Security Policy

Effective Date: January 2, 2026 | Last Updated: January 2, 2026

Overview: ExchangeGuardians is committed to protecting your data and maintaining the highest standards of information security. This policy outlines our security controls, incident response processes, and compliance certifications.

1. Security Principles

Our security program is built on these principles:

  • Defense in Depth: Multiple layers of controls across networks, applications, and infrastructure
  • Zero Trust: Assume breach; verify every access request with MFA and least privilege
  • Confidentiality, Integrity, Availability: Protect data from unauthorized access, modification, and loss
  • Continuous Monitoring: Real-time threat detection and incident response
  • Transparency: Regular security reports and third-party audits

2. Data Encryption

2.1 In-Transit Encryption

  • TLS 1.2+: All communication between your browser, applications, and our servers uses TLS 1.2 or higher
  • HTTPS Enforcement: The entire site and platform operate under HTTPS; HTTP traffic is redirected
  • Certificate Management: Certificates are issued by trusted certificate authorities; we monitor expiration and renewal
  • Forward Secrecy: Session keys are ephemeral; past traffic cannot be decrypted even if long-term keys are compromised
  • API Encryption: All API traffic uses TLS 1.2+ with certificate pinning for sensitive endpoints

2.2 At-Rest Encryption

  • Database Encryption: All data at rest is encrypted using AES-256 encryption
  • Key Management: Encryption keys are stored in a secure Hardware Security Module (HSM) or managed key vault with access logging
  • Backup Encryption: All backups are encrypted and stored in geographically distributed, secured locations
  • Disk-Level Encryption: All storage devices and volumes use full-disk encryption (BitLocker, LUKS, or equivalent)
  • Secrets Management: API keys, credentials, and secrets are encrypted and never logged or displayed in plaintext

2.3 Field-Level Encryption

Highly sensitive fields (e.g., authentication credentials, access tokens) are encrypted at the application level using AES-256 before storage, ensuring protection even if database access is compromised.

3. Access Control & Authentication

3.1 Multi-Factor Authentication (MFA)

  • Required for all employee and admin accounts
  • Supported methods: TOTP (Google Authenticator, Authy), hardware security keys (FIDO2), and SMS (as fallback)
  • Optional for user accounts; we strongly recommend enabling MFA for all users
  • MFA recovery codes are securely stored and rotated periodically

3.2 Role-Based Access Control (RBAC)

  • All employees and service accounts follow the principle of least privilege (PoLP)
  • Roles are defined by job function; access is granted only to resources required for that role
  • Quarterly access reviews ensure stale or inappropriate access is removed
  • Privileged accounts (admins, engineers) have additional monitoring and restrictions

3.3 Session Management

  • Session tokens are cryptographically secure and rotated on authentication
  • Sessions expire after 60 minutes of inactivity for the web portal and after 8 hours for the API
  • Users can force-logout all active sessions from their account settings
  • Session tokens are set as HttpOnly, Secure cookies and cannot be accessed from JavaScript

4. Network Security

4.1 Infrastructure

  • Cloud Hosting: Deployed on AWS or Azure with DDoS protection, WAF, and VPC isolation
  • Network Segmentation: Production, staging, and development environments are isolated
  • Firewalls: All ingress/egress traffic filtered; only necessary ports are open
  • DDoS Protection: Cloudflare, AWS Shield, or equivalent DDoS mitigation

4.2 Vulnerability Management

  • Scanning: Continuous vulnerability scanning using tools like Nessus, Qualys, or equivalent
  • Dependency Monitoring: Software dependencies are monitored for known vulnerabilities; patches are applied within 7 days of release (critical) or 30 days (standard)
  • Penetration Testing: Annual third-party penetration testing; findings are remediated before deployment to production
  • Disclosure Program: We encourage responsible disclosure via security@exchangeguardians.com; we do not pursue legal action for good-faith disclosures

4.3 WAF & Rate Limiting

  • Web Application Firewall (WAF) protects against OWASP Top 10 attacks (SQLi, XSS, CSRF, etc.)
  • Rate limiting prevents brute-force attacks and API abuse; excessive requests are blocked
  • IP reputation lists and bot detection prevent malicious traffic

5. Application Security

5.1 Secure Development

  • SSDLC: Secure Software Development Lifecycle practices are followed
  • Code Review: All code changes are peer-reviewed before merging; security-focused reviews are mandatory
  • Static Analysis: SAST tools scan code for security issues before deployment
  • Dynamic Analysis: DAST tools test running applications for vulnerabilities
  • Dependency Scanning: SCA tools identify vulnerable third-party libraries

5.2 Input Validation & Output Encoding

  • All user input is validated server-side against strict whitelists
  • Output is encoded according to its context (HTML encoding, JavaScript escaping, URL encoding, etc.)
  • Protection against injection attacks (SQL, LDAP, command injection, template injection)

5.3 Authentication & Authorization

  • Passwords are hashed with bcrypt (or equivalent) using random salts; we never store plaintext passwords
  • Authorization checks are enforced server-side; client-side checks are not trusted
  • API tokens are rotated regularly and have expiration dates
  • OAuth 2.0 is supported for third-party integrations

6. Data Security & Privacy

6.1 Data Minimization

  • We collect only data necessary to provide Services and comply with legal obligations
  • Unnecessary data is not retained; scheduled purges remove old logs and temporary data
  • Personally identifiable information (PII) is anonymized or pseudonymized where possible

6.2 Data Classification

Data is classified by sensitivity:

  • Public: Publicly available information (marketing content, documentation)
  • Internal: Internal business data (employee records, financials)
  • Confidential: Customer data, tenant information, diagnostic logs
  • Restricted: Credentials, encryption keys, security audit results

Each classification has corresponding access and retention controls.

6.3 Data Retention & Deletion

  • Data is retained only as long as required by contract, legal obligation, or business need
  • Upon a deletion request, data is securely purged in accordance with DoD 5220.22-M or NIST standards
  • Automated processes delete old logs, temporary files, and inactive accounts
  • Backups containing deleted data are deleted after their retention period (typically 90 days)

7. Incident Response & Breach Notification

7.1 Incident Response Plan

  • 24/7 Monitoring: The security team monitors logs, alerts, and threat intelligence in real time
  • Escalation Procedures: Critical incidents are escalated immediately to leadership and legal
  • Investigation & Containment: Incidents are contained, investigated, and remediated within defined timeframes
  • Post-Incident Reviews: Root cause analysis and corrective actions are documented

7.2 Breach Notification

If a security breach affects your personal data:

  • Timeline: We notify affected parties within 72 hours (per GDPR) or as required by law
  • Content: Notification includes nature of breach, data affected, steps we're taking, and your rights
  • Transparency: We provide a detailed incident report and technical analysis
  • Remediation: We provide credit monitoring or other appropriate remediation

8. Business Continuity & Disaster Recovery

8.1 Availability & Uptime

  • Target: 99.95% uptime for production systems (excluding planned maintenance)
  • Redundancy: Multi-region deployment; automatic failover in case of regional outage
  • Load Balancing: Traffic is distributed across multiple servers; single-server failures do not cause downtime
  • Monitoring: Real-time monitoring with alerting for degraded performance or outages

8.2 Backup & Recovery

  • Backup Frequency: Full backups daily; incremental backups hourly
  • Geographic Redundancy: Backups are stored in multiple geographic regions
  • Recovery Testing: Quarterly recovery drills ensure we can restore from backups within 4 hours
  • Point-in-Time Recovery: Data can be recovered to any point within the last 30 days

9. Compliance & Certifications

We maintain or are pursuing the following certifications:

  • SOC 2 Type II: Annual audit of security, availability, and confidentiality controls
  • ISO 27001: Information security management system certification (target: 2024)
  • GDPR Compliance: GDPR-compliant data processing, DPA execution, and privacy impact assessments
  • CCPA Compliance: California Consumer Privacy Act compliance and user rights fulfillment
  • Cyber Essentials: Alignment with NCSC Cyber Essentials baseline controls

10. Third-Party Risk Management

10.1 Vendor Assessment

  • All vendors (cloud providers, SaaS tools, service providers) undergo security assessment
  • Vendors must provide SOC 2, ISO 27001, or equivalent certifications
  • Security questionnaires are completed for all critical vendors
  • Annual re-assessment ensures continued compliance

10.2 Data Processing Agreements (DPA)

  • All data processors execute DPAs with Standard Contractual Clauses (SCCs) for international transfers
  • DPAs specify data processing scope, security obligations, and audit rights
  • We audit vendor security practices at least annually

11. Employee Security & Training

  • Background Checks: All employees undergo background checks
  • Security Training: Mandatory annual security awareness training covering phishing, data handling, and incident response
  • Confidentiality: All employees sign confidentiality agreements
  • Offboarding: Upon termination, all access is revoked and devices are securely wiped

12. Responsible Disclosure & Bug Bounty

We take security research seriously and encourage responsible disclosure.

12.1 Reporting a Vulnerability

If you discover a security vulnerability:

  • Email us at security@exchangeguardians.com with:
      • A description of the vulnerability
      • A proof of concept (if applicable)
      • Steps to reproduce
      • Your contact information and preferred acknowledgment

12.2 Our Commitment

  • We acknowledge receipt within 24 hours
  • We provide a timeline for fix and coordinated disclosure
  • We do not pursue legal action against good-faith researchers
  • We publicly acknowledge your contribution (if desired)
  • We may offer a monetary reward for critical vulnerabilities (bug bounty program to be announced)

13. Security Audit & Testing

  • Annual Penetration Testing: Independent third-party tests by certified ethical hackers
  • Quarterly Vulnerability Scans: Automated scanning identifies known vulnerabilities
  • Code Review: All code changes undergo security-focused peer review
  • Red Team Exercises: Internal security team simulates attacks to test defenses
  • Audit Reports: Available to customers under NDA; contact security@exchangeguardians.com

14. Physical Security

  • Data Centers: Cloud-hosted on AWS/Azure with industry-leading physical security, surveillance, and access controls
  • Office Security: Badge access, surveillance, alarm systems, and visitor logs
  • Device Security: All devices (laptops, phones) are encrypted, tracked, and can be remotely wiped

15. Changes to This Security Policy

This policy may be updated periodically to reflect new threats, technologies, or regulatory requirements. Material changes will be communicated to customers. Continued use of our Services indicates acceptance of updates.

16. Contact & Questions

For security concerns or questions:

Version: 1.0 | Effective: January 2, 2026

This security policy reflects our commitment to protecting your data and maintaining enterprise-grade security practices. We are transparent about our controls and welcome security audits.