Purpose
Cafiyn is committed to protecting the confidentiality, integrity, availability, and privacy of information entrusted to us by customers, partners, employees, and users.
This Information Security Policy outlines the administrative, technical, and organizational controls implemented by Cafiyn to manage information security risks.
Scope
This Policy applies to:
- Cafiyn websites
- Web applications
- Customer portals
- Internal systems
- Cloud infrastructure
- Employees
- Contractors
- Service providers with access to Cafiyn systems
Security governance
Cafiyn maintains a risk-based security program designed to:
- Identify threats
- Assess vulnerabilities
- Reduce risk exposure
- Protect information assets
- Maintain service reliability
- Security controls are reviewed periodically and updated based on business requirements and emerging
- threats.
Access control
Access to systems and information is granted based on business need and least privilege principles.
Controls include:
- Unique user accounts
- Role-based access
- Password requirements
- Multi-factor authentication where supported
- Access reviews
- Timely deprovisioning
- Users are prohibited from sharing credentials.
Authentication
Authentication controls include:
- Strong password standards
- Secure credential storage
- Authentication monitoring
- Session management controls
- Passwords are never stored in plaintext.
Data classification
Information may be classified as:
- Public
- Information approved for public disclosure.
- Internal
- Operational information not intended for public distribution.
- Confidential
- Business-sensitive information requiring restricted access.
- Restricted
- Highly sensitive information requiring enhanced safeguards.
- Access controls are applied according to classification.
Data protection
Cafiyn implements safeguards designed to protect information against unauthorized access, disclosure, alteration, or destruction.
Measures include:
- Encryption in transit using TLS
- Secure cloud storage controls
- Access restrictions
- Audit logging
- Monitoring controls
Application security
Security practices may include:
- Secure software development practices
- Dependency management
- Code review procedures
- Security testing
- Vulnerability remediation
- Security issues identified during development are prioritized based on risk.
Cloud security
Cafiyn utilizes reputable cloud service providers that maintain industry-standard security controls.
Cloud environments may include:
- Network segmentation
- Security monitoring
- Access management
- Backup controls
- Availability protections
Logging and monitoring
Security-relevant activities may be logged and monitored including:
- Authentication events
- Access events
- Administrative actions
- Security alerts
- Application errors
- Logs are retained according to operational and legal requirements.
Vulnerability management
Cafiyn maintains processes for:
- Vulnerability identification
- Risk assessment
- Remediation planning
- Security updates
- Critical vulnerabilities are prioritized for remediation.
Incident response
Cafiyn maintains procedures to:
- Detect incidents
- Investigate incidents
- Contain threats
- Recover operations
- Improve controls
- Security incidents are handled according to internal response procedures.
Breach notification
Where legally required and where customer information is affected, Cafiyn will provide notification without undue delay following confirmation of a reportable incident.
Notifications may include:
- Nature of incident
- Known impact
- Containment measures
- Recommended actions
Backup and recovery
Appropriate backup measures are implemented to support business continuity and disaster recovery objectives.
Backup procedures may include:
- Automated backups
- Periodic restoration testing
- Access restrictions
- Secure retention
Business continuity
Cafiyn maintains reasonable measures to support continuity of operations during disruptive events.
Such measures may include:
- Cloud redundancy
- Backup systems
- Recovery procedures
- Incident management processes
Employee security
Personnel with system access may be subject to:
- Confidentiality obligations
- Security awareness training
- Access reviews
- Policy acknowledgements
- Access is revoked upon termination of employment or engagement.
Third-party risk management
Third-party providers may be evaluated based on:
- Security posture
- Service reliability
- Data protection practices
- Contractual obligations
- Only authorized providers are permitted access to business-critical systems.
Responsible disclosure
Security researchers who discover vulnerabilities are encouraged to report them responsibly.
Reports should include:
- Description of issue
- Steps to reproduce
- Potential impact
- Supporting evidence
- Reports should be sent to:
- infosec@cafiyn.com
Prohibited security testing
Without prior written authorization, individuals may not:
- Conduct denial-of-service attacks
- Access customer information
- Modify production systems
- Perform destructive testing
- Exploit vulnerabilities beyond proof of concept
- Unauthorized activities may result in legal action.
Policy review
This Policy may be reviewed and updated periodically to reflect changes in technology, threats, legal requirements, or business operations.
Contact
Security Contact
Email: infosec@cafiyn.com
For security inquiries, vulnerability reports, compliance requests, or security questionnaires, contact the above address.