Security Policy
Last Updated: January 2, 2025
Caldorentis is committed to protecting the security and integrity of your data. This Security Policy outlines the measures we implement to safeguard your information and maintain the confidentiality, availability, and integrity of our services.
1. Information Security Framework
1.1 Security Governance
We maintain a comprehensive information security program that includes:
Risk Assessment: Regular evaluation of security risks and vulnerabilities across our systems and infrastructure.
Security Policies: Documented policies and procedures governing data protection, access control, and incident response.
Compliance Monitoring: Ongoing monitoring to ensure adherence to security standards and regulatory requirements.
Third-Party Audits: Periodic independent security assessments and penetration testing.
1.2 Security Team
Our dedicated security team is responsible for monitoring threats, implementing protective measures, and responding to security incidents. Team members receive ongoing training in the latest security practices and emerging threats.
2. Data Protection Measures
2.1 Encryption
We employ industry-standard encryption to protect your data:
Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.2 or a higher protocol version.
Data at Rest: Sensitive data stored on our servers is encrypted using AES-256 encryption or equivalent standards.
Database Encryption: Database contents are encrypted to protect against unauthorized access.
2.2 Access Controls
We implement strict access control measures including:
Authentication: Multi-factor authentication requirements for accessing sensitive systems and data.
Authorization: Role-based access controls ensuring users can only access data necessary for their functions.
Principle of Least Privilege: Users and systems are granted the minimum level of access required.
Access Logging: Comprehensive logging of all access to sensitive data and systems.
2.3 Data Segregation
Customer data is logically segregated to prevent unauthorized access between different customer accounts and environments.
3. Infrastructure Security
3.1 Network Security
Our network infrastructure includes:
Firewalls: Advanced firewall systems protecting against unauthorized network access.
Intrusion Detection: Real-time monitoring systems to detect and respond to suspicious network activity.
DDoS Protection: Distributed denial-of-service mitigation systems to ensure service availability.
Network Segmentation: Separation of production, development, and administrative networks.
3.2 Server Security
Our servers are protected through:
Hardening: Servers are configured according to security best practices with unnecessary services disabled.
Patch Management: Regular application of security updates and patches to operating systems and software.
Antivirus Protection: Enterprise-grade antivirus and anti-malware solutions deployed across all systems.
Monitoring: Continuous monitoring of server performance and security events.
3.3 Physical Security
Our data centers maintain strict physical security including:
Access Control: Biometric authentication and security personnel restricting physical access.
Surveillance: 24/7 video monitoring of facilities.
Environmental Controls: Fire suppression, climate control, and power redundancy systems.
4. Application Security
4.1 Secure Development
We follow secure coding practices including:
Code Reviews: Peer review of code changes to identify security vulnerabilities.
Security Testing: Automated and manual security testing during development.
Vulnerability Scanning: Regular scanning of applications for known vulnerabilities.
Dependency Management: Monitoring and updating third-party libraries and dependencies.
4.2 Input Validation
All user inputs are validated and sanitized to prevent injection attacks, cross-site scripting, and other common vulnerabilities.
4.3 Session Management
User sessions are secured through encrypted session tokens, automatic timeouts, and secure cookie handling.
5. Backup and Recovery
5.1 Data Backup
We maintain regular backups of your data:
Frequency: Automated daily backups of all critical data.
Retention: Multiple backup versions retained according to our retention schedule.
Encryption: All backups are encrypted during transmission and storage.
Geographic Distribution: Backups stored in geographically diverse locations.
5.2 Disaster Recovery
Our disaster recovery plan includes:
Recovery Procedures: Documented procedures for restoring services following disruptions.
Regular Testing: Periodic testing of backup restoration and recovery processes.
Redundancy: Redundant systems to minimize service interruption.
6. Incident Response
6.1 Security Monitoring
We maintain 24/7 security monitoring to detect potential security incidents, including:
Log Analysis: Centralized collection and analysis of security logs.
Anomaly Detection: Automated systems to identify unusual patterns or behaviors.
Threat Intelligence: Integration of global threat intelligence feeds.
6.2 Incident Management
When security incidents occur, we follow a structured response process:
Detection and Analysis: Rapid identification and assessment of the incident scope and impact.
Containment: Immediate action to prevent further damage or data exposure.
Remediation: Elimination of the threat and restoration of normal operations.
Investigation: Thorough analysis to determine root cause and prevent recurrence.
Communication: Notification to affected parties as required by law or policy.
6.3 Breach Notification
In the event of a data breach affecting your information, we will:
Notify affected users promptly upon discovery and assessment of the breach.
Provide details about the nature of the breach and data affected.
Outline steps taken to address the breach and prevent future incidents.
Recommend actions users should take to protect themselves.
Comply with applicable breach notification laws and regulations.
7. Personnel Security
7.1 Background Checks
We conduct appropriate background checks on employees with access to sensitive systems and data, in accordance with applicable laws.
7.2 Security Training
All personnel receive:
Initial Training: Security awareness training during onboarding.
Ongoing Education: Regular updates on security best practices and emerging threats.
Role-Specific Training: Specialized training for personnel handling sensitive data.
7.3 Confidentiality Agreements
All employees, contractors, and partners with access to sensitive information sign confidentiality and non-disclosure agreements.
8. Vendor and Third-Party Security
8.1 Vendor Assessment
We evaluate the security practices of third-party vendors and service providers before engagement, including review of their security certifications, policies, and controls.
8.2 Contractual Requirements
Contracts with third parties include security and privacy requirements, including data protection obligations and incident notification provisions.
8.3 Ongoing Monitoring
We regularly review vendor security practices and compliance with contractual obligations.
9. Security Certifications and Compliance
9.1 Standards Compliance
We align our security practices with recognized industry standards and frameworks, which may include:
ISO/IEC 27001 Information Security Management
SOC 2 Type II Trust Service Criteria
Industry-specific security requirements applicable to our services
9.2 Regular Audits
Independent third-party auditors periodically assess our security controls and practices to verify compliance with applicable standards.
10. User Responsibilities
10.1 Account Security
Users are responsible for:
Password Protection: Creating strong passwords and keeping them confidential.
Account Monitoring: Reviewing account activity for unauthorized access.
Prompt Reporting: Immediately reporting suspected security incidents or unauthorized access.
Secure Devices: Ensuring devices used to access our services are secure and updated.
10.2 Multi-Factor Authentication
We strongly recommend enabling multi-factor authentication for enhanced account protection. Certain account types may require multi-factor authentication.
11. Data Retention and Deletion
11.1 Retention Periods
We retain your data only as long as necessary for business purposes, legal obligations, or as specified in our agreements with you.
11.2 Secure Deletion
When data is deleted:
Data is removed from active systems within a reasonable timeframe.
Backup copies are deleted according to our backup retention schedule.
Deletion methods prevent recovery of the data.
Physical media containing data is securely destroyed when retired.
12. Security Updates and Improvements
12.1 Continuous Improvement
We continuously evaluate and enhance our security measures to address evolving threats and incorporate new technologies and best practices.
12.2 Vulnerability Management
We maintain a vulnerability management program including:
Regular vulnerability scanning and assessment
Prioritized remediation based on risk
Tracking and verification of security patches
13. Reporting Security Concerns
13.1 Vulnerability Disclosure
If you discover a security vulnerability in our services, please report it to us immediately at support@caldorentis.com. We appreciate responsible disclosure and will work with you to address valid security issues.
13.2 Security Contact
For security-related inquiries or to report security incidents, contact us at:
Email: support@caldorentis.com
Phone: +27215303300
Address: R1834 Prince Mangosuthu Buthelezi Road Section 7, Madadeni, Newcastle, 2940, South Africa
14. Limitations
14.1 No Absolute Security
While we implement comprehensive security measures, no system can be completely secure. We cannot guarantee absolute security of data transmitted or stored through our services.
14.2 User Actions
We are not responsible for security breaches resulting from user actions, including sharing passwords, using insecure devices, or falling victim to phishing attacks.
15. Policy Updates
15.1 Modifications
We may update this Security Policy to reflect changes in our practices, technologies, legal requirements, or other factors. Significant changes will be communicated through our website or direct notification.
15.2 Review
We encourage you to review this policy periodically to stay informed about how we protect your information.
16. Contact Information
For questions about this Security Policy or our security practices, please contact us:
Caldorentis
R1834 Prince Mangosuthu Buthelezi Road Section 7
Madadeni, Newcastle, 2940
South Africa
Email: support@caldorentis.com
Phone: +27215303300
This Security Policy demonstrates our commitment to protecting your data and maintaining the trust you place in our services. Your security is our priority.