        Cybersecurity Framework controls               Mapped
04 · Vulnerability Management

Continuous assurance, not annual paperwork.

Independent penetration tests, responsible disclosure, and a real vulnerability management SLA — because a compliance badge isn't the same as operational security.

Annual VAPT

Third-party penetration testing

Full black-box and grey-box penetration tests conducted by a CREST-accredited Singapore firm every 12 months. Critical releases trigger targeted re-tests. Findings classified by CVSS severity with remediation SLA attached.

  • Cadence: Annual full-scope + per-release delta
  • Method: Black-box · grey-box · authenticated
  • Auditor: CREST-accredited, SG-based
  • Report access: Executive summary shared under NDA
Remediation SLA

Fix windows by severity

Every finding gets an owner, a patch window, and verification. SLAs are contractual for enterprise deployments. Monthly assurance reports delivered to security stakeholders.

  • Critical: Patch within 72 hours · hotfix channel
  • High: Patch within 14 days
  • Medium: Patch within 30 days
  • Low: Patch within 90 days or next release
Supply Chain

SBOM & CVE monitoring

Every Sirius release ships with a signed Software Bill of Materials. Dependencies monitored continuously against CVE feeds (NVD, GitHub Advisory DB). Known-vulnerable components flagged in release notes.

  • SBOM: CycloneDX 1.5 · cryptographically signed
  • Monitoring: Daily CVE feed scan
  • Disclosure: 7-day lead time on affected-customer notices
  • Base OS: Hardened Linux · CIS-benchmark aligned
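The daily feed scan described above comes down to one join: every component in the release SBOM against every advisory whose affected version range contains that component's version, with the hit carried into the release notes alongside the remediation window from the severity table. The following is an added example, not Sirius code: it parses a constructed CycloneDX 1.5 JSON fragment, matches components by purl against a constructed, locally mirrored advisory list (the advisory IDs are placeholders, not real CVEs), and attaches the patch window from the SLA section. It assumes plain dotted numeric versions; real feeds such as OSV or NVD carry richer range syntax and purl qualifiers that a production matcher has to handle.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX 1.5 fragment for the example (not a real Sirius SBOM).
SBOM_JSON = """{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "components": [
    {"type": "library", "name": "openssl",  "version": "3.0.9",  "purl": "pkg:generic/openssl@3.0.9"},
    {"type": "library", "name": "libwebp",  "version": "1.3.1",  "purl": "pkg:generic/libwebp@1.3.1"},
    {"type": "library", "name": "requests", "version": "2.31.0", "purl": "pkg:pypi/requests@2.31.0"}
  ]
}"""

# Constructed advisories normalised to (package purl without version,
# first vulnerable version, first fixed version). IDs are placeholders.
ADVISORIES = [
    {"id": "EXAMPLE-2023-0001", "purl": "pkg:generic/libwebp", "introduced": "0.0.0", "fixed": "1.3.2", "severity": "critical"},
    {"id": "EXAMPLE-2023-0002", "purl": "pkg:generic/openssl", "introduced": "3.0.0", "fixed": "3.0.8", "severity": "high"},
    {"id": "EXAMPLE-2024-0003", "purl": "pkg:pypi/requests",   "introduced": "2.3.0", "fixed": "2.32.0", "severity": "medium"},
]

# Patch windows from the remediation SLA on this page, in days (72 h = 3 d).
SLA_DAYS = {"critical": 3, "high": 14, "medium": 30, "low": 90}


def parse_version(v: str) -> Tuple[int, ...]:
    """'2.31.0' -> (2, 31, 0). Non-numeric parts sort as 0 (assumption)."""
    parts = []
    for p in v.split("."):
        digits = "".join(ch for ch in p if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(version: str, introduced: str, fixed: str) -> bool:
    """Half-open range: introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(introduced) <= v < parse_version(fixed)


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Validate the envelope and return (purl-without-version, version, name) per component."""
    sbom = json.loads(sbom_json)
    if sbom.get("bomFormat") != "CycloneDX" or sbom.get("specVersion") != "1.5":
        raise ValueError("expected a CycloneDX 1.5 document")
    out = []
    for c in sbom.get("components", []):
        purl = c.get("purl")
        if not purl or "@" not in purl:
            continue  # cannot match without a purl; a real pipeline would flag this
        base, _, version = purl.rpartition("@")
        out.append({"purl": base, "version": version, "name": c.get("name", base)})
    return out


def release_note_flags(sbom_json: str, advisories: List[dict]) -> List[dict]:
    """Components whose version falls in an advisory range, with the SLA window attached."""
    flags = []
    for comp in load_components(sbom_json):
        for adv in advisories:
            if adv["purl"] == comp["purl"] and is_vulnerable(comp["version"], adv["introduced"], adv["fixed"]):
                flags.append({
                    "component": f'{comp["name"]}@{comp["version"]}',
                    "id": adv["id"],
                    "severity": adv["severity"],
                    "fixed_in": adv["fixed"],
                    "sla_days": SLA_DAYS[adv["severity"]],
                })
    return flags


if __name__ == "__main__":
    for f in release_note_flags(SBOM_JSON, ADVISORIES):
        print(f'{f["severity"].upper():8} {f["component"]:16} {f["id"]}  fix in {f["fixed_in"]}  patch within {f["sla_days"]}d')
```

Note that openssl 3.0.9 is not flagged because it is at or past the advisory's fixed version; that "fixed" boundary is where most false positives and false negatives in SBOM scanning come from, so a matcher should be tested against both sides of it.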
Responsible Disclosure

Coordinated reporting channel

Security researchers can report findings via our responsible disclosure policy. Acknowledgement within 48 hours, initial triage within 5 business days. No prosecution for good-faith research within scope.

  • Contact: security@nete2asia.com (PGP)
  • Ack SLA: 48 hours
  • Triage: 5 business days
  • Scope: Production infra · demo site · API
Security Review

Need a security review, audit pack, or the evidence?

Architecture document, latest SBOM, pen-test executive summary, compliance evidence — shared under NDA within 48 hours of request.