Security Policy
Last updated: April 24, 2024
Nefudapris ("we", "us", or "our") is committed to protecting the security of information processed through our platform at nefudapris.biz. This Security Policy describes the technical and organisational measures we implement to safeguard data against unauthorised access, disclosure, alteration, and destruction.
1. Scope
This policy applies to all systems, networks, applications, and data under our operational control, including infrastructure supporting our online learning platform and related services. It covers all personnel, contractors, and third-party service providers who access our systems.
2. Information We Protect
We apply security controls to all categories of data processed on our platform, including but not limited to:
| Data Category | Examples |
|---|---|
| Account information | Names, email addresses, authentication credentials |
| Usage data | Learning progress, session activity, feature interactions |
| Payment information | Billing details processed via third-party payment processors |
| Communications | Support messages, feedback submissions |
| Technical data | IP addresses, device identifiers, log files |
3. Infrastructure Security
3.1 Hosting and Network
Our services are hosted on reputable cloud infrastructure providers that maintain recognised security certifications. Network traffic is segmented and monitored. Firewalls and intrusion detection systems are configured to restrict unauthorised access. Administrative access to production infrastructure is limited to authorised personnel and requires multi-factor authentication.
3.2 Data Encryption
All data transmitted between users and our platform is encrypted using TLS 1.2 or higher. Data stored on our servers is encrypted at rest using industry-standard encryption algorithms. Encryption keys are managed using dedicated key management services with strict access controls and rotation schedules.
3.3 Physical Security
Our infrastructure resides in data centres that enforce physical access controls including badge authentication, surveillance, and environmental protections against fire, flood, and power failure. We do not operate our own physical data centres; instead, we rely on certified third-party facilities.
4. Application Security
4.1 Secure Development Practices
Our development teams follow a secure software development lifecycle. Security considerations are incorporated at the design, implementation, testing, and deployment stages. Code reviews include security checks, and developers receive regular training on secure coding practices.
4.2 Vulnerability Management
We perform regular vulnerability assessments and penetration testing on our applications and infrastructure. Identified vulnerabilities are classified by severity and remediated according to defined timelines. Critical vulnerabilities are treated as immediate priorities and resolved without delay.
4.3 Dependency and Patch Management
Third-party libraries and software dependencies are reviewed regularly. Security patches for operating systems, application frameworks, and supporting software are applied promptly following risk assessment and testing.
4.4 Authentication and Access Control
User accounts are protected by password hashing using modern algorithms. We support multi-factor authentication for account access and strongly encourage all users to enable it. Access to administrative functions follows the principle of least privilege, granting only the permissions necessary to perform defined tasks.
5. Organisational Security
5.1 Personnel
All employees and contractors with access to systems or data are subject to confidentiality obligations. Access rights are provisioned based on job function and reviewed periodically. Access is promptly revoked upon role change or termination of engagement.
5.2 Security Awareness
We maintain an ongoing security awareness programme. Personnel receive training on recognising phishing attempts, handling sensitive information, and following secure operational procedures.
5.3 Third-Party Risk
Third-party vendors and service providers who process data on our behalf are evaluated for security practices prior to engagement. We require that such providers maintain appropriate security standards and restrict their use of data to the purposes specified in our agreements.
6. Monitoring and Logging
Our systems generate logs of access events, errors, and operational activities. These logs are retained for a defined period and reviewed to detect anomalous behaviour, potential intrusions, or policy violations. Automated alerting is in place for events that indicate potential security incidents.
7. Incident Response
We maintain a documented incident response plan that defines procedures for identifying, containing, investigating, and recovering from security incidents. In the event of a confirmed breach that affects user data, we will notify affected users in a timely manner consistent with applicable obligations. Notification will include a description of the nature of the incident, data potentially affected, and steps we are taking in response.
To report a suspected security incident or vulnerability, please contact us at [email protected].
8. Business Continuity and Disaster Recovery
We maintain backup procedures to ensure data can be recovered in the event of loss or corruption. Backups are encrypted and tested periodically. Our disaster recovery plan is designed to restore service availability within defined recovery time objectives following a significant disruption.
9. Data Retention and Deletion
Data is retained only for as long as necessary to fulfil the purposes for which it was collected or as required by applicable retention obligations. Upon account closure or upon a verified deletion request, personal data is removed from active systems within a reasonable timeframe. Residual copies in backups are purged according to our standard backup rotation schedule.
10. Responsible Disclosure
We welcome reports from security researchers who identify vulnerabilities in our platform. If you believe you have discovered a security issue, please report it to us at [email protected] before any public disclosure. We commit to acknowledging reports promptly, investigating findings in good faith, and working toward remediation without taking legal action against researchers who act responsibly.
Please include in your report a clear description of the vulnerability, the steps required to reproduce it, and any potential impact you have identified.
11. Compliance and Certifications
We align our security practices with recognised industry frameworks and standards. We continually evaluate our controls against evolving best practices and update our programme accordingly. Specific certifications or audit reports may be made available to enterprise customers upon request and subject to a non-disclosure agreement.
12. Changes to This Policy
We may update this Security Policy from time to time to reflect changes in our practices, technology, or regulatory requirements. When we make material changes, we will update the date at the top of this page and, where appropriate, provide additional notice. Continued use of our platform following the effective date of any update constitutes acceptance of the revised policy.
13. Contact
If you have questions or concerns about this Security Policy or our security practices, please contact us:
Nefudapris
80 Marketplace Ave, Nepean, ON K2J 5G3, Canada
Email: [email protected]
Phone: +1 604 625 1248