Security Policy
Last Updated: January 2, 2025
At Tulandro, we are committed to protecting the security and integrity of our platform, our users' data, and our systems. This Security Policy outlines the measures we implement to safeguard information and maintain a secure learning environment.
1. Information Security Framework
1.1 Security Principles
Our security framework is built on the following core principles:
Confidentiality: Ensuring that information is accessible only to those authorized to access it.
Integrity: Maintaining the accuracy and completeness of information and processing methods.
Availability: Ensuring that authorized users have reliable access to information and resources when needed.
Authentication: Verifying the identity of users and systems before granting access.
Authorization: Controlling what authenticated users are permitted to access and do.
1.2 Security Standards
We maintain security practices aligned with industry-recognized standards and best practices, implementing controls appropriate to the nature and scope of our services.
2. Data Protection Measures
2.1 Encryption
We employ encryption technologies to protect data:
Data in Transit: All data transmitted between users and our platform is encrypted using industry-standard protocols such as TLS (Transport Layer Security) to prevent interception and unauthorized access.
Data at Rest: Sensitive information stored on our systems is encrypted using appropriate encryption algorithms to protect against unauthorized access.
Password Protection: User passwords are hashed using strong, one-way cryptographic algorithms and are never stored in plain text.
2.2 Access Controls
We implement strict access control measures:
Principle of Least Privilege: System access is granted based on the minimum level necessary to perform required functions.
Role-Based Access: Permissions are assigned according to user roles and responsibilities.
Authentication Requirements: Multi-factor authentication is available and encouraged for user accounts.
Session Management: Automatic session timeouts and secure session handling protect against unauthorized access.
Administrative Access: Administrative privileges are restricted, monitored, and regularly reviewed.
2.3 Data Segregation
User data is logically segregated to prevent unauthorized cross-access between different users, organizations, or workshops. Access controls ensure users can only view and modify data they are authorized to access.
3. Infrastructure Security
3.1 Network Security
Our network infrastructure includes:
Firewalls: Network firewalls filter traffic and protect against unauthorized access attempts.
Intrusion Detection: Systems monitor for suspicious activity and potential security threats.
Network Segmentation: Network architecture separates different system components to limit potential exposure.
DDoS Protection: Measures are in place to mitigate distributed denial-of-service attacks.
3.2 Server and Application Security
We maintain secure server and application environments:
Regular Updates: Operating systems, applications, and security software are kept current with security patches.
Vulnerability Scanning: Regular automated and manual assessments identify potential security weaknesses.
Secure Configuration: Systems are configured according to security best practices, with unnecessary services disabled.
Code Security: Application code undergoes security review and testing to identify and remediate vulnerabilities.
3.3 Physical Security
Our data hosting facilities implement physical security measures, including access controls, surveillance, environmental controls, and redundant power and network connectivity. We select infrastructure providers with appropriate security certifications and controls.
4. Operational Security
4.1 Security Monitoring
We maintain continuous security monitoring:
Log Management: System and application logs are collected, protected, and regularly reviewed.
Activity Monitoring: User and system activities are monitored for anomalous behavior.
Incident Detection: Automated and manual processes identify potential security incidents.
Alerting: Security alerts notify appropriate personnel of potential threats or anomalies.
4.2 Backup and Recovery
We implement comprehensive backup and disaster recovery measures:
Regular Backups: Data is backed up regularly according to defined schedules.
Backup Security: Backups are encrypted and stored securely with appropriate access controls.
Recovery Testing: Backup restoration procedures are tested periodically to ensure reliability.
Business Continuity: Disaster recovery plans are maintained to ensure service continuity.
4.3 Change Management
System changes follow controlled processes:
Review and Approval: Changes undergo review and approval before implementation.
Testing: Changes are tested in non-production environments before deployment.
Documentation: Changes are documented to maintain system integrity and facilitate troubleshooting.
Rollback Capability: Procedures exist to reverse changes if issues arise.
5. Personnel Security
5.1 Access Management
Personnel access is carefully managed:
Background Verification: Personnel with access to sensitive systems or data undergo appropriate screening.
Confidentiality Obligations: Personnel are bound by confidentiality agreements.
Access Provisioning: System access is granted based on job requirements and promptly revoked when no longer needed.
Access Reviews: Personnel access rights are reviewed regularly and adjusted as necessary.
5.2 Security Training
Personnel receive security awareness training covering:
Security policies and procedures
Data protection requirements
Threat awareness and phishing prevention
Incident reporting procedures
Secure development practices for technical personnel
6. Application Security
6.1 Secure Development
Our development practices incorporate security throughout the lifecycle:
Security Requirements: Security considerations are integrated into design and requirements.
Code Review: Code undergoes review to identify security issues.
Security Testing: Applications are tested for common vulnerabilities including injection attacks, cross-site scripting, authentication flaws, and other security weaknesses.
Dependency Management: Third-party components are tracked and updated to address known vulnerabilities.
6.2 Input Validation
All user input is validated and sanitized to prevent injection attacks and ensure data integrity. Output encoding prevents cross-site scripting and other injection-based attacks.
6.3 API Security
Application programming interfaces implement appropriate security controls including authentication, authorization, rate limiting, input validation, and secure communication protocols.
7. Third-Party Security
7.1 Vendor Management
Third-party service providers are evaluated for security:
Security Assessment: Vendors undergo security evaluation before engagement.
Contractual Requirements: Vendor agreements include appropriate security and data protection obligations.
Ongoing Monitoring: Vendor security practices are reviewed periodically.
Limited Access: Third-party access to our systems and data is restricted to what is necessary.
7.2 Integration Security
Integrations with third-party services implement secure authentication, encrypted communication, and appropriate access controls. Data shared with third parties is limited to what is necessary for the integration purpose.
8. Incident Response
8.1 Incident Management
We maintain an incident response process:
Incident Detection: Security monitoring identifies potential incidents.
Incident Classification: Incidents are classified by severity and impact.
Response Procedures: Defined procedures guide incident investigation and response.
Containment and Remediation: Actions are taken to contain incidents and prevent further impact.
Recovery: Affected systems and data are restored to normal operation.
Post-Incident Review: Incidents are analyzed to identify improvements.
8.2 Notification
In the event of a security incident that affects user data or platform security, we will notify affected parties in accordance with applicable requirements and our Privacy Policy. Notifications will be made without undue delay and will include relevant information about the incident and recommended actions.
9. Compliance and Auditing
9.1 Security Assessments
We conduct regular security assessments including:
Vulnerability Assessments: Regular scanning and testing for security weaknesses.
Penetration Testing: Periodic testing by qualified personnel to identify potential vulnerabilities.
Security Audits: Review of security controls and practices.
Risk Assessments: Evaluation of security risks and mitigation strategies.
9.2 Audit Logging
Security-relevant events are logged to support security monitoring, incident investigation, and compliance. Logs are protected against unauthorized access and modification and are retained for appropriate periods.
9.3 Compliance
We maintain security practices designed to comply with applicable legal, regulatory, and contractual requirements related to information security and data protection.
10. User Responsibilities
10.1 Account Security
Users are responsible for maintaining the security of their accounts:
Password Security: Create strong, unique passwords and keep them confidential.
Authentication: Enable multi-factor authentication when available.
Account Monitoring: Monitor account activity and report suspicious behavior.
Secure Devices: Access the platform from secure, trusted devices.
Logout: Log out when finished, especially on shared devices.
10.2 Acceptable Use
Users must use the platform in accordance with our Terms of Service and must not:
Attempt to gain unauthorized access to systems or data
Introduce malicious code or harmful content
Interfere with platform security measures
Share account credentials with others
Engage in activities that could compromise platform security
10.3 Reporting Security Issues
Users who identify security vulnerabilities or incidents should report them immediately to our security team at [email protected]. We appreciate responsible disclosure and will work with reporters to address legitimate security concerns.
11. Security Breach Notification
If we become aware of a security breach that results in unauthorized access to user data, we will:
Investigate: Promptly investigate the nature and scope of the breach.
Contain: Take immediate action to contain the breach and prevent further unauthorized access.
Notify: Notify affected users without undue delay, providing information about the breach, data affected, and recommended protective measures.
Remediate: Implement measures to prevent similar incidents in the future.
Cooperate: Cooperate with relevant authorities as required.
12. Limitations and Disclaimers
While we implement comprehensive security measures, no system is completely secure. We cannot guarantee absolute security and are not responsible for:
Security breaches resulting from user actions, such as sharing credentials or falling victim to phishing
Vulnerabilities in user devices, networks, or third-party software
Unauthorized access resulting from circumstances beyond our reasonable control
Security issues in third-party integrations chosen by users
Users acknowledge that they use the platform at their own risk and are responsible for implementing appropriate security measures for their own devices and networks.
13. Policy Updates
We may update this Security Policy to reflect changes in our security practices, technologies, legal requirements, or platform features. When we make material changes, we will notify users through the platform, by email, or by updating the "Last Updated" date at the top of this policy.
We encourage users to review this policy periodically to stay informed about how we protect information and maintain platform security.
14. Contact Information
For questions, concerns, or reports regarding security, please contact us:
For security vulnerability reports, please use the subject line "Security Issue" to ensure prompt attention from our security team.
This Security Policy is effective as of the last updated date shown above and applies to all users of the Tulandro platform.
