1. Purpose
This policy establishes the security requirements and controls for the VSS platform to protect user accounts, server infrastructure, and data from unauthorized access, cyber threats, and other security risks. The policy ensures the confidentiality, integrity, and availability of services through the implementation of industry-standard security measures.
2. Scope
This policy applies to all users, administrators, contractors, and any personnel authorized to access the VSS system, including all servers, applications, and associated resources.
3. Account Security Policy
3.1 Strong Password Requirements
All user accounts shall comply with the following password requirements:
- Passwords must contain a combination of uppercase letters, lowercase letters, numbers, and special characters where applicable.
- Weak, easily guessable, or commonly used passwords are strictly prohibited.
- Users are responsible for maintaining the confidentiality of their passwords and shall not share them with unauthorized individuals.
3.2 Anti-Brute-Force Protection
To prevent unauthorized access through password-guessing attacks, the following controls shall be enforced:
- After three (3) consecutive failed login attempts, users shall be required to complete a CAPTCHA or dynamic verification process before further login attempts are permitted.
- After five (5) consecutive failed login attempts, the affected account shall be automatically locked for ten (10) minutes.
3.3 Multi-Factor Authentication (MFA)
To strengthen account security:
- Users shall be encouraged or required, where applicable, to enable Multi-Factor Authentication (MFA).
- Supported third-party authentication applications, including Google Authenticator, may be used to generate one-time verification codes.
- MFA-enabled accounts shall require both password authentication and a secondary verification code during login.
3.4 Account Expiration and Password Maintenance
- User accounts that remain inactive for extended periods shall automatically expire or be disabled in accordance with organizational requirements.
- Users shall receive notifications prompting them to update their passwords periodically to maintain account security.
- Expired or inactive accounts shall be reviewed and reactivated only through authorized administrative procedures.
4. Server Protection Policy
4.1 Secure Data Transmission
To ensure the confidentiality and integrity of information transmitted between users and servers:
- All communications shall utilize Transport Layer Security (TLS) version 1.2 or higher.
- Legacy and insecure protocols, including TLS 1.0, shall be disabled and prohibited from use.
- System administrators shall periodically review encryption configurations to ensure compliance with current security standards.
4.2 Data Protection Safeguards
- Access Controls: Strict “need-to-know” access limited exclusively to authorized personnel.
- Secure Storage & Transmission: Deployment of encryption protocols and secure communication channels during data transfer and storage.
- Technical Safeguards: Utilization of firewalls, data minimization protocols, and active defenses against cyber threats.
- Audits & Compliance: Routine security audits and risk management reviews to maintain alignment with GDPR standards.
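Section 4.1 asks administrators to review encryption configurations periodically. The script below is an added example written for this page (not VSS code and not part of the policy) showing what such a review can look like when automated: it parses nginx-style `ssl_protocols` directives from constructed sample configurations, flags any version below TLS 1.2, and builds a Python server-side SSLContext pinned to the same minimum for services that terminate TLS themselves. The nginx syntax and the two sample configurations are assumptions made for the example.

```python
import re
import ssl
from typing import List

# Section 4.1: TLS 1.2 or higher only; TLS 1.0 (and anything older) disabled.
ALLOWED_PROTOCOLS = {"TLSv1.2", "TLSv1.3"}
LEGACY_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}

# Matches an nginx-style "ssl_protocols ...;" directive at the start of a line.
# A leading '#' comment marker prevents a match, so commented-out settings are ignored.
_SSL_PROTOCOLS = re.compile(r"^[ \t]*ssl_protocols[ \t]+([^;]+);", re.MULTILINE)

# Constructed sample configurations (nginx syntax assumed; not the platform's real config).
WEAK_CONFIG = """
server {
    listen 443 ssl;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
}
"""
POLICY_CONFIG = """
server {
    listen 443 ssl;
    # ssl_protocols TLSv1;   old setting left in a comment, must be ignored
    ssl_protocols TLSv1.2 TLSv1.3;
}
"""


def audit_ssl_protocols(config_text: str) -> List[str]:
    """Return one finding per problem found in the ssl_protocols directives.
    An empty list means the text satisfies section 4.1."""
    findings: List[str] = []
    directives = _SSL_PROTOCOLS.findall(config_text)
    if not directives:
        findings.append("no ssl_protocols directive: the server falls back to "
                        "software defaults, which must be checked separately")
        return findings
    for raw in directives:
        versions = raw.split()
        legacy = [v for v in versions if v in LEGACY_PROTOCOLS]
        unknown = [v for v in versions if v not in LEGACY_PROTOCOLS | ALLOWED_PROTOCOLS]
        if legacy:
            findings.append("legacy protocol(s) enabled: " + ", ".join(legacy))
        if unknown:
            findings.append("unrecognised protocol token(s), review manually: " + ", ".join(unknown))
        if not any(v in ALLOWED_PROTOCOLS for v in versions):
            findings.append("no TLS 1.2 or 1.3 version enabled at all")
    return findings


def policy_ssl_context() -> ssl.SSLContext:
    """Server-side SSLContext pinned to the policy minimum, for Python services
    that terminate TLS themselves instead of sitting behind a reverse proxy."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuses TLS 1.0 and 1.1 handshakes
    return ctx


if __name__ == "__main__":
    for name, text in (("weak", WEAK_CONFIG), ("policy", POLICY_CONFIG)):
        print(name, "->", audit_ssl_protocols(text) or ["compliant"])
    print("context minimum:", policy_ssl_context().minimum_version.name)
```

Run it as-is to see the weak configuration flagged for TLSv1 and TLSv1.1 and the compliant one pass; point `audit_ssl_protocols` at real configuration text to use it in a periodic review. A missing directive is reported rather than passed, because whatever the software default is must be verified on its own.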
5. Additional Security Controls
5.1 CAPTCHA Protection
- CAPTCHA mechanisms shall be automatically enabled after three (3) consecutive unsuccessful login attempts to prevent automated and scripted attacks.
5.2 Login Monitoring and Alerts
- The system shall support configurable login alerts for abnormal or suspicious activities.
- Security administrators shall review login notifications and investigate any unauthorized or unusual access attempts promptly.
- Appropriate corrective actions shall be taken whenever suspicious behavior is detected.
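Sections 3.2, 5.1 and 5.2 together describe one control: count consecutive failures per account, demand a CAPTCHA after three, lock the account for ten minutes after five, and surface the event to administrators. The code below is an added example written for this page, not the VSS platform's implementation, showing that control as a small, testable state machine. The `LoginThrottle` class, its `attempt` method and the in-memory alert list are hypothetical names, and the decision to reset the failure counter once a lockout expires is an assumption the policy text does not settle.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, List

# Thresholds from sections 3.2 and 5.1 of the policy.
CAPTCHA_AFTER = 3          # consecutive failures before a CAPTCHA is required
LOCK_AFTER = 5             # consecutive failures before the account is locked
LOCK_SECONDS = 10 * 60     # lockout duration


@dataclass
class AccountState:
    consecutive_failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means "not locked"


class LoginThrottle:
    """Tracks consecutive failed logins per account and decides what the next
    attempt is allowed to do. Hypothetical helper written for this example."""

    def __init__(self, clock: Callable[[], float] = time.time) -> None:
        self._clock = clock                      # injectable so tests can move time
        self._accounts: Dict[str, AccountState] = {}
        self.alerts: List[dict] = []             # events for the section 5.2 review

    def _state(self, user: str) -> AccountState:
        return self._accounts.setdefault(user, AccountState())

    def attempt(self, user: str, password_ok: bool, captcha_solved: bool = False) -> str:
        """Run one login attempt through the policy and return the outcome:
        'locked'           attempt refused, account is in its 10-minute lockout
        'captcha_required' attempt refused until the user solves a CAPTCHA
        'success'          credentials accepted, failure counter reset
        'failure'          counted towards the CAPTCHA and lock thresholds
        """
        now = self._clock()
        st = self._state(user)

        if st.locked_until > now:
            return "locked"
        if st.locked_until:
            # Lockout has expired: start the count afresh (assumption; the policy
            # does not say whether the counter survives a lockout).
            st.consecutive_failures = 0
            st.locked_until = 0.0

        # Three failures in a row: nothing further is processed, not even a
        # correct password, until a CAPTCHA has been solved (3.2, 5.1).
        if st.consecutive_failures >= CAPTCHA_AFTER and not captcha_solved:
            return "captcha_required"

        if password_ok:
            st.consecutive_failures = 0
            return "success"

        st.consecutive_failures += 1
        if st.consecutive_failures >= LOCK_AFTER:
            st.locked_until = now + LOCK_SECONDS
            # A lockout is exactly the abnormal activity section 5.2 wants
            # administrators to review, so record one alert per lockout.
            self.alerts.append({"event": "account_locked", "user": user,
                                "at": now, "until": st.locked_until})
        return "failure"


if __name__ == "__main__":
    # Constructed walk-through with a fake clock so the lockout can be expired instantly.
    fake_now = [1_700_000_000.0]
    throttle = LoginThrottle(clock=lambda: fake_now[0])
    for i in range(1, 7):
        print(i, throttle.attempt("alice", password_ok=False, captcha_solved=(i > 3)))
    print("locked?", throttle.attempt("alice", password_ok=True, captcha_solved=True))
    fake_now[0] += LOCK_SECONDS + 1
    print("after lockout:", throttle.attempt("alice", password_ok=True))
    print("alerts:", throttle.alerts)
```

Two details matter for correctness. First, an attempt refused with `captcha_required` or `locked` is not counted as a failure, because the policy says further attempts are not permitted in that state; only attempts that were actually evaluated move the counter. Second, the CAPTCHA gate sits before the password check, so a correct password submitted without the CAPTCHA is still refused, which is what keeps a scripted guesser from learning anything after the third failure.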
6. Compliance and Enforcement
All users and administrators shall comply with this policy. Any violations, unauthorized activities, or attempts to circumvent these security measures may result in disciplinary action, suspension of access privileges, or other corrective measures as determined by management.
7. Your Privacy Rights
As a data subject under ODPC, you maintain the following rights regarding your data:
- Access & Portability: Request a copy of your data in a structured, machine-readable format.
- Correction & Erasure: Correct inaccurate data or request deletion (note: deleting historical data may alter your service experience).
- Restriction & Objection: Restrict or object to the processing of your data under specific conditions.
- Withdraw Consent: Revoke processing permissions at any time.
- Automated Decisions: VSS does not utilize automated decision-making or automated profiling.
8. Data Sharing
We do not sell, trade, or rent data to third parties for marketing purposes. Data is shared only with:
- Service Providers: Trusted partners assisting in cloud infrastructure, cybersecurity, payment processing, technical support, and order fulfillment (bound by strict data confidentiality contracts).
- Legal Disclosures: When required by subpoenas, warrants, court orders, or legal processes.
8.1 Data Retention and Deletion
- Retention Period: Personal and server data (alarm videos/text/images) is retained for a maximum of 14 days.
- Post-Retention: Upon expiration of the retention window, data is permanently deleted.
8.2 Data Collected Automatically
- Location Information: IP address and time zone.
- Device & Connection Information: Device model, unique device identifiers, operating system and version, mobile operator/network information, device storage information, and system version.
8.3 Multimedia Data
- Video, audio, and image information will be captured by the system through the installed device.
8.4 Personal Data Provided Directly
- Identity & Account Info: Business/company name and account password/passcode.
- Contact Info: Email address, phone number.
9. Policy Review
This policy shall be reviewed periodically and updated as necessary to address evolving security threats, technological changes, and organizational requirements.
CONTROLTECH LIMITED
P.O. Box 17659-00500 NAIROBI, KENYA
Tel: +254 705 204 570/1, +254 786 204570/2
Email: info@controltech-ea.com
