Security Policy

March, 2020

This security policy tells you the security measures put in place by Scelloo Ltd as you access or use our products or services. Security is a key component of our services and it is embodied in our staff, processes and solutions. We employ organisational, physical, data, infrastructure, operational and access control measures to protect your information from unauthorized access in compliance with applicable local & foreign security laws.

Organisational Security

In connection with our security measures, our information security management system takes into consideration our security priorities and threats from all stakeholders and necessary mitigations. We adopt strict policies, processes and procedures that cover customer data processing, protection, confidentiality, reliability and availability. In addition, we ensure the following:

• Employee Background Verification. All our employees undergo background verification. We verify their criminal records, past jobs records, if any, and educational background. No employee is assigned duties that could pose threats to users until this process is completed.

• Security Consciousness. Every employee upon recruitment signs a confidentiality agreement and an appropriate use policy, after which they undergo training on information security, privacy and compliance. Employees are periodically evaluated to test their level of security consciousness. Where gaps exist, necessary learning interventions are provided. Furthermore, we provide role-based and specialized trainings to employees.

• Designated Security and Privacy Team. In line with applicable laws, we have a team designated to implement and manage our security and privacy issues. The team designs and maintains our defence systems, establishes security review processes and scans our networks continuously to detect suspicious activity. In addition, at Scelloo, we maintain & promote continuous capacity building for the team.

• Compliance and Audit. We have a dedicated compliance team that reviews our practices and policies in order to comply with the requirements and to decide what controls, processes and systems are needed to meet the requirements. Security is a very high priority at Scelloo, for both our data and yours, hence, we regularly increase our security standards to ensure that we meet the security requirements.

Physical Security

We provide controlled access to our resources/premises to guide against unauthorised entry, consumption and utilization. We maintain access logs & activity records. We monitor all entry and exit movements throughout our resources/premises.

Data Security

We have developed security measures to protect our data subjects; such measures include but not limited to:

• Security Principles. Our solutions are written with security principles in mind to prevent XRF, CSRF, SQL injection and other common attacks. We also perform daily off-site backups, so all of your data is safe and ready to be restored.

• Data Encryption. All data between our servers and you are encrypted with at least 128-bit TLS, and all copies of daily backup data are encrypted with 256-bit AES encryption. Data is kept secure with multiple servers housed in Tier-4 data centres that have strict access controls and real-time video monitoring of the data centre.

• Data Confidentiality. Our platform distributes to our customers and manages cloud space. Using a series of protected protocols in the system, the service data for each customer is logically isolated from the data for other customers. It means that no data on customer service is available to another client. Your data is yours and not ours. Without your permission, we will not share the data with any third party.

• Administrative Right. Our data is securely stored with access to specific authorized individuals, to prevent staff from handling user data inappropriately and to minimize the risk of data disclosure. In addition, we implement internal policies requiring approval flow to gain administrative right to access data.

• Regulated Change Management Process. Any improvements and new features are regulated by a change management policy to ensure that all changes to applications are approved before they are put into production. Through our code analyser tools, vulnerability scans and manual review procedures, our Software Development Life Cycle ensures adherence to safe coding standards, as well as reviewing code changes for potential security issues.

Infrastructure Security

• DDoS protection. We leverage on content delivery networks to make sure that there is no direct internet access to our infrastructure, thereby minimizing the surface areas for DDoS attacks. Behind our servers, we monitor & analyse individual packets, geographies & IPs of each request which helps us detect & mitigate normal & abnormal traffics, malicious IPs & request overload. This keeps our servers & APIs highly available & reliable.

• Network Security. Our network protection and monitoring techniques are designed & implemented to offer multiple protective and defensive layers. We use firewalls & access control list to prevent unauthorized access and unintended traffic to our network. In addition, our systems are segmented into separate private & public networks to secure sensitive data.

• Network Redundancy. We implement a highly available architecture with failovers in place to protect our network and services from potential server failure consequences. If a server fails, users will carry on as usual, as their data and all our services are still available to them.

• Server Hardening. All servers provisioned for development, testing and deployment activities are hardened (by disabling unused ports and accounts, removing default passwords, etc.) using well tested and custom-built server images.

• Intrusion Detection and Prevention. Our intrusion detection mechanism takes note of client-based & host-based signals on individual devices and network-based signals from monitoring points within our servers. Administrative access, use of signed URLs, authenticated file access and system calls on all servers in our test & production networks are logged. Machine intelligence built from data analytics on this data give our data & security engineers warnings of possible incidents.

At the application and network layer, we use industry’s best-in-class network firewalls and WAFs in addition to a multi-layered security approach for whitelisting, blacklisting, network routing, rate limiting, protocol translation and filtering request to mitigate attacks and in turn provide clean traffic, reliable proxy service and a prompt reporting of attacks, if any.

Operational Security

• Logging and Tracking. We track and analyse data obtained from services, network internal traffic and usage of devices and terminals. By a way of event logs, audit logs, fault logs, manager logs, and operator logs, we record this information. We store these logs in a secure server separated from full system access, centrally controlling access control and maintaining reliability.

• Vulnerability Management. We have a dedicated vulnerability detection process that uses manual and automated penetration testing to regularly search for security threats. In the event that any vulnerability arises, it will be logged, given priority and allocated to our team of security engineers to address. We then define the associated risks, monitor and resolve the vulnerability by either patching compromised systems or applying appropriate controls until it is closed.

• Malware and Spam Protection. We monitor all user files using our automated scanning system to stop the spread of malware through our entire products and services ecosystem. Our custom anti-malware software provides regular updates and scans files against blacklisted signatures and malicious trends from external threat intelligence sources.

• Data Retention and Disposal. We hold the data in your account as long as you are using our services. Once you deactivate your account, your data will get deleted from the active database during the next clean-up that occurs once every 3 months. The data deleted from the active database will be deleted from backups after 3 months. When your paid subscription expires, your account is automatically downgraded to a free account. In the event that your free account is inactive for a continuous period of 3 months, we will deactivate it after giving you prior notice and option to back-up your data.

• Disaster Recovery and Backup. We run full data backups everyday in multiple data centres stored and encrypted at rest. When a customer demands data recovery within the retention period, we will retrieve their data from the backup and make it available.

• Business Continuity. We transmit, store, protect, and access data in compliance with local & foreign data protection regulations. Our services are housed in multiple geographical data centres, so our services will keep running even in the face of a major natural or man-made disaster. Data are stored in resilient servers, distributed via data centres (primary & secondary). Data in the primary data centre is replicated in the secondary in near real time. In the event of primary data centre failure, secondary data centre takes over and the operations are carried out smoothly with limited or no time loss.

Access and Identity Control

• Availability of Single Sign-On (SSO). We use SSO to simplify our authentication processes, provide efficient access control and reduce the risk of password exhaustion. We offer single sign-on (SSO), which allows users to access our solutions using the same credentials for authentication.

• Multiple Authentication. This offers an extra layer of security by requiring additional authentication from a user, besides password. If a user's password is compromised, this can significantly reduce the risk of unauthorized access. We employ different measures such as password strength, security questions, two-factor authentication & ring fencing.

• Administrative Access Control. We use technical access controls and internal policies & frameworks to prohibit employees from arbitrarily accessing user data. We adhere to the principles of least privilege and role-based permissions to reduce the risk of data disclosure. Furthermore, for compliance purposes, we continuously log and audit all activities performed by our employees on our system.

Security Control Tips for Customers

The following are things you can do personally as a customer to further enhance your protection:

• Ensure your password strength is strong

• Ensure you protect your password

• Do not disclose your security questions and answers

• Use two-factor authentication

• Use approval workflow to manage roles & privileges

• Use new browser versions to ensure vulnerability patching and to use the latest security features

• Monitor devices connected to your account, ongoing web sessions, and third-party access to detect abnormalities in activities within your account.

About this Policy

When this Policy Applies. This Security Policy applies when you access or use products or services offered by Scelloo Ltd. This Security Policy doesn’t apply to services that have separate security policies that do not incorporate this Security Policy. By continuing to access or use our products or services, you agree to be bound by this Security Policy.

Updates to this Policy. We reserve the right to modify, revise or update our Security Policy from time to time and we will indicate the date of the last update. If changes are significant, we will provide you a notification via our website or email. By continuing to access or use our products or services, after those updates, you agree to be bound by the updated Security Policy.

Contact Information

At Scelloo, we are working round the clock to ensure customer data security. Security of your data is your right. Please contact us at if you have any questions about our Security Policy.