Data Security: How Cat Media Protects Your Data
At Cat Media, we understand that data is one of your most valuable assets. We take security seriously across the data we manage internally and the data we process for clients. As a HubSpot Solutions Partner and Microsoft Cloud partner, we use established cloud platforms, access controls, encryption, device management, and operational security practices to help protect client data and support compliant service delivery.
Here are some of the measures we take to protect your data
At Cat Media, we implement a robust security model called Zero Trust to safeguard our digital infrastructure and sensitive information. The Zero Trust approach is based on the principle of "Never trust, always check" which means that we continuously validate and verify the authenticity of every user, device, and connection, regardless of their location or access privileges. This methodology enables us to minimise potential risks and provide enhanced security across our entire network.
To achieve the highest level of protection in line with the Zero Trust model, we utilise an array of cutting-edge tools and services. These include Microsoft Entra ID, formerly Azure Active Directory, which serves as the backbone of our identity and access management, ensuring secure authentication and authorisation for all users. Single Sign-On (SSO) streamlines access to multiple applications with just one set of credentials, simplifying the user experience while bolstering security.
Additionally, Conditional Access allows us to enforce context-aware policies, granting or denying access based on factors such as user location, device health, and risk levels. We also incorporate Cloudflare Zero Trust to protect our web applications from external threats and secure our Internet traffic. Hardware Encryption is another key component in our security stack, as it safeguards data stored on our devices, preventing unauthorised access even if the hardware is compromised.
Segment
We segment our team and assign roles and permissions based on the principle of least privilege. This means that each member and team only has access to the data they need to perform their tasks, and nothing more. This reduces the risk of unauthorized access or misuse of data.
Azure Active Directory
We use Azure Active Directory with Conditional Access to manage our identity and access management. Azure AD is a cloud-based service that provides single sign-on (SSO), multi-factor authentication (MFA), passwordless authentication, conditional access policies, identity protection, and more. Conditional Access allows us to enforce granular rules based on user, device, location, app, or risk level to grant or deny access to resources.
MFA
We use Multi-Factor Authentication by default. By combining something the user knows, such as a password or PIN, with something they have, like a physical token or smartphone app, and something they are, such as a biometric identifier like a fingerprint or facial recognition. This layered approach to security makes it significantly more difficult for cybercriminals to gain access to sensitive information.
Centralise
We centralise all our assets in our SharePoint, a cloud-based platform that allows us to store, share, and collaborate on documents securely. SharePoint has built-in features such as version control, encryption, auditing, backup, and recovery that help us safeguard our data. Our data is mirrored up to three times to significantly reduce the possibility of losing data if something goes wrong.
Always up to date
We always keep our Windows, Mac and iOS devices up to date to avoid security vulnerabilities. We only run on supported versions of the software we use and decommission devices when they are at their end of support. Our centralised identity and device management controls help us audit device compliance and manage access based on security requirements.
Bit Locker
We also use Trusted Platform Module (TPM), Secure Boot, and Windows Hello to protect our data. TPM provides hardware-based security features such as storing encryption keys, digital certificates, and passwords. Secure Boot ensures that the firmware and operating system boot loader are signed and verified by a trusted authority before they are executed. Windows Hello is a feature that provides passwordless authentication using biometrics such as facial recognition, fingerprint, or PIN.
We also encrypt all our Windows-based workstations and servers using BitLocker encryption, which prevents unauthorized access to our data if a device is lost or stolen. BitLocker encrypts the device’s drive so that only authorised users can unlock it with approved authentication methods or a recovery key managed through Cat Media’s Microsoft environment.
Secure Enclave
We use Apple devices with Secure Enclave for our top-tier workstations and mobile devices. The Secure Enclave is a system on chip (SoC) that is included on all recent Apple Silicon-powered devices as well as those with the Apple T2 Security Chip. It provides the foundation for the secure generation and storage of the keys necessary for encrypting data at rest and protects and evaluates biometric data for Face ID and Touch ID.
By using these machines with Secure Enclave technology built-in, we ensure that our data is protected by hardware security features designed to keep our software and information safe. This includes a Boot ROM that forms a hardware root of trust for secure boot and an AES engine that performs fast inline encryption and decryption as files are written or read.
Encrypt
We encrypt all our data in transit and at rest using industry-standard protocols such as SSL/TLS and AES. This means that your data is protected from eavesdropping or tampering while it travels over the internet or while it is stored on our servers.
Enterprise AI and managed tools
Cat Media uses AI-enabled tools only within secure business, enterprise, private, or contractually controlled environments. We do not use client personal data or confidential information in free, personal, public, or unmanaged consumer AI accounts for service delivery.
Cat Media’s proprietary and managed tools are hosted and operated within Cat Media’s Microsoft environment. These tools may use Microsoft Azure AI services, Microsoft Foundry / Azure AI Foundry, Azure OpenAI models, and other Microsoft enterprise services.
Where approved commercial AI services such as OpenAI business services, the OpenAI API, Anthropic/Claude commercial services, or HubSpot AI/Breeze within client-owned HubSpot portals are used, they are used only for agreed service delivery and subject to appropriate confidentiality, access control, security, data protection, platform, and subprocessor obligations.
Cat Media does not use client personal data or confidential information to train public, shared, or third-party foundation models.
ZeroTrust
In addition to Conditional Access, we use Argo Tunnels with CloudFlare Zero Trust, a solution that secures every connection without relying on VPNs or firewalls. CloudFlare Zero Trust verifies every request using multiple factors such as identity, device posture, geolocation, time of day, etc., before granting access to applications or data.
By implementing these measures, we help protect data against unauthorised access, misuse, loss, and compromise. Our security practices are designed to support compliance with applicable data protection requirements, including GDPR, and are informed by recognised security frameworks and industry best practices, including principles from ISO/IEC 27001. Cat Media is not currently ISO/IEC 27001 certified, but we continue to mature our internal security governance, documentation, and controls.
Cat Media is committed to delivering secure, reliable, and well-governed HubSpot, CRM, data, integration, RevOps, and technical implementation services. We use trusted platforms such as HubSpot, Microsoft, Cloudflare, and approved enterprise-grade tools to support secure and compliant delivery for our clients.
To learn more about our security practices or how we support secure HubSpot and data operations, please contact us.
