Security at Selfeey

Protecting the confidentiality, integrity, and availability of your information assets through comprehensive security governance.

Security Features

Enterprise-grade security protecting your data at every level

Data Protection & Encryption

Industry-standard encryption at rest and in transit with secure key management

Multi-Factor Authentication

MFA required for administrative accounts, privileged access, and sensitive systems

Role-Based Access Control

Least privilege and need-to-know principles with periodic access reviews

Continuous Monitoring

Real-time monitoring with centralized logging and anomaly detection

Secure Infrastructure

Cloud, on-premise, and hybrid environments with environment segregation

Compliance & Governance

Meeting contractual, regulatory, and compliance obligations

Certifications & Compliance

Independently verified security and compliance standards

  • ISO 27001 - Information Security
  • GDPR - Data Protection
  • India Laws - Compliance

1. Access Control

Role-Based Access Control (RBAC)

  • Access rights assigned based on job roles and responsibilities
  • Privileges reviewed periodically and revoked upon role change or termination
  • Strict enforcement to prevent unauthorized access

Least Privilege & Need-to-Know

  • Users granted only minimum access required to perform duties
  • Sensitive data access restricted and monitored
  • Regular access reviews and audits

Authentication & Authorization

  • Strong authentication mechanisms enforced
  • Multi-Factor Authentication (MFA) required for administrative accounts
  • MFA required for privileged access and sensitive systems

2. Data Protection & Encryption

Data Classification

  • Public - Openly available information
  • Internal - For internal use only
  • Confidential - Sensitive business information
  • Restricted - Highly sensitive, strictly controlled
  • Handling requirements vary based on classification

Encryption Standards

  • Data encrypted at rest using industry-standard cryptographic algorithms
  • Data encrypted in transit using secure protocols
  • Industry-standard encryption methods applied consistently

Key Management

  • Cryptographic keys securely generated and stored
  • Regular key rotation and secure retirement
  • Access to keys strictly controlled and logged

3. Systems & Application Security

Secure Development Lifecycle (SDLC)

  • Secure coding standards followed across development
  • Code reviews and vulnerability assessments conducted
  • Security integrated from design through deployment
  • Regular testing and validation procedures

Environment Segregation

  • Development, testing, staging, and production environments logically separated
  • Access to production systems restricted and monitored
  • Clear separation of duties and responsibilities

Patch & Configuration Management

  • Systems regularly patched to address vulnerabilities
  • Secure baseline configurations enforced
  • Hardening standards applied consistently

4. Monitoring & Logging

Centralized Logging

  • Centralized, tamper-evident logging implemented
  • Logs capture access and authentication events
  • Transaction and configuration changes logged
  • AI outputs and activities tracked

Continuous Monitoring

  • Systems continuously monitored for suspicious activity
  • Alerts generated for anomalous behavior
  • Policy violations detected and reported
  • Real-time threat detection capabilities

Audit Trails

  • Audit logs retained per legal requirements
  • Regulatory obligations met
  • Internal compliance policies followed
  • Comprehensive audit trail maintenance

5. Incident Response

Incident Management Framework

  • Detection and reporting procedures
  • Assessment and investigation protocols
  • Containment and eradication measures
  • Recovery and restoration processes

Reporting Obligations

  • Immediate reporting to designated security team
  • Regulatory authorities notified where required by law
  • Affected stakeholders informed as necessary

Post-Incident Review

  • Root cause analysis conducted
  • Corrective actions implemented
  • Preventive measures established
  • Lessons learned documented

6. Training & Awareness

  • Mandatory periodic security awareness training for all employees
  • Role-specific training for users handling sensitive data
  • Specialized training for users managing sensitive systems
  • Security responsibilities communicated clearly
  • Regular reinforcement of security practices

7. Third-Party & Vendor Security

  • Vendors must meet Selfeey's security requirements
  • Security due diligence performed before onboarding
  • Contracts include confidentiality obligations
  • Data protection requirements enforced
  • Ongoing security assessments of third parties

8. Governance & Responsibilities

Board & Senior Management

  • Provide oversight and strategic direction for information security
  • Approve security policies and allocate adequate resources
  • Review security posture, risks, and major incidents

Information Security Officer (ISO)

  • Implement and maintain information security program
  • Conduct risk assessments and security audits
  • Ensure compliance with laws, standards, and policies
  • Coordinate incident response and remediation

Employees & Authorized Users

  • Comply with security policies and procedures
  • Protect credentials and sensitive information
  • Report suspected security incidents promptly
  • Report vulnerabilities or policy violations

Report a Security Vulnerability

Security incidents must be reported immediately to our designated security team. We take all reports seriously and respond promptly.

Security Team: security@selfeey.com

Information Security Officer: iso@selfeey.com

Non-compliance with security policies may result in access suspension, disciplinary action, or legal remedies. All security incidents are investigated thoroughly.

This Security Policy is governed by the laws of India. Courts of competent jurisdiction in India have exclusive authority over disputes.

Security Policy Information

Scope: This policy applies to all Selfeey information assets including cloud, on-premise, hybrid environments, AI platforms, and all authorized users.

Review: This policy is reviewed at least annually or upon significant business changes, technology updates, or regulatory changes.

Enforcement: Failure to comply may result in disciplinary or legal action.