PropoDoc provides self-help document templates and tools. It is not a law firm and does not provide legal advice. Learn more.
Skip to main content
Example
guide

Technical Security Plan Example — SaaS Platform

Example document for Technical Security Plan. Use this as a reference when creating your own.

Professional Review Recommended

This document may have legal or financial implications. We recommend having a qualified professional review the final version before use.

Document: Technical Security Plan

Example Document

Last updated 6/4/2026

Technical Security Plan — Tidecast SaaS Platform

System / product: Tidecast — a multi-tenant scheduling SaaS for clinics Owner: Priya Nair, Head of Engineering Version: 1.2 Last reviewed: 28 May 2026 Next review: 28 November 2026


1. Scope & overview

This plan covers the Tidecast production platform: the web application, its API, the primary database, the file store for clinic documents, and the supporting infrastructure on our cloud provider. It does not cover employee laptops or the corporate email system, which are governed by the company-wide IT policy. Engineering owns this plan; the Head of Engineering is accountable.

2. Assets & data classification

AssetData it holdsClassificationOwner
Primary databaseClinic accounts, patient appointment recordsConfidentialEngineering
File storeUploaded consent forms and clinic documentsConfidentialEngineering
Analytics warehouseDe-identified, aggregated usage metricsInternalData team
Marketing sitePublic pagesPublicMarketing

Patient names and contact details are treated as Confidential. We do not store payment card data; billing is delegated to a PCI-compliant payment provider.

3. Access control & least privilege

  • Identity: Staff authenticate through our identity provider with mandatory MFA. Customers log in to the app with email and password plus optional MFA.
  • Roles: Three internal roles — Support (read-only on a single tenant when a ticket is open), Engineer (no standing production data access), and Admin (break-glass only, two-person approval).
  • Least privilege: Production database access is default-deny. Engineers request time-boxed, audited access through a just-in-time tool; access expires automatically after four hours.
  • Service-to-service: Each service uses a scoped credential stored in the secrets manager. No shared "god" keys exist.
  • Review cadence: Access is reviewed monthly. Leavers are de-provisioned within one hour of their last day via the identity provider.

4. Data protection & encryption

  • At rest: Database and file store are encrypted with provider-managed keys (AES-256). Backups inherit the same encryption.
  • In transit: TLS 1.2+ enforced on all public endpoints; internal service traffic runs over mutual TLS.
  • Secrets: All credentials and keys live in a managed secrets store, rotated every 90 days; nothing sensitive is committed to source control, enforced by a pre-commit scan.
  • Backups: Encrypted nightly backups are retained for 30 days in a separate region with restricted access.

5. Network & infrastructure security

  • Segmentation: Production runs in an isolated network. Staging and development are separate accounts with no path to production data.
  • Ingress / egress: Only the load balancer is internet-facing. Databases sit in private subnets with no public route. Egress is restricted to known endpoints.
  • Hardening: Services run from patched, minimal base images rebuilt weekly; default accounts and unused ports are disabled.

6. Monitoring & logging

  • What is logged: Authentication and MFA events, admin and break-glass actions, data-access queries, and application errors.
  • Where logs go: A centralised log store that engineers can read but not modify; log integrity is protected.
  • Retention: Security logs are kept for 12 months.
  • Alerting: Failed-login spikes, break-glass use, and disabled-control events page the on-call engineer through the alerting channel within minutes.

7. Vulnerability management

  • Dependency scanning: Automated scans run on every pull request and nightly against the deployed images.
  • Patch cadence: Critical findings are patched within 48 hours, high within 7 days, routine within 30.
  • Triage: The on-call engineer triages findings; severity follows CVSS, adjusted for our exposure.

8. Incident response plan

StepActionOwner
DetectAlert fires or a report arrives; declare an incident in the response channelOn-call
ContainRevoke affected credentials, isolate the affected service, snapshot evidenceIncident lead
EradicateRemove the root cause (patch, rotate keys, close the gap)Engineering
RecoverRestore from clean state, confirm controls, monitor closelyEngineering
ReviewBlameless post-incident review within 5 working days; track fixes to closureHead of Engineering

Escalation contacts: On-call engineer (rotation), Incident lead (Priya Nair), and the executive sponsor for customer-impacting events. Notification: Customers affected by a confirmed data breach are notified without undue delay, with the facts known and the steps being taken; regulatory notification follows applicable law.

9. Compliance mapping

ControlFramework referenceStatus
Monthly access reviewsSOC 2 — Logical accessImplemented
Encryption at rest and in transitSOC 2 — ConfidentialityImplemented
Centralised, tamper-evident loggingSOC 2 — MonitoringImplemented
Documented incident responseSOC 2 — Incident managementImplemented
Formal risk assessment cycleISO 27001 — Risk treatmentIn progress

Notes

An illustrative worked example for a fictional SaaS platform; the controls shown are examples and this document is not a compliance certification.

About this Example

Part of the Technical Security Plan document collection

Document Type

Technical Security Plan

The controls, policies, and responses that protect your systems and data.

Complexity

moderate

Risk Level

medium