Security Policy

Last updated: October 23, 2025

Hentav Ruldo is committed to maintaining the security, integrity, and confidentiality of all data processed through our platform. This Security Policy describes the technical and organizational measures we implement to protect our systems, infrastructure, and user data.

1. Scope

This policy applies to all systems, services, platforms, and data assets operated or managed by Hentav Ruldo, including web applications, backend infrastructure, databases, communication channels, and third-party integrations used in the delivery of our services.

2. Information Security Principles

Our security practices are guided by the following core principles:

Confidentiality — access to data is restricted to authorized personnel and systems only
Integrity — data is protected against unauthorized modification or corruption
Availability — services and systems are maintained to ensure reliable access for authorized users
Accountability — all access and actions are logged and attributable

3. Access Control

3.1 Authentication

All user and administrative accounts require strong, unique passwords
Multi-factor authentication (MFA) is enforced for all privileged and administrative access
Session tokens are time-limited and invalidated upon logout or inactivity
Failed login attempts trigger automatic account lockout after a defined threshold

3.2 Authorization

Access rights are granted on a least-privilege basis
Role-based access control (RBAC) is applied across all internal systems
Access permissions are reviewed and updated regularly and revoked promptly upon role change or termination
Separation of duties is enforced for sensitive operations

4. Data Protection

4.1 Encryption in Transit

All data transmitted between users and our platform is encrypted using TLS 1.2 or higher
HTTP connections are automatically redirected to HTTPS
Secure cipher suites are enforced; weak or deprecated protocols are disabled

4.2 Encryption at Rest

Sensitive data stored in databases and file systems is encrypted using industry-standard algorithms
Encryption keys are stored separately from encrypted data
Key management procedures are documented and reviewed periodically

4.3 Data Minimization

Only data necessary for service delivery is collected and retained
Data is anonymized or pseudonymized where full identification is not required
Retention periods are defined and enforced; data is securely deleted upon expiry

5. Infrastructure Security

5.1 Network Security

Firewalls and network segmentation are applied to isolate sensitive components
Intrusion detection and prevention systems (IDS/IPS) monitor network traffic
Unnecessary ports, protocols, and services are disabled by default
Internal services are not exposed to the public internet unless explicitly required

5.2 Server and System Hardening

All servers and operating systems follow hardening guidelines upon provisioning
Default credentials are always changed; unnecessary default services are removed
Security patches and updates are applied promptly following release
Automated vulnerability scanning is performed on a regular schedule

5.3 Cloud and Hosting Security

Infrastructure is hosted with reputable cloud providers maintaining recognized security certifications
Cloud environments are configured in accordance with provider security best practices
Storage buckets, databases, and services are set to private by default
Infrastructure-as-code configurations are version-controlled and reviewed

6. Application Security

6.1 Secure Development Practices

Security is integrated into the software development lifecycle (SDLC)
Code reviews include security considerations as a standard step
Dependencies and third-party libraries are monitored for known vulnerabilities
Automated static and dynamic analysis tools are used during development and deployment

6.2 Common Vulnerability Protections

Input validation and output encoding are enforced to prevent injection attacks
Protection against cross-site scripting (XSS) and cross-site request forgery (CSRF) is implemented
Security headers including Content Security Policy (CSP) are applied
SQL queries are parameterized; direct query construction from user input is prohibited

7. Monitoring and Logging

System and application logs are collected, stored securely, and retained for a defined period
Logs capture authentication events, access to sensitive data, configuration changes, and error conditions
Automated alerts are configured for anomalous or suspicious activity
Log integrity is protected; logs cannot be modified or deleted by standard user processes
Security events are reviewed regularly by designated personnel

8. Incident Response

8.1 Detection and Classification

Security incidents are identified through automated monitoring, user reports, or third-party notifications
Incidents are classified by severity and type to prioritize response effort

8.2 Response Procedures

A documented incident response plan is maintained and tested periodically
Designated personnel are responsible for coordinating incident containment, investigation, and recovery
Affected systems are isolated promptly to prevent further impact
Root cause analysis is conducted following significant incidents

8.3 Notification

Affected users and relevant authorities are notified in accordance with applicable obligations
Notifications include the nature of the incident, data involved, and steps being taken
Post-incident reports are prepared internally to drive remediation and improvement

9. Business Continuity and Backup

Critical data is backed up regularly using automated, verified backup procedures
Backups are encrypted and stored in geographically separate locations
Recovery procedures are documented and tested at regular intervals
Recovery time and recovery point objectives are defined for essential services

10. Third-Party and Vendor Security

All third-party providers with access to our systems or data are subject to security assessment prior to engagement
Data processing agreements are established with vendors handling personal or sensitive data
Third-party access is limited to the minimum necessary scope and duration
Vendor security posture is reviewed periodically and upon contract renewal

11. Employee and Personnel Security

All personnel with access to systems or data receive security awareness training
Security responsibilities are defined in employment terms and onboarding materials
Access credentials are issued individually and must not be shared
Personnel are required to report suspected security incidents or vulnerabilities immediately
Access is revoked promptly upon departure or role change

12. Physical Security

Physical access to offices and work areas is controlled and restricted to authorized individuals
Devices used to access company systems must be protected by screen locks and full-disk encryption
Sensitive documents and materials are stored securely and disposed of appropriately
Unattended workstations are locked automatically after a period of inactivity

13. Vulnerability Disclosure

If you discover a potential security vulnerability in our platform or services, we encourage responsible disclosure. Please report your findings to us at:

Email: [email protected]

We ask that you:

Provide sufficient detail to allow us to reproduce and assess the issue
Allow reasonable time for investigation and remediation before public disclosure
Refrain from accessing, modifying, or disclosing data beyond what is necessary to demonstrate the vulnerability

We are committed to acknowledging valid reports promptly and working toward resolution in good faith.

14. Policy Review and Updates

This Security Policy is reviewed at least annually and updated as necessary to reflect changes in our systems, services, threat landscape, or applicable requirements. Continued use of our services following publication of an updated policy constitutes acknowledgment of the revised terms.

15. Contact

For questions or concerns related to this Security Policy, please contact us:

Company: Hentav Ruldo
Address: Jarosława Dąbrowskiego 16/lok 18, 02-558 Warszawa, Poland
Phone: +48 735 919 879
Email: [email protected]
Website: blissful-aim.com