Security Policy

Last Updated: 2026-02-25

1. Security Framework

Our security programme is grounded in globally recognised standards and proven methodologies, ensuring that the confidentiality, integrity, and availability of the platform and your data are never compromised. We employ a layered defence strategy spanning technical controls, physical safeguards, and organisational governance to counteract an ever-changing threat landscape.

1.1 Compliance Standards

• ISO 27001: Certified Information Security Management System aligned to international benchmarks
• SOC 2 Type II: Independent attestation covering Security, Availability, and Confidentiality trust principles
• GDPR: Adherence to European Union data protection regulations
• POPIA: Full conformity with South Africa's Protection of Personal Information Act
• NIST Framework: Implementation guided by the NIST Cybersecurity Framework

2. Data Protection

2.1 Data Encryption

• At-Rest Encryption: AES-256 cipher applied to every piece of stored information
• In-Transit Encryption: TLS 1.3 secures all network communications end to end
• Database-Level Protection: Transparent encryption active across all database engines
• Document Security: Full end-to-end encryption covering every uploaded file and attachment
• Backup Safeguards: All backup archives are encrypted using independently managed keys

2.2 Key Management

• HSM Infrastructure: Hardware Security Modules handle key generation and custody
• Automated Rotation: Cryptographic keys are rotated on a predetermined schedule
• Restricted Key Access: Only authorised processes and personnel may interact with key material
• Comprehensive Logging: A tamper-evident audit trail records every key lifecycle event

3. Access Control and Authentication

3.1 User Authentication

• Multi-Factor Authentication (MFA): Mandatory across every user account without exception
• Password Standards: A minimum of 12 characters incorporating complexity rules
• Credential Storage: Passwords are hashed with bcrypt and a unique salt per entry
• Session Governance: Cryptographically secure session tokens with enforced time-outs
• Brute-Force Mitigation: Accounts are locked automatically after repeated failed attempts

3.2 Role-Based Access Control (RBAC)

• Five-Tier Hierarchy: Granular role system comprising LiteClient, Client, Guard, Admin, and Owner
• Least Privilege Enforcement: Each role is granted only the permissions essential to its function
• Inherited Permissions: Elevated roles automatically include the capabilities of subordinate tiers
• Live Permission Evaluation: Access decisions are computed in real time against current policies
• Periodic Entitlement Reviews: Scheduled audits ensure permissions remain appropriate

3.3 Administrative Access

• Privileged Access Management (PAM): Centralised control over all elevated credentials
• Bastion Hosts: Dedicated secure gateways for reaching production infrastructure
• Ephemeral Elevation: Temporary privilege grants that expire automatically
• Dual Authorisation: Sensitive operations require sign-off from multiple authorised individuals

4. Infrastructure Security

4.1 Cloud Security

• Hosting Platform: Google Cloud Platform delivering enterprise-grade security controls
• Network Isolation: Virtual Private Cloud architecture for complete tenant separation
• Service Segmentation: Discrete network zones isolate individual service components
• Volumetric Attack Defence: Automated DDoS mitigation with intelligent traffic scrubbing
• Traffic Distribution: Redundant load balancers performing continuous health verification

4.2 Network Security

• Advanced Firewalls: Next-generation firewalls providing deep application-layer inspection
• Anomaly Detection: Ongoing traffic analysis to identify and flag suspicious patterns
• Secure Remote Access: Encrypted VPN tunnels for all administrative connectivity
• Continuous Surveillance: Around-the-clock network monitoring backed by automated alerting

4.3 Application Security

• WAF Protection: A Web Application Firewall deflects common attack vectors
• API Hardening: Enforced rate limits, token-based authentication, and strict input validation
• Container Integrity: Verified container images coupled with runtime protection policies
• Automated Code Analysis: Both static (SAST) and dynamic (DAST) security testing in every build

5. Monitoring and Incident Response

5.1 Security Monitoring

• SIEM Platform: Centralised Security Information and Event Management for log correlation
• 24/7 Operations: A dedicated security operations centre staffed around the clock
• Threat Intelligence Feeds: Continuous ingestion of global threat intelligence data
• Event-Driven Alerts: Automated notifications triggered by anomalous security events
• Log Correlation: In-depth log aggregation, analysis, and cross-source correlation

5.2 Incident Response

• Response Squad: A purpose-built team trained to handle security incidents end to end
• Documented Playbooks: Predefined response procedures for every identified incident category
• Stakeholder Communication: Clearly defined escalation paths and notification protocols
• Digital Forensics: In-house forensic capability for thorough post-incident investigation
• Service Restoration: Detailed recovery plans to return operations to normal swiftly

5.3 Breach Notification

• Early Detection: Automated systems engineered to surface breaches at the earliest opportunity
• Impact Evaluation: Rapid scoping of breach severity, affected data, and impacted parties
• Timely Disclosure: Prompt communication to all affected individuals and organisations
• Regulatory Filings: Compliance with all statutory notification obligations and deadlines

6. Data Center and Physical Security

6.1 Physical Access Controls

• Tier IV Facilities: Operations hosted in certified data centres meeting the highest resilience tier
• Biometric Entry: Server room access governed by multi-modal biometric verification
• On-Site Guards: Professional security personnel and comprehensive CCTV coverage at all times
• Visitor Protocols: Strict sign-in procedures, identity verification, and escorted access for all guests

6.2 Environmental Controls

• Temperature Regulation: Fully redundant HVAC systems maintaining optimal conditions
• Fire Mitigation: State-of-the-art detection and suppression technology deployed facility-wide
• Power Resilience: Uninterruptible power supplies complemented by diesel backup generators
• Asset Decommissioning: Certified destruction procedures for retired storage media and hardware

7. Development and DevOps Security

7.1 Secure Development Lifecycle

• Security-First Design: Threat modelling and security requirements embedded from the outset
• Peer Review: Every code change undergoes a mandatory security-focused review
• Static Analysis Tools: Automated scanners evaluate source code before each merge
• Supply Chain Scanning: Third-party libraries are continuously checked for known vulnerabilities
• External Penetration Tests: Independent specialists conduct regular offensive security assessments

7.2 DevOps Security

• Pipeline Hardening: CI/CD workflows incorporate security gates at every stage
• Infrastructure as Code: All environment configurations are version-controlled and auditable
• Image Assurance: Container images are signed, scanned, and validated before deployment
• Secrets Vault: Credentials and tokens are stored in a dedicated vault with automated rotation

8. Business Continuity and Disaster Recovery

8.1 Backup and Recovery

• Scheduled Backups: Automated, encrypted snapshots taken at regular intervals
• Multi-Region Storage: Backup copies distributed across geographically separate locations
• Restoration Drills: Routine exercises validate backup integrity and recovery procedures
• RTO/RPO Targets: Recovery Time Objective of under 4 hours; Recovery Point Objective of under 1 hour

8.2 High Availability

• Component Redundancy: Critical systems are duplicated to eliminate single points of failure
• Automatic Failover: Standby resources activate instantly when a primary component fails
• Geographic Distribution: Workloads are spread across multiple regions for resilience
• Health Monitoring: Continuous probes verify system availability and trigger alerts on degradation

9. Employee Security

9.1 Personnel Security

• Pre-Employment Vetting: Thorough background and reference checks for every hire
• Ongoing Awareness Training: Mandatory security education refreshed on a regular cycle
• Non-Disclosure Obligations: All staff sign binding confidentiality and NDA agreements
• Offboarding Procedures: System access is revoked immediately upon separation from the organisation

9.2 Security Awareness

• Structured Programmes: Recurring workshops and e-learning modules on current threats
• Simulated Attacks: Periodic phishing and social engineering exercises to test readiness
• Bulletins and Advisories: Timely internal communications on emerging risks and best practices
• Clear Reporting Channels: Well-publicised procedures for escalating suspected security events

10. Third-Party Security

10.1 Vendor Management

• Due Diligence: In-depth security evaluations performed before onboarding any vendor
• Contractual Obligations: Binding security clauses written into every vendor agreement
• Continuous Oversight: Ongoing monitoring of each vendor's security posture and compliance
• Joint Incident Handling: Pre-agreed coordination plans for cross-organisational security events

10.2 Integration Security

• Secure API Connectivity: All third-party integrations authenticated and encrypted by default
• Data Flow Governance: Strict policies governing what data may be shared externally
• Periodic Reassessment: Scheduled reviews of every active third-party integration
• Risk Profiling: Continuous evaluation of the risk each external relationship introduces

11. Compliance and Auditing

11.1 Regular Audits

• Internal Reviews: Routine internal security assessments conducted by our governance team
• Independent Audits: Annual engagements with accredited third-party audit firms
• Compliance Evaluations: Systematic checks against applicable regulatory frameworks
• Finding Resolution: Timely remediation of every identified gap or non-conformity

11.2 Regulatory Compliance

• GDPR: Comprehensive alignment with EU data protection mandates
• POPIA: Ongoing adherence to South African personal information legislation
• Industry Benchmarks: Conformity with recognised security industry frameworks and standards
• Compliance Reporting: Transparent documentation and periodic reporting to stakeholders

12. Customer Security Responsibilities

12.1 Account Security

• Robust Passwords: Select strong, unique credentials for every account you operate
• MFA Activation: Switch on multi-factor authentication for all users in your organisation
• Permission Hygiene: Conduct regular reviews and adjustments of user access rights
• Staff Awareness: Ensure every team member receives adequate security guidance

12.2 Data Protection

• Classification Discipline: Label and handle sensitive data according to its risk level
• Internal Controls: Apply access restrictions that match the sensitivity of the information
• Prompt Reporting: Notify us without delay if you suspect a security incident
• Regulatory Alignment: Maintain compliance with all laws applicable to your operations

13. Security Incident Reporting

Should you identify a security vulnerability or become aware of a potential incident, please notify us without delay:

14. Contact Information

For any enquiries relating to this Security Policy or our broader security practices, please reach out: