ISO 27001:2022 Certified

Security & Trust at Bluepineapple

At Bluepineapple, security is foundational to everything we build. We are committed to protecting our customers' data through a comprehensive Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022. Our cloud-first, risk-aware culture embeds security into our people, processes, and technology — from secure software development and infrastructure hardening to continuous monitoring and third-party audits.

ISO 27001:2022: Certified
SOC 2 Type I: In Progress
49 Controls: Security Framework
India & Australia: Global Operations

About Bluepineapple

Bluepineapple (Nebbia Technologies India Pvt. Ltd. and Bluepineapple Pty Ltd) helps businesses adopt efficient cloud-based technologies. Headquartered in Pune, India, with a subsidiary in Australia, we deliver technology and consulting services to clients across Australia, New Zealand, and the United States.

Information Security Management System

Our ISMS is designed, implemented, and maintained in accordance with ISO/IEC 27001:2022, covering the design, delivery, and support of technology and consulting services.

Risk Management

We follow a structured risk management process — identifying, assessing, treating, and monitoring information security risks across all assets, processes, and third-party relationships.

Cloud-First Security

Leveraging AWS and Azure native security controls — encryption at rest and in transit, IAM, logging, monitoring, and automated backup and disaster recovery — to protect customer workloads.

People & Culture

All employees complete security and privacy awareness training. Background verification, confidentiality agreements, role-based access controls, and a clear code of conduct govern our team.

Continuous Improvement

Internal audits, management reviews, incident post-mortems, and corrective action processes drive ongoing improvement of our ISMS and security posture.

Data Protection

Data is classified, encrypted, and retained according to policy. Access is granted on a least-privilege basis with multi-factor authentication enforced across all systems.

Security Controls

Our security controls map to ISO 27001:2022 Annex A and SOC 2 Trust Services Criteria, covering governance, people, technology, and physical security.

Governance & Policy (10 controls)

  • ISMS Policy aligned with ISO 27001:2022
  • Information security roles and responsibilities defined
  • Segregation of duties and conflict of interest controls
  • Management review of ISMS at planned intervals
  • Internal audit programme for ISMS
  • Document control and version management
  • Continuous improvement / non-conformity and corrective action process
  • Vendor and third-party risk management
  • Legal, statutory, regulatory and contractual compliance
  • Information security in project management

Access Control & Identity (6 controls)

  • Role-based access control (RBAC) across all systems
  • Privileged access management with approval workflows
  • Multi-factor authentication enforced for all accounts
  • Automated joiner, mover, leaver (JML) provisioning
  • Periodic access reviews and recertification
  • Password policy enforcing strength, expiry, and uniqueness

Data Protection & Encryption (5 controls)

  • Data classification framework (Confidential, Internal, Public)
  • Encryption at rest using AWS KMS / Azure Key Vault
  • Encryption in transit (TLS 1.2+) for all communications
  • Key management with rotation, revocation, and access logging
  • Data retention, secure deletion, and disposal procedures

Cloud & Infrastructure Security (8 controls)

  • Cloud security policy covering AWS and Azure environments
  • Secure configuration baselines and hardening (CIS benchmarks)
  • Network segmentation, firewalls, and IDS/IPS
  • Vulnerability scanning and patch management
  • IT hardening procedure for laptops, servers, and endpoints
  • Mobile device management (MDM) via Intune
  • Anti-malware protection on all endpoints
  • Secure software development lifecycle (SDLC) with code review

Monitoring & Incident Response (6 controls)

  • Centralized log collection and monitoring (SIEM)
  • Alert rules for anomalous behaviour and security events
  • Incident management lifecycle: detect, contain, eradicate, recover
  • Post-incident analysis and lessons learned
  • Threat intelligence feed integration
  • Time synchronization across all systems (NTP)

Business Continuity & Resilience (4 controls)

  • Business Impact Analysis (BIA) for critical processes
  • Cloud-first disaster recovery strategy with defined RPO/RTO
  • Automated backup and restore procedures (AWS / Azure)
  • BCP/DR plan with annual testing and review

Physical & Environmental Security (5 controls)

  • Physical security perimeters and access control at office premises
  • Visitor management and escort policy
  • Clean desk and clear screen policy
  • Equipment and media handling procedure
  • Environmental protection against fire, flood, and power failure

Human Resources Security (5 controls)

  • Pre-employment screening and background verification
  • Confidentiality and code of conduct agreements
  • Information security awareness training (onboarding + annual)
  • Disciplinary process for security breaches
  • Exit management with access revocation and asset return

Compliance & Certifications

Bluepineapple is committed to maintaining internationally recognized security and privacy standards. Our compliance journey is audited by independent third parties.

ISO/IEC 27001:2022

Information Security Management
Status: Certified
Design, delivery, and support of technology and consulting services. Request the certificate via the Resources tab.

SOC 2 Type I

Security, Availability, Confidentiality
Status: In Progress
Audit underway with expected completion in Q3 2026.

DPDPA (India)

Digital Personal Data Protection Act
Status: Compliant
Privacy controls integrated into ISMS, covering data principal rights and consent management.

AU Privacy Act (APP)

Australian Privacy Principles
Status: Compliant
Australian Privacy Principles for client personal information, covered in Data Privacy Policy.

Audit & Assessment Cadence

Ongoing validation of our security controls through internal and external assessments.

Internal Audits

Quarterly internal audits of ISMS processes and controls, with findings tracked to closure.

Management Reviews

Bi-annual management review meetings evaluating ISMS performance, risks, and improvement opportunities.

External Audits

Annual surveillance audits by an accredited certification body to maintain ISO 27001:2022 certification.

Penetration Testing

Annual third-party penetration tests of external-facing infrastructure and applications.

Document Library

Key security documents available upon request. Please submit an access request and our security team will share the documents you need — typically within one business day.