Security Policy

1. Our Security Commitment

We commit to maintaining the highest standards of information security across our platform, infrastructure and operations. Security is embedded throughout our development lifecycle, infrastructure management and business processes.

2. Organisational Security

• Dedicated security team with experienced cybersecurity professionals.
• Executive-level ownership of security with a CISO reporting to leadership.
• Security awareness training for all employees upon onboarding and annually.
• Background checks conducted for all employees with access to sensitive systems.
• Access to customer data is strictly need-to-know and role-based.

3. Infrastructure Security

• All infrastructure hosted on ISO 27001-certified cloud providers.
• Network segmentation and firewall rules enforced across all environments.
• Intrusion detection and prevention systems (IDS/IPS) deployed.
• 24/7 infrastructure monitoring with automated alerting.
• Regular vulnerability scanning of all infrastructure components.
• Patch management policy requiring critical patches within 24 hours.

4. Application Security

• Secure Software Development Lifecycle (SSDLC) integrated into engineering processes.
• Static and dynamic application security testing (SAST/DAST) in CI/CD pipelines.
• Code reviews with mandatory security sign-off for sensitive changes.
• Annual third-party penetration testing by accredited security firms.
• OWASP Top 10 mitigation controls applied to all web applications.
• Dependency scanning to detect and remediate vulnerable third-party libraries.

5. Data Security

• All customer data encrypted at rest using AES-256.
• All data in transit encrypted using TLS 1.2 or higher.
• Database access restricted to authorised services and personnel only.
• Sensitive data masked or tokenised where possible.
• Data backups performed daily with encrypted, geographically redundant storage.

6. Access Control

• Multi-factor authentication (MFA) required for all internal systems.
• Role-based access control (RBAC) enforced across all platforms.
• Privileged access management (PAM) for administrative accounts.
• Access reviews conducted quarterly to ensure least-privilege principle.
• All access activity logged and monitored in a centralised SIEM.

7. Incident Response

We maintain a documented Incident Response Plan tested through regular tabletop exercises. In the event of a security incident affecting customer data, we commit to notifying affected customers within 72 hours of detection, providing regular updates, and a full post-incident report upon resolution.

8. Business Continuity & Disaster Recovery

Our platform is designed for high availability with target uptime of 99.9%. We maintain documented Business Continuity and Disaster Recovery plans with regular testing. Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined and tested annually.

9. Compliance & Certifications

• ISO/IEC 27001:2022 – Information Security Management (in progress).
• SOC 2 Type II – Security, Availability and Confidentiality.
• GDPR compliance for customers in the European Union.
• Regular internal audits and third-party compliance assessments.

10. Vendor & Third-Party Security

All third-party vendors with access to our systems or customer data undergo security assessments before onboarding. We maintain a vendor risk register and conduct periodic reviews. Vendors must comply with our security standards and sign appropriate data processing agreements.

11. Reporting Security Issues

If you discover a security vulnerability in our systems, please report it responsibly through our Responsible Disclosure Policy. We commit to acknowledging all reports within 48 hours and working collaboratively to resolve confirmed vulnerabilities. Please visit /privacy/responsible-disclosure for details.