Security at Squash

Squash AI, Inc. builds automation for MSP service operations, which means security, access control, auditability, and vendor review have to be part of the operating model from day one.

Last updated June 12, 2026

Compliance program

Squash maintains a formal security and compliance program for company operations, product development, infrastructure, vendor management, and incident response.

The program is tracked in Vanta and supports ongoing SOC 2 and ISO 27001 readiness activities, including policy acceptance, employee security training, access review, risk review, and vendor evidence collection.

  • Policies and acceptance

    Company policies cover code of conduct, data management, secure development, risk management, third-party management, and incident response.

  • Readiness evidence

    Evidence is maintained for security training, access control, vendor review, risk tracking, policy ownership, and operational security controls.

  • Ongoing review

    Security controls are reviewed as the product, team, vendors, and customer environments change.

Access control

Squash limits access to production systems, cloud infrastructure, repositories, and customer data based on job need. Administrative access is scoped, reviewed, and protected with strong authentication.

  • SSO and MFA

    Administrative access uses identity-provider controls, multi-factor authentication, and role-based permissions where available.

  • Least privilege

    Access is scoped to the systems and environments needed for the work. Break-glass access is restricted to exceptional administrative cases.

  • Offboarding

    Employee and contractor access is removed when it is no longer needed.

Infrastructure security

Squash runs cloud infrastructure with environment separation, infrastructure-as-code review, and deployment controls. Production changes are intended to be auditable and repeatable.

  • Infrastructure as code

    Cloud infrastructure is managed through reviewed Terraform changes instead of one-off console mutations.

  • Encryption

    Squash uses HTTPS/TLS for data in transit and encryption at rest for managed cloud storage and database services where supported.

  • Logging and monitoring

    Operational logs, audit records, and deployment history are used to investigate issues and monitor important system activity.

Product data protection

Squash is designed for MSP environments where customer data, ticket data, tenant records, privileged admin actions, and client-specific workflows need clear boundaries.

  • Tenant boundaries

    Customer data is separated by tenant and customer context so work is performed inside the right MSP and client boundary.

  • AI data use

    Customer data, prompts, and outputs are not used to train foundation models.

  • Approval and audit trails

    Sensitive automation can require human approval, and execution records are retained to show what happened and why.

Vendors and incidents

Squash reviews vendors that support the product or company operations and maintains an incident response process for security events.

  • Vendor review

    Relevant third-party providers are reviewed for security fit, data handling, and operational importance.

  • Incident response

    Squash maintains an incident response plan for triage, containment, communication, remediation, and follow-up review.

  • Vulnerability management

    Security issues are prioritized by severity and product impact, then remediated through the normal engineering workflow.

More security questions?

For security questionnaires, vendor review, or responsible disclosure, please contact security@squash.ai.