Security

Security Policy

1. Overview

This Security Policy defines the administrative, technical, and physical safeguards implemented to protect the confidentiality, integrity, and availability of customer data and platform services.

2. Data Protection & Tenant Isolation

  • Each customer’s data is logically isolated in a multi-tenant environment.
  • Strict access controls prevent unauthorized cross-tenant data access.
  • Database access is restricted to authorized services and personnel.
  • Production data is never shared across tenants.

3. Encryption

3.1 Data in Transit

  • All traffic between clients and servers is encrypted using HTTPS (TLS).
  • TLS is required on all API endpoints.

3.2 Data at Rest

  • Database storage is encrypted at rest using industry-standard mechanisms provided by our hosting environment.
  • Secrets, API keys, and credentials are stored in a dedicated secret management service.

4. Authentication & Access Control

  • Access is enforced according to defined page-level and data-level access rules.
  • Password policies require minimum complexity and, where applicable, rotation.
  • Authentication tokens are generated securely, validated on each use, and expire after a defined lifetime.
  • Administrative access is restricted, logged, and periodically reviewed.
  • The principle of least privilege is enforced across all systems.

5. Application Security

  • Dependencies and security patches are reviewed and applied on a regular basis.
  • A Web Application Firewall (WAF) is deployed at the network and application edge with OWASP-based rulesets enforced.
  • The WAF inspects inbound and outbound HTTP/HTTPS traffic and blocks malicious requests in real time.
  • Controls are implemented to mitigate common web application risks, including:
    • SQL Injection
    • Cross-Site Scripting (XSS)
    • Cross-Site Request Forgery (CSRF)
    • Authentication and authorization bypass
  • Input validation and server-side enforcement of business rules are mandatory; client-side checks are not relied upon as a security control.
  • Bot protection controls are applied at the edge to help detect and limit automated abusive traffic without relying solely on IP-based blocking.
  • Distributed Denial-of-Service (DDoS) mitigation controls are in place at the network edge to absorb and limit volumetric and protocol-based attacks. Uninterrupted service under all attack conditions is not guaranteed.

6. Logging, Monitoring & Auditing

  • All application and API requests are logged.
  • Security-relevant events are continuously monitored.
  • Access to sensitive systems is logged, and those logs are retained for audit and forensic review.

7. Vulnerability Management

  • Security risks are identified through periodic reviews and testing activities.
  • Identified vulnerabilities are risk-rated and remediated in a timely manner.
  • Third-party components are monitored for published security advisories.

8. Backup

  • Production databases are backed up automatically.
  • Backups are encrypted and securely stored.

9. Incident Response

  • Security events are investigated without undue delay.
  • Customer notifications are issued in accordance with applicable legal obligations.
  • Post-incident reviews are performed to strengthen preventative controls.

10. Third-Party Services

  • Third-party providers are assessed for security practices before integration.
  • Only trusted vendors with acceptable security standards are used.
  • Access granted to third parties is limited and reviewed regularly.

11. Employee Access Security

  • Access to production systems is limited to authorized personnel.
  • Access rights are revoked immediately upon employee offboarding.

12. Compliance

Our security practices are designed to align with generally accepted security principles and applicable data protection regulations, where required by law. This policy does not claim formal certification unless explicitly stated elsewhere.

13. Customer Responsibilities

  • Customers are responsible for safeguarding their login credentials.
  • Customers should ensure that authorized users follow internal security best practices.
  • Any suspected unauthorized access should be reported immediately.

14. Policy Updates

We may update this Security Policy from time to time to reflect changes in technology, regulatory requirements, or security practices. Material changes will be communicated through appropriate channels.

15. Security Contact

For security-related issues, vulnerability reports, or abuse concerns, please contact:

Email: admin@skizzlehr.tech
Contact Type: Admin