Security Policies

Server Operations Security Policies

In order to guarantee a secure and reliable service to our customers, we rely on our internal security policies so that all roles, processes, accesses, and operations reduce the inherent risks of information systems management and administration.

1. Information Security Objectives

1.1. Confidentiality
Customer data, intellectual property, and sensitive information are strictly confidential. Access controls and encryption mechanisms are implemented to protect against unauthorized access.
1.2. Integrity
Data integrity is maintained through strict access controls and cryptographic measures. Measures are in place to prevent unauthorized alterations or modifications.
1.3. Availability
Services are designed to ensure high availability. Redundancy and failover mechanisms, such as load balancers, database clusters, or backup servers, are implemented to minimize downtime.

2. Roles and Responsibilities

2.1. Management
Management oversees and enforces security policies. Each employee or user is granted only the permissions required to deliver the tasks they are responsible for.
2.2. Employees
Employees adhere to security policies such as password and encryption key management. Prompt reporting of security incidents is mandatory.

3. Physical Security

3.1. Data Centers
Physical security controls, including access controls and surveillance, are implemented. Environmental controls ensure optimal conditions for hardware. We conduct internal assessments of our external service providers to ensure they implement the required security controls.
3.2. Server Facilities
Server facilities are physically secured to prevent unauthorized access.

4. Network Security

4.1. Firewalls
Firewalls are deployed to monitor and control network traffic. Policies are in place to restrict unauthorized access.
4.2. Intrusion Detection and Prevention
Intrusion detection and prevention systems are active to identify and mitigate security threats.
4.3. Network Segmentation
Logical network segmentation is implemented to control access and limit the impact of incidents.

5. System Security

5.1. Server Hardening
Servers undergo regular hardening procedures to minimize vulnerabilities.
5.2. Patch Management
Systems are regularly patched to address known vulnerabilities.
5.3. Antivirus/Antimalware
Up-to-date antivirus and antimalware protection is installed on all servers and endpoints.
5.4. Logging and Monitoring
Logging and monitoring systems are implemented to detect and respond to security incidents.
5.5. Customized Configurations
Service configurations are customized and secured to avoid exposure to common attacks.

6. Data Security

6.1. Data Classification
Data is classified based on sensitivity.
6.2. Encryption
Sensitive data is encrypted during transmission and storage.
6.3. Backup and Recovery
Regular data backups are performed, and a robust recovery process is established.

7. Application Security

7.1. Secure Development Lifecycle
Applications are developed following secure coding practices.
7.3. Regular Audits and Scans
Regular security audits and scans of applications are conducted.

8. Incident Response

8.1. Incident Identification and Reporting
Procedures are in place for the identification and prompt reporting of security incidents.
8.2. Incident Investigation
A structured incident investigation process determines the scope, impact, and root cause of security incidents.
8.3. Lessons Learned
After an incident, a thorough analysis identifies lessons learned, and improvements are implemented.
8.4. Reporting Procedures
Clear procedures are established for reporting security incidents.

9. Security Awareness Training

9.1. Employee Training
Regular security awareness training programs are conducted for all employees.
9.2. Periodic Training Programs
Periodic training programs ensure all personnel are up-to-date with the latest security protocols and procedures.
9.3. Periodic Disaster Recovery Simulations
Periodic simulations rehearse the protocols and procedures to follow in possible disaster events.

10. Vendor Management

10.1. Security Assessments
All third-party vendors and service providers undergo comprehensive security assessments.
10.2. Monitoring and Review
Ongoing monitoring and periodic reviews of third-party vendors ensure ongoing compliance with security requirements.