Security & Trust
Clients trust Sun Life Tech with access to important business systems, devices, cloud services, and technical information. We operate a documented Information Security Management System and publish clear limits around what we do and do not claim publicly.
Documented controls • Restricted access • First-party declaration only
Our ISMS
Documented security governance tied to service delivery, client access, and continual review.
Sun Life Tech maintains a documented Information Security Management System, or ISMS, covering the people, processes, technology, suppliers, and safeguards used to provide managed IT, cybersecurity, cloud, website, and compliance-readiness services.
Sun Life Tech self-declares conformity of its Information Security Management System with ISO/IEC 27001:2022.
The public declaration is intentionally narrower than the internal ISMS records. It explains the scope and responsibility statement without exposing confidential operating evidence, client details, or security-sensitive documentation.
Sun Life Tech self-declares conformity of its Information Security Management System with ISO/IEC 27001:2022 within its defined scope.
Not independently certified by an accredited certification body.
Trust summary
The declaration is supported by defined governance artifacts and operating evidence, while confidential records remain private.
Credentials
Access practices are structured to reduce unnecessary credential handling whenever the platform and engagement allow.
Sun Life Tech does not routinely maintain client passwords at its office. Where technically possible, access is completed through client-controlled authentication, delegated administrative access, temporary credentials, multi-factor authentication, authenticator verification, or one-time security codes.
Client credentials remain under the client’s control whenever the platform and engagement allow.
Physical security
Physical access controls matter because business systems and client information depend on them.
Sun Life Tech operates from a dedicated home-office workspace located in a separate locked room. Access to the office and company devices is restricted to the owner and authorized personnel. At present, the owner is the sole authorized user of Sun Life Tech business devices.
Core practices
Security messaging stays specific, limited to what is documented, and grounded in controls that can be maintained.
Administrative and business-critical access is designed around stronger verification and reduced reliance on single-factor access.
Access decisions are scoped to business need, role, and system responsibility rather than broad standing access.
Business devices are managed with a baseline that supports secure use, updates, and incident response.
Systems, accounts, and supporting assets are tracked so decisions are based on a current operating picture.
Security priorities are tied to documented risk rather than generic tool lists or fear-based messaging.
Key suppliers and supporting platforms are reviewed as part of the overall service-delivery and risk picture.
Security events are handled through defined triage, communication, containment, and follow-up practices.
Recovery planning focuses on coverage, restoration priority, and operational continuity rather than backup assumptions.
Continuity planning considers the systems and workflows clients depend on when issues interrupt operations.
User and privilege reviews help reduce stale access and clarify who should retain administrative capabilities.
Internal review is used to confirm whether controls, records, and operating practices remain supportable over time.
Gaps and improvement items are formally tracked so issues are not lost after the initial review.
Security work is treated as an operating discipline that improves through review, evidence, and follow-through.
Security governance
The public page explains the governance structure without exposing sensitive operational details.
Sun Life Tech does not publicly expose confidential policies, client details, asset identifiers, supplier weaknesses, control gaps, internal IP addresses, passwords, system architecture, or security-sensitive evidence.
Responsibility model
Clear boundaries matter because supportable security depends on both sides doing their part.
Security is a shared responsibility. Sun Life Tech applies safeguards within the systems and services under its control. Clients remain responsible for following security guidance, protecting their accounts, approving authorized users, maintaining required licenses, and notifying Sun Life Tech of personnel, technology, or risk changes.
FAQ
Visible answers for the trust questions clients commonly ask before sharing access.