Security and trust,
built into how
we operate.
Intras Cloud Services delivers managed cloud, security, and AI-driven business operations to mid-market organizations. This Trust Center gives customers, prospects, and auditors transparent, evidence-backed visibility into our controls, certifications, and operating posture.
How we protect your data, end to end.
Our security program is built on layered defense, zero-trust access, and continuous monitoring — operationalized through Microsoft 365 E5 security, Azure-native controls, and documented policies.
Defense in depth
Layered controls across identity, endpoint, network, application, and data — built on Microsoft 365 E5 security, Defender XDR, and continuous SIEM monitoring.
Encryption by default
TLS 1.2+ in transit; AES-256 at rest. Customer secrets isolated in cloud-native key vaults with role-based access and audit logging.
Zero-trust access
MFA enforced for 100% of workforce identities. Conditional access, device compliance, and least-privilege role assignments reviewed quarterly.
Continuous monitoring
24x7 SIEM aggregation of identity, endpoint, network, and SaaS logs. Alerts triaged through documented incident response runbooks.
Personnel security
Background checks for all employees and contractors. Annual security and AML awareness training with documented completion tracking.
Documented program
Written information security policy, vendor management standard, incident response plan, and BCP/DR program reviewed at least annually.
SOC 2 Type II, verified — and only what's verified.
We maintain SOC 2 Type II to the AICPA Trust Services Criteria. Reports are shared with prospects and customers under mutual NDA. We do not claim other frameworks we have not formally achieved.
SOC 2 Type II
ActiveAICPA TSP 100, 2017 Trust Services Criteria
Security, Availability, and Confidentiality Trust Service Criteria covering managed cloud services, customer support, and internal business systems.
Scoped, mapped, and monitored.
Our SOC 2 Type II report covers the Security, Availability, and Confidentiality criteria. Processing Integrity and Privacy are explicitly out of scope today.
Security
Information and systems are protected against unauthorized access, unauthorized disclosure, and damage that could compromise availability, integrity, confidentiality, and privacy.
Availability
Information and systems are available for operation and use to meet the entity's objectives.
Confidentiality
Information designated as confidential is protected to meet the entity's objectives.
Processing Integrity
System processing is complete, valid, accurate, timely, and authorized to meet the entity's objectives.
Privacy
Personal information is collected, used, retained, disclosed, and disposed of to meet the entity's objectives.
Vendors who process data on our behalf.
We carefully select subprocessors and review them annually. Reach out to trust@intrascloudservices.com to be notified of additions or material changes.
| Subprocessor | Purpose | Data categories | Region | |
|---|---|---|---|---|
Microsoft Azure Cloud Infrastructure | Primary cloud hosting and managed services delivery | Customer configuration, telemetry, application data | United States (East US, South Central US) | Visit |
Microsoft 365 Productivity | Email, document collaboration, identity | Business email content, customer correspondence, files | United States | Visit |
Microsoft Defender XDR Cloud Infrastructure | Endpoint protection, EDR, identity threat detection | Endpoint and identity telemetry | United States | Visit |
Microsoft Sentinel Cloud Infrastructure | SIEM and security log aggregation | Security event logs and metadata | United States | Visit |
Zoho Corporation Business Systems | Business operations (Books, Projects, Desk, People, Campaigns, CRM) | Customer business contact and engagement data | United States | Visit |
GitHub Developer Tools | Source code management and CI/CD | Source code, deployment artifacts (no customer data) | United States | Visit |
Cloudflare Cloud Infrastructure | DNS, CDN, and DDoS protection for customer-facing properties | Connection metadata, request logs | Global edge | Visit |
Google Workspace Productivity | Calendar and supplemental collaboration for select teams | Calendar metadata, attendee email addresses | United States | Visit |
Perplexity AI / Analytics | AI-assisted internal research and operations tooling | Internal research prompts (no customer data submitted) | United States | Visit |
Primary cloud hosting and managed services delivery
Email, document collaboration, identity
Endpoint protection, EDR, identity threat detection
SIEM and security log aggregation
Business operations (Books, Projects, Desk, People, Campaigns, CRM)
Source code management and CI/CD
DNS, CDN, and DDoS protection for customer-facing properties
Calendar and supplemental collaboration for select teams
AI-assisted internal research and operations tooling
Continuous detection. Honest disclosure.
We do not currently engage a third-party penetration testing firm. Our vulnerability management program focuses on continuous detection, prioritization, and remediation across endpoints, identity, cloud workloads, and SaaS systems.
How we find and fix
Workforce endpoints, Microsoft 365 tenant, Azure subscriptions, customer-facing web properties, and internal business systems.
- Continuous vulnerability scanning
Microsoft Defender Vulnerability Management runs continuously across all enrolled endpoints and identifies CVEs against installed software inventory.
- Cloud security posture management
Microsoft Defender for Cloud monitors Azure subscriptions for misconfigurations and benchmarks against the Microsoft Cloud Security Benchmark.
- Endpoint detection & response
Microsoft Defender for Endpoint provides EDR coverage on 100% of managed workforce devices.
- SIEM correlation
Microsoft Sentinel ingests identity, endpoint, network, and SaaS logs. Alerts triaged through documented runbooks.
- Patch management
Critical OS and browser patches deployed within 14 days; high severity within 30 days; standard within 90 days.
- Responsible disclosure
Security researchers can report findings to security@intrascloudservices.com. We acknowledge within 2 business days.
Found a vulnerability? Email our security team. We acknowledge within 2 business days and won't pursue good-faith research.
security@intrascloudservices.comTraining across every role.
Our security awareness program is built into onboarding, refreshed annually, and reinforced with quarterly phishing simulations across the entire workforce.
Program at a glance
Internal Zoho-based learning paths combined with role-specific modules. Phishing simulations delivered through Microsoft Defender for Office 365 Attack Simulation Training.
Topics covered
- Acceptable use, password hygiene, and MFA
- Phishing, smishing, vishing, and AI-enabled social engineering
- Data classification, handling, and confidentiality
- Endpoint and physical device security
- Incident reporting expectations and channels
- AML / sanctions awareness for relevant roles
- Privacy, secure collaboration, and AI tool usage standards
A shared view of what's next.
Past and upcoming compliance milestones — audits, policy refreshes, training cycles, and program changes — visible to customers and auditors at any time.
- Audit·UpcomingMar 1, 2027
SOC 2 Type II annual renewal
Next 12-month observation window concludes; renewal report targeted by end of Q1 2027.
- Program·UpcomingSep 1, 2026
First third-party penetration test (planned)
Initial external penetration test engagement scheduled. Redacted summary to be published here on completion.
- Audit·UpcomingJul 1, 2026
Mid-year SOC 2 readiness checkpoint
Internal control walkthroughs and evidence sampling against SOC 2 controls.
- Training·UpcomingMay 15, 2026
Q2 phishing simulation
Quarterly phishing simulation across all workforce mailboxes.
- Audit·CompletedMar 12, 2026
SOC 2 Type II report issued
Final report covering March 2025 – February 2026 issued by independent auditor.
- Policy·CompletedFeb 15, 2026
Annual policy refresh
Information Security Policy, Access Control Standard, and Incident Response Plan reviewed and re-approved by leadership.
- Training·CompletedFeb 1, 2026
Annual security awareness training cycle
All employees and active contractors completed annual training and acknowledgment.
- Subprocessor·CompletedJan 10, 2026
Subprocessor list refresh
Subprocessor inventory reviewed; no new subprocessors added.
System availability, in the open.
Service availability and a transparent summary of any incidents over the trailing 12 months.
Recent incidents
- Nov 4, 2025·Duration: 27 min
Brief degraded performance on customer ticket portal
Impact — Slow response from one regional endpoint; no data loss
Resolution — Capacity issue with upstream SaaS provider. Failed over to secondary region; coordinated remediation with provider.
- Jun 18, 2025·Duration: 1h 12min
Email delivery delay
Impact — Outbound notifications delayed; queued and re-delivered
Resolution — Upstream Microsoft 365 transport delay. No customer data exposure. Internal alerting tuned.