Security Policy

Last updated: 14 June 2026

Purpose

Cafiyn is committed to protecting the confidentiality, integrity, availability, and privacy of information entrusted to us by customers, partners, employees, and users.

This Information Security Policy outlines the administrative, technical, and organizational controls implemented by Cafiyn to manage information security risks.

Scope

This Policy applies to:

  • Cafiyn websites
  • Web applications
  • Customer portals
  • Internal systems
  • Cloud infrastructure
  • Employees
  • Contractors
  • Service providers with access to Cafiyn systems

Security governance

Cafiyn maintains a risk-based security program designed to:

  • Identify threats
  • Assess vulnerabilities
  • Reduce risk exposure
  • Protect information assets
  • Maintain service reliability
  • Security controls are reviewed periodically and updated based on business requirements and emerging
  • threats.

Access control

Access to systems and information is granted based on business need and least privilege principles.

Controls include:

  • Unique user accounts
  • Role-based access
  • Password requirements
  • Multi-factor authentication where supported
  • Access reviews
  • Timely deprovisioning
  • Users are prohibited from sharing credentials.

Authentication

Authentication controls include:

  • Strong password standards
  • Secure credential storage
  • Authentication monitoring
  • Session management controls
  • Passwords are never stored in plaintext.

Data classification

Information may be classified as:

  • Public
  • Information approved for public disclosure.
  • Internal
  • Operational information not intended for public distribution.
  • Confidential
  • Business-sensitive information requiring restricted access.
  • Restricted
  • Highly sensitive information requiring enhanced safeguards.
  • Access controls are applied according to classification.

Data protection

Cafiyn implements safeguards designed to protect information against unauthorized access, disclosure, alteration, or destruction.

Measures include:

  • Encryption in transit using TLS
  • Secure cloud storage controls
  • Access restrictions
  • Audit logging
  • Monitoring controls

Application security

Security practices may include:

  • Secure software development practices
  • Dependency management
  • Code review procedures
  • Security testing
  • Vulnerability remediation
  • Security issues identified during development are prioritized based on risk.

Cloud security

Cafiyn utilizes reputable cloud service providers that maintain industry-standard security controls.

Cloud environments may include:

  • Network segmentation
  • Security monitoring
  • Access management
  • Backup controls
  • Availability protections

Logging and monitoring

Security-relevant activities may be logged and monitored including:

  • Authentication events
  • Access events
  • Administrative actions
  • Security alerts
  • Application errors
  • Logs are retained according to operational and legal requirements.

Vulnerability management

Cafiyn maintains processes for:

  • Vulnerability identification
  • Risk assessment
  • Remediation planning
  • Security updates
  • Critical vulnerabilities are prioritized for remediation.

Incident response

Cafiyn maintains procedures to:

  • Detect incidents
  • Investigate incidents
  • Contain threats
  • Recover operations
  • Improve controls
  • Security incidents are handled according to internal response procedures.

Breach notification

Where legally required and where customer information is affected, Cafiyn will provide notification without undue delay following confirmation of a reportable incident.

Notifications may include:

  • Nature of incident
  • Known impact
  • Containment measures
  • Recommended actions

Backup and recovery

Appropriate backup measures are implemented to support business continuity and disaster recovery objectives.

Backup procedures may include:

  • Automated backups
  • Periodic restoration testing
  • Access restrictions
  • Secure retention

Business continuity

Cafiyn maintains reasonable measures to support continuity of operations during disruptive events.

Such measures may include:

  • Cloud redundancy
  • Backup systems
  • Recovery procedures
  • Incident management processes

Employee security

Personnel with system access may be subject to:

  • Confidentiality obligations
  • Security awareness training
  • Access reviews
  • Policy acknowledgements
  • Access is revoked upon termination of employment or engagement.

Third-party risk management

Third-party providers may be evaluated based on:

  • Security posture
  • Service reliability
  • Data protection practices
  • Contractual obligations
  • Only authorized providers are permitted access to business-critical systems.

Responsible disclosure

Security researchers who discover vulnerabilities are encouraged to report them responsibly.

Reports should include:

  • Description of issue
  • Steps to reproduce
  • Potential impact
  • Supporting evidence
  • Reports should be sent to:
  • infosec@cafiyn.com

Prohibited security testing

Without prior written authorization, individuals may not:

  • Conduct denial-of-service attacks
  • Access customer information
  • Modify production systems
  • Perform destructive testing
  • Exploit vulnerabilities beyond proof of concept
  • Unauthorized activities may result in legal action.

Policy review

This Policy may be reviewed and updated periodically to reflect changes in technology, threats, legal requirements, or business operations.

Contact

Security Contact

Email: infosec@cafiyn.com

For security inquiries, vulnerability reports, compliance requests, or security questionnaires, contact the above address.

Questions about this policy? Email infosec@cafiyn.com.

← Back to Security