Security Policy

Last Updated: May 6, 2026

At EDJAM Limited, security is not just a feature—it's the foundation of everything we build. This Security Policy outlines our comprehensive approach to protecting your data, systems, and operations.

1. Security Governance

1.1 Information Security Management System (ISMS)

Our ISO 27001-certified ISMS provides the framework for managing information security:

  • Defined security policies, procedures, and standards
  • Risk assessment and treatment methodology
  • Regular management reviews and audits
  • Continuous improvement processes
  • Incident management and business continuity planning

1.2 Security Organization

Dedicated security team structure:

  • Chief Information Security Officer (CISO): Executive oversight of security strategy
  • Security Operations Center (SOC): 24/7 monitoring and incident response
  • Security Engineering: Secure development and architecture
  • Compliance Team: Regulatory adherence and audit management
  • Third-Party Risk Management: Vendor security assessments

2. Data Security

2.1 Encryption Standards

Industry-leading encryption across all layers:

  • Data in Transit: TLS 1.3 with perfect forward secrecy, 256-bit SSL certificates
  • Data at Rest: AES-256 encryption for databases and file storage
  • Key Management: Hardware Security Modules (HSM) for cryptographic key storage
  • Key Rotation: Automated key rotation every 90 days
  • End-to-End Encryption: Optional E2EE for sensitive customer communications

2.2 Data Classification

Four-tier classification system:

  • Public: Marketing materials, public documentation
  • Internal: Operational data, non-sensitive business information
  • Confidential: Customer data, financial records, proprietary information
  • Restricted: PII, payment card data, authentication credentials

2.3 Data Lifecycle Management

  • Secure data creation and collection
  • Controlled data access based on classification
  • Encrypted data transmission and storage
  • Secure data archival procedures
  • Certified data destruction (NIST 800-88 compliant)

3. Infrastructure Security

3.1 Cloud Architecture

Multi-layered cloud security on AWS/Azure:

  • Network Segmentation: VPCs with private subnets for sensitive workloads
  • Firewall Protection: Web Application Firewall (WAF) and Network ACLs
  • DDoS Protection: AWS Shield Advanced / Azure DDoS Protection
  • Load Balancing: Auto-scaling with health checks
  • Geo-Redundancy: Multi-region deployment for disaster recovery

3.2 Physical Security (Data Centers)

Our cloud providers maintain SOC 2-compliant data centers with:

  • 24/7 on-site security personnel
  • Biometric access controls
  • Video surveillance and monitoring
  • Environmental controls (temperature, humidity, fire suppression)
  • Redundant power and cooling systems

3.3 Network Security

  • Zero Trust Network Architecture (ZTNA)
  • Next-generation firewalls with intrusion prevention
  • Network traffic analysis and anomaly detection
  • Secure VPN access for remote connectivity
  • DNS filtering and threat intelligence

4. Application Security

4.1 Secure Development Lifecycle (SDL)

Security integrated at every stage:

  • Design: Threat modeling and security requirements
  • Development: Secure coding standards (OWASP guidelines)
  • Testing: SAST, DAST, and penetration testing
  • Deployment: Automated security checks in CI/CD pipeline
  • Maintenance: Regular security patches and updates

4.2 Code Security

  • Mandatory code reviews with security checklist
  • Static Application Security Testing (SAST)
  • Dynamic Application Security Testing (DAST)
  • Software Composition Analysis (SCA) for dependency scanning
  • Bug bounty program with responsible disclosure

4.3 API Security

  • OAuth 2.0 and OpenID Connect for authentication
  • API key management and rotation
  • Rate limiting and throttling
  • Input validation and output encoding
  • API gateway with centralized security controls

5. Access Control

5.1 Identity and Access Management (IAM)

Comprehensive access control framework:

  • Principle of Least Privilege: Minimum necessary access rights
  • Role-Based Access Control (RBAC): Granular permission assignments
  • Just-In-Time (JIT) Access: Temporary elevated privileges
  • Privileged Access Management (PAM): Enhanced controls for admin accounts
  • Access Reviews: Quarterly recertification of user permissions

5.2 Authentication

  • Multi-Factor Authentication (MFA): Mandatory for all users
  • Password Policy: Minimum 12 characters, complexity requirements
  • Biometric Options: Fingerprint and facial recognition support
  • Hardware Tokens: FIDO2/WebAuthn for high-security accounts
  • Single Sign-On (SSO): SAML 2.0 integration for enterprise clients

5.3 Session Management

  • Secure session token generation
  • Session timeout after 30 minutes of inactivity
  • Automatic logout on browser close
  • Session fixation and hijacking protection

6. Monitoring & Detection

6.1 Security Information and Event Management (SIEM)

Centralized security monitoring:

  • Real-time log aggregation and correlation
  • Automated threat detection rules
  • User and Entity Behavior Analytics (UEBA)
  • Compliance reporting and audit trails
  • Integration with threat intelligence feeds

6.2 24/7 Security Operations Center (SOC)

Round-the-clock security monitoring:

  • Continuous threat monitoring and analysis
  • Incident triage and escalation
  • Threat hunting and investigation
  • Security alert management
  • Monthly security metrics and reporting

6.3 Intrusion Detection & Prevention

  • Network-based IDS/IPS (Suricata)
  • Host-based IDS (OSSEC)
  • File integrity monitoring
  • Malware detection and prevention
  • Automated response playbooks

7. Incident Response

7.1 Incident Response Plan

Structured approach to security incidents:

  1. Preparation: Incident response team, tools, and procedures
  2. Detection & Analysis: Identify and assess security events
  3. Containment: Isolate affected systems to prevent spread
  4. Eradication: Remove threat from environment
  5. Recovery: Restore systems to normal operation
  6. Post-Incident: Lessons learned and improvement

7.2 Incident Classification

  • Critical: Data breach, system compromise, service outage > 30 min
  • High: Failed attack attempts, malware detection, unauthorized access attempts
  • Medium: Policy violations, suspicious activity
  • Low: Minor security events, awareness issues

7.3 Communication Protocols

Timely notification of security incidents:

  • Critical incidents: Notification within 1 hour
  • High priority incidents: Notification within 4 hours
  • Data breaches: Notification within 72 hours (Kenya DPA requirement)
  • Regular status updates during incident resolution
  • Post-incident summary and corrective actions

8. Business Continuity & Disaster Recovery

8.1 Business Continuity Plan (BCP)

  • Documented procedures for maintaining operations
  • Identified critical business functions
  • Recovery time objectives (RTO): 4 hours
  • Recovery point objectives (RPO): 15 minutes
  • Annual BCP testing and updates

8.2 Disaster Recovery

  • Backup Strategy: Automated daily backups with 30-day retention
  • Geographic Distribution: Backups stored in multiple regions
  • Backup Testing: Monthly restoration tests
  • Failover Capability: Hot standby in alternate region
  • Communication Plan: Customer notification procedures

9. Third-Party Risk Management

9.1 Vendor Assessment

Rigorous evaluation of third-party security:

  • Security questionnaire and due diligence
  • Review of security certifications (ISO 27001, SOC 2)
  • Contractual security requirements
  • Annual vendor security reassessment
  • Vendor security incident notification requirements

9.2 Supply Chain Security

  • Software Bill of Materials (SBOM) for dependencies
  • Open-source license compliance
  • Vulnerability scanning of third-party components
  • Secure software supply chain (SLSA framework)

10. Security Testing

10.1 Testing Schedule

  • Annual Penetration Testing: Independent third-party assessment
  • Quarterly Vulnerability Scans: Automated scanning of all systems
  • Continuous Security Testing: Automated SAST/DAST in CI/CD
  • Red Team Exercises: Annual adversarial simulation
  • Social Engineering Testing: Phishing simulations quarterly

11. Security Awareness & Training

11.1 Employee Training

  • Mandatory security awareness training for all employees (annual)
  • Role-specific security training for developers, operations, support
  • Secure coding training for development team
  • Incident response tabletop exercises
  • Security newsletters and alerts

11.2 Security Culture

Building a security-conscious organization:

  • Security champion program
  • Rewards and recognition for security contributions
  • Open communication about security issues
  • No-blame post-incident reviews

12. Vulnerability Disclosure Program

12.1 Responsible Disclosure

We welcome security researchers to report vulnerabilities:

  • Scope: edjam.co.ke, api.edjam.co.ke, and mobile applications
  • Reporting: security@edjam.co.ke (PGP key available)
  • Response Time: Initial response within 48 hours
  • Resolution: Critical issues patched within 7 days
  • Recognition: Hall of fame for responsible disclosure

12.2 Out of Scope

  • Social engineering attacks
  • Denial of service testing
  • Physical security testing
  • Third-party applications and services

13. Security Contact Information

For security concerns, vulnerability reports, or security inquiries:

EDJAM Limited - Security Team
Email: security@edjam.co.ke
PGP Key: Available at /security-pgp.txt
Phone (Urgent): +254 721 680 973

Chief Information Security Officer:
Available for enterprise security discussions
Email: ciso@edjam.co.ke

Security is a journey, not a destination. We continuously evolve our security practices to address emerging threats and maintain the trust you place in us.