Security is a Branch Priority

We take security seriously at Branch. Learn more about our policies and find out how to report a vulnerability.

General Security

Branch Metrics is committed to adopting the following best practices for software development, business operations, and data privacy to provide a secure and safe platform service to our customers:
Branch has documented policies, procedures, and processes for the effective management of its Information Security Management System (ISMS). Security policies are approved by the Chief Operating Officer (COO) or the Information Security Management Committee (ISMC). Any exception must be authorized by the Head of Security or the ISMC. Branch reviews and updates its security policies at least annually.

General and Workplace Security Policy

Branch has installed a visitor check-in system at Branch’s offices. The system issues a visitor badge that visitors must wear at all times while on the premises.

Branch uses a Mobile Device Management (MDM) system to secure company assets and access to work information. Company-issued devices and laptops are provisioned from a tested image and are protected by anti-virus and malware scanning software. To protect business data from theft or exfiltration, external USB storage devices are prohibited on laptops; this restriction is enforced by the MDM tool. Under the BYOD (Bring Your Own Device) policy, personal mobile devices used in the office must connect to a separate guest Wi-Fi network.

Branch conducts Security Awareness Training annually.

Physical Security Policy

Branch has implemented physical security controls including access control, surveillance, and audits.

Branch maintains a formally documented access control program to ensure that personnel's physical access is revoked immediately upon termination or when access is no longer required.

Employees must use their issued security access card to enter office premises. Network equipment and other assets inside the office building are secured behind physical locks. Security surveillance recordings are retained for review in the event of an incident.

Branch leverages AWS as its IaaS provider. AWS data center physical security controls can be found at

Lock and Key Control

Branch enforces technical controls to secure the physical access keys, cards, passwords, and similar credentials used to enter or gain access to information systems and network hosting facilities.

Organization Controls

Branch creates, implements, and maintains policies and procedures, documented and approved by its senior management, that govern the hiring, termination, code of conduct, ethics, and background screening of all employees and contractors. Branch conducts a background check on each employee using reliable third-party services.

Branch conducts a security and privacy awareness program for employees annually.

Authorized Software Standards

Branch maintains a formal process for approving new software and maintains a list of authorized software standards for internal use.

Branch has implemented technical controls to restrict the installation of unauthorized software on company-issued devices and in the company environment.

Acceptable Use

Branch has published an acceptable use policy that defines the acceptable use of information, electronic and computing devices, and network resources used to conduct Branch business or to interact with internal networks and business systems, whether owned or leased by Branch, a user, or a third party.

Mobile Device Acceptable Use

Branch has documented procedures and technical restrictions for users who have a legitimate business requirement to use a personal or Branch-issued mobile device to access Branch’s electronic resources.

Mobile Device Security Standards

Branch has documented mobile device security standards that define the specific rules and security configurations applied to all Branch-issued mobile devices.

Identity Theft

Branch has a formally documented Identity Theft Program that sets the minimum standards maintained throughout the company to protect identity information and reduce the risk of identity theft. This helps protect Branch, its customers, partners, and other associated personnel from the loss or misuse of identity information.

Network Security

Branch has a documented network security policy that covers controls for network segregation, encryption, passwords, logical access, and remote access to the network.

Authentication and Password Policy Control

Branch enforces a strong password complexity policy together with multi-factor authentication (MFA). An account lockout policy locks accounts that exceed the threshold of invalid login attempts.

System and Data Access

Branch has implemented secure system access and remote access mechanisms. Only authorized production and customer support personnel can access production backend systems and customer data, on a need-to-know basis, via a virtual private network (VPN) with multi-factor authentication (MFA).

Our web services require the use of service accounts and secure API tokens.

Logical Data Access

Branch has adopted a logical system access provisioning process that meets or exceeds industry standards for all systems that access, process, or store customer data and confidential information.

Branch has implemented role-based access control (RBAC) and conducts access reviews periodically.

Operations Security

Secure Software Development Lifecycle Process

Branch has adopted a secure software development lifecycle process built on an agile development methodology. This includes periodic review of issues identified by static application security testing (SAST), dynamic application security testing (DAST) of web applications, penetration testing, and container vulnerability scanning, all automated in the build pipeline.

Branch engages third-party professional security firms to perform network and application penetration testing against the production environment annually. Branch also uses security researchers from crowd-sourced communities to identify exploits and security vulnerabilities.

Risk Management

Branch has formally documented policies for vendor and technology risk assessment and risk management. Branch’s due diligence process ensures that the system security and data privacy details of a vendor or technology are reviewed, and that identified security risks are mitigated, before adoption.

All identified risks are recorded in the risk register, and a correction or risk treatment plan is defined for each.

Backup and Restore

Branch has adopted a formal data backup and restoration process to protect business data. Nightly backups (snapshots) of data are taken and stored in redundant locations. Only authorized personnel can access or restore data from the backup datasets.

Security Monitoring and Logging

Branch has implemented comprehensive system monitoring for its cloud applications and microservices, and has deployed a security information and event management (SIEM) system. Branch has also implemented vulnerability and network intrusion detection controls. These controls generate proactive alerts to notify the platform infrastructure team of system events and suspicious activity that may indicate a security incident.

Security Incident Response Process

Branch has a formally documented incident response program. The security incident response plan defines the steps to be coordinated with the cross-functional incident response team to mitigate a security incident in a timely manner.

All verified security incidents are reported promptly to the security incident response team. Depending on the response level and the customer agreement, customers are notified in a timely manner of the incident status and remediation.

Branch tests the security incident response process annually.

Business Continuity

Branch has adopted a Business Continuity / Disaster Recovery Process that meets or exceeds industry standards and provides a formal framework and methodology, including without limitation a business impact analysis and a risk assessment process to identify and prioritize critical business functions.

Branch conducts a Business Continuity test every twelve (12) months, including a review of the Business Continuity Plan, roles and responsibilities, business documentation requirements, recovery strategies, Mean Time to Recovery (MTTR), Recovery Time Objectives (RTOs), Recovery Point Objectives (RPOs), testing strategy and frequency.

The Branch Business Continuity / Disaster Recovery Process owner is Ray Lai, Head of Security.

Change Management

Branch uses a change management system for documenting and tracking planned and emergency software changes. A workflow approval process is in place to ensure change requests are prioritized and assigned.

Branch has adopted a security patch management process for periodic and ad hoc software and security updates. Branch also uses a system configuration management system for continuous monitoring and evaluation of resource configurations.

Any high-risk or critical change to system configurations undergoes a formal approval process involving senior management (such as senior managers or directors) and the Head of Security.

Vulnerability Management

Branch maintains a security vulnerability management program that includes policies and procedures for identifying and managing security vulnerabilities found by internal and external vulnerability assessments.

Branch's vulnerability management program covers vulnerability scans, external and internal penetration tests, and the vulnerability disclosure program (aka bug bounty).

Data Security and Privacy

Data Classification

Branch has a formal information classification process to classify or assign a label to customer and business data. Asset owners are responsible for assigning classification to information assets.

Data Retention and Destruction

Branch has established company-wide requirements and practices for the retention of customer data and company records, including electronically stored documents and emails.

Branch follows industry security best practices (e.g., AWS and NIST guidance) for the secure deletion or destruction of electronically stored data and physical records. This includes sanitizing laptop hard drives before disposal.

Data Encryption and Integrity

Branch uses industry-standard encryption algorithms to encrypt customer data and protect its confidentiality in transit and at rest.

Branch has implemented logical data segregation that meets or exceeds industry standards to ensure customer data and confidential information is not viewable by unauthorized users.

Branch has implemented input and output validation for data protection in the Dashboard application. Business data is validated and integrity-checked in the backend microservices and the API web services. A Data Leakage Prevention (DLP) tool is deployed in our backend storage infrastructure to guard against unauthorized disclosure of data.

Data Management and Protection

Branch classifies all customer data as confidential and has implemented layered data protection controls to ensure data privacy. These include protection of data at rest (encryption), data in transit (secure transport), and role-based access control. Data access is restricted to authorized personnel, and production backend systems can only be accessed using MFA, a VPN, and company-issued laptops.

Branch has the processes and procedures in place to fulfil Data Subject Requests regarding personal data, in accordance with applicable law and within 30 days, to meet GDPR and ePrivacy requirements.

Data Privacy

A documented data privacy statement describes what data Branch captures and how that data is protected, and can be found under

Policy Owner : Ray Lai, Head of Security

Version: v3.1.1

Updated date: 2021-12-09

Review Our Policies

Privacy Policy GDPR Commitment