Platform Security

Introduction

Our company values customers' privacy and takes important steps to protect all customer data. Our main job is to keep data secure; from this point of view, securing customers' data is one of the crucial jobs our company does.

Keeping our systems and customers' data secure is vital to our operations and business. Please also review our Privacy Policy.

Data at Rest Encryption for Database

The Platform attaches importance to customer data and regularly fulfills its obligations in this regard. The company is fully integrated with ISO 27001 information security management processes and regularly implements preventive security measures.

When using the Microsoft MSSQL database, the platform logically stores all customers' data and keeps it safe. It uses the "transparent data encryption" method and a 256-bit symmetric encryption key to keep the data safe.

It is technically almost impossible to decrypt this encrypted data in the database; even if the database is exposed in some way, it does not seem possible to read this data.

Currently, details such as company name, address, URL, and description are kept encrypted.
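A check an administrator can run to confirm the encryption settings described above, added here as an example and not taken from the platform's own code. It assumes a SQL Server instance, a login with VIEW SERVER STATE permission, and a certificate-protected database encryption key; the `finding` column and its wording are illustrative.

```sql
-- Added example (not the platform's own code): report transparent data
-- encryption (TDE) status for every user database on a SQL Server instance.
-- Run in master, because the certificate that protects each database
-- encryption key is stored there.
USE master;

SELECT
    d.name                      AS database_name,
    d.is_encrypted,
    k.encryption_state,         -- 3 = encrypted, 2 = encryption in progress
    k.key_algorithm,
    k.key_length,
    k.encryptor_type,
    c.name                      AS protecting_certificate,
    c.expiry_date               AS certificate_expiry,
    c.pvt_key_last_backup_date  AS private_key_last_backup,
    CASE
        WHEN k.database_id IS NULL
            THEN 'FAIL: no database encryption key, data files are plaintext'
        WHEN k.encryption_state = 2
            THEN 'WAIT: encryption scan still in progress'
        WHEN k.encryption_state <> 3
            THEN 'FAIL: database is not in the encrypted state'
        WHEN k.key_algorithm <> 'AES' OR k.key_length <> 256
            THEN 'WARN: key is not 256-bit AES'
        WHEN k.encryptor_type = 'CERTIFICATE'
             AND c.pvt_key_last_backup_date IS NULL
            THEN 'WARN: certificate private key has never been backed up'
        ELSE 'OK'
    END                         AS finding
FROM sys.databases AS d
LEFT JOIN sys.dm_database_encryption_keys AS k
       ON k.database_id = d.database_id
LEFT JOIN sys.certificates AS c
       ON c.thumbprint = k.encryptor_thumbprint
WHERE d.database_id > 4         -- skip master, tempdb, model, msdb
ORDER BY d.name;
```

Transparent data encryption protects data files, log files and backups on disk; it does not hide data from a login that is authorized to query the database, so access control still decides who can read the rows.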

For more information, please contact us.

Policies

Information Security Policy

Overview

This top-level information security policy is a key component of our overall information security management framework and should be considered alongside more detailed information security documentation, including system-level security policies, security guidance, and protocols or procedures.

Purpose

The objectives of our Information Security Policy are to preserve:

  • Confidentiality - Access to Data shall be confined to those with the appropriate authority.

  • Integrity - Information shall be complete and accurate. All systems, assets, and networks shall operate correctly, according to specification.

  • Availability - Information shall be available and delivered to the right person, at the time when it is needed.

The aim of this policy is to establish and maintain the confidentiality, integrity, and availability of information owned or held by us by:

  • Ensuring that all members of staff are aware of and fully comply with the relevant legislation as described in this and other policies.

  • Describing the principles of security and explaining how they shall be implemented in the organization.

  • Introducing a consistent approach to security, ensuring that all members of staff fully understand their own responsibilities.

  • Creating and maintaining within the organization a level of awareness of the need for Information Security as an integral part of the day-to-day business.

  • Protecting information assets under the control of the organization.

ISMS Scope

For the purpose of operating an effective ISMS, the context of the organization is bifurcated into internal and external related parties. It is important to understand the unique context of an organization before starting the planning and scoping of ISMS to ensure the implemented ISMS gives the best return on investment.

To establish the business context for the ISMS, we have identified and documented the internal and external context that the organization must consider when managing information security risks.

HR Policy

Information systems face threats from many sources, including the actions of people: employees and contractor personnel. The intentional and unintentional actions of these individuals can potentially harm or disrupt information systems and their facilities. These actions can result in the destruction or modification of the data being processed, denial of service to end users, and unauthorized disclosure of data, potentially jeopardizing our interests.

Purpose

The purpose of this policy is to ensure that all employees and contractors are qualified for, and understand, the roles and responsibilities of their job duties, and that access is removed once employment is terminated.

Acceptable Use Policy

We have outlined the acceptable use of information and IT resources for our employees/contractors. All employees/contractors are required to comply with the requirements in this policy.

Purpose

This policy is intended to limit the use of information and IT resources. The objective of this policy is to outline the acceptable use of computer equipment at our company. These rules are in place to protect the employee/contractor and our company. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.

Access Control and Password Policy

The objective of this policy is to establish an access control capability throughout our company and its business units to help the organization implement security best practices with regard to password management, logical security, account management and remote access.

Scope

This policy applies to all our employees/contractors and affiliates.

This policy is applicable to all information technology resources owned or operated by our company.

Web Application Security Policy

Web application vulnerabilities account for the largest portion of attack vectors outside of malware. It is crucial that any web application is assessed for vulnerabilities and that any vulnerabilities be remediated prior to production deployment.

Purpose

The purpose of this policy is to define web application security assessments within the platform. Web application assessments are performed to identify potential or realized weaknesses as a result of inadvertent misconfiguration, weak authentication, insufficient error handling, sensitive information leakage, etc. Discovery and subsequent mitigation of these issues will limit the attack surface of our available services.

System Documentation Policy

This policy defines the level of system documentation required such as configuration information and services that are running.

Purpose

This policy is designed to provide for service stability by ensuring that system documentation is complete and current. This policy complements business continuity management and disaster recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to any system.

Supplier Security Policy

This policy specifies controls to reduce the information security risks associated with outsourcing.

Scope

The supplier security policy applies to our employees and to outsourcers, which include: hardware and software support and maintenance staff, external consultants and contractors, IT or business process outsourcing firms, and temporary staff.

Remote Working Policy

This policy has been developed to protect sensitive or valuable data and maintain the overall security of our data and equipment whilst employees/contractors are working remotely. In addition, this policy recognizes and defines our duty of care to remote-working employees in regard to their health and safety and fair treatment.

Employees/contractors must ensure that the security of information and systems accessed through mobile and remote working arrangements is given due consideration. This policy emphasizes the importance of staff understanding our current information security policies and procedures and each individual's responsibilities in relation to these, which must be adhered to at all times.

Media Protection Policy

Information resides in many forms and can be stored in different ways. Media controls are protective measures specifically designed to safeguard electronic data and hardcopy information. This policy addresses the protection, marking, sanitization, production input/output, and disposal of media containing sensitive information.

Scope

This policy applies to all our employees/contractors and affiliates.

Database Credentials' Security Policy

Database authentication credentials are a necessary part of authorizing an application to connect to internal databases. However, incorrect use, storage, and transmission of such credentials could lead to compromise of very sensitive assets and be a springboard to wider compromise within the organization.

Purpose

This policy states the requirements for securely storing and retrieving database credentials for use by a program that will access a database running on our networks. Software applications running on our networks may require access to one of the many internal database servers. In order to access these databases, a program must authenticate to the database by presenting acceptable credentials. If the credentials are improperly stored, the credentials may be compromised leading to a compromise of the database.

Data Protection Policy

We are committed to compliance with all relevant EU and Member State laws in respect of personal data, and the protection of the “rights and freedoms” of individuals whose information we collect and process in accordance with the General Data Protection Regulation (GDPR). To do this, we comply with the Data Protection Principles which are set out in this policy.

Purpose

The purpose of this policy is to set out our obligations in relation to the and to demonstrate its commitment to compliance with it. The policy aims to fulfill the data protection requirements for personal data which we collect and process in accordance with the General Data Protection Regulation (GDPR).

Cryptography Policy

The purpose of this Policy is to protect the confidentiality, integrity and availability of our information by applying appropriate levels of cryptographic controls.

Purpose

The scope of this policy applies to information system resources, including but not limited to data networks, servers, personal computers, and mobile devices, located at our locations and at other locations, where these resources are under our jurisdiction and/or ownership. Third parties with access to high or critical data owned by us shall also adhere to this policy.

Configuration Management Policy

Configuration management manages the configuration of all hardware and software elements of information systems and networks and the security implications when changes occur. The initial configuration of the system or network must be documented in detail and all subsequent changes to any components must be controlled through a complete and robust configuration management process. This policy complements business continuity management and disaster recovery by ensuring that documentation is available in the event that systems should need to be rebuilt. This policy will help reduce troubleshooting time by ensuring that appropriate personnel are notified when changes are made to any system.

Clean Desk Policy

A clean desk policy can be an important tool to ensure that all confidential/restricted materials are removed from an end user workspace and locked away when the items are not in use or an employee/contractor leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees'/contractors' awareness about protecting sensitive information.

Purpose

The purpose of this policy is to establish the minimum requirements for maintaining a clean desk, where sensitive/critical information about our employees/contractors, our intellectual property, our customers and our vendors is secure in locked areas and out of sight. A Clean Desk policy is not only ISO 27001 compliant, but it is also part of standard basic privacy controls.

Change Management Policy

We recognise that changes (the addition, modification, or removal of anything) to the organisation, business processes, information processing facilities, and systems that affect information security need to be effectively managed, and that doing so is extremely important in ensuring the quality delivery of our services. We are aware that ineffective and uncontrolled change management could potentially result in significant system disruption, data corruption or loss. We have therefore formulated this Change Management Policy / Process in order to address the opportunities and associated risks. We will continue to formally manage changes to our Information Technology ("IT") / business resources to prevent disruptions to the stability, confidentiality, integrity and availability of our IT systems, business processes and data.

Cloud Asset Management Policy

This policy sets the expectation that cloud instances should be centrally managed, and that existing policies apply to software located in the cloud.

We have developed this policy to provide guidance on the use of cloud technology.

The objectives of our cloud asset management program include:

  • Ensuring that cloud-based assets are included in the IT asset management program.

  • Optimizing the cost of and value received from cloud services.

  • Mitigating security and compliance risks posed by cloud services.

Procedures

Document Management Procedure

The purpose of this Procedure is to create a method to provide the necessary control for the preparation, approval, release, revision, and distribution of the documentation used for management systems and business processes.

Scope

This procedure covers Management Systems and Business Processes documentation.

Information Security Roles & Responsibilities

The purpose of this document is to clearly define the roles and responsibilities that are essential to the implementation and continuation of the information security system in our platform.

Risk Management Procedure

The purpose of this document is to define risk management methodology followed in our platform.

Risk is the function of a source of threat, the possibility of using an existing weakness, and the negative impact of this situation. We conduct risk management activities in order to control the negative effects of the risks associated with the information assets. On the other hand, these activities also have the potential to create opportunities for our platform in different areas.

Internal Audit Procedure

The purpose of this procedure is to explain the responsibilities and methods for the planning and implementation of internal audits in order to review, evaluate and assess the information security management system within our organisation.

Management Review Procedure

This procedure sets out the arrangements for conducting periodic formal management reviews of our information security management system.

Continual Improvement Procedure

The purpose of this procedure is to describe the process by which our Management System considers every problem, such as systematic problems or opportunities for improvement, audit findings, etc., to ensure that the problem is identified, investigated and prevented from recurring.