Security Policy

Tailored security measures for the Refybe platform.

Last updated: 22 February 2026

1. Purpose

This Security Policy describes the technical and organizational measures implemented by Refybe to protect the confidentiality, integrity, and availability of its systems, services, and data.

Refybe is committed to maintaining a high level of security for its platform, users, and partners.

2. Scope

The Refybe platform and all related infrastructure.

All employees, contractors, and service providers with access to Refybe systems.

Customer and end-user data processed through Refybe services.

3. Information Security Principles

Confidentiality: Data is accessible only to authorized individuals and systems.

Integrity: Data is protected from unauthorized alteration or destruction.

Availability: Systems and data are available when needed.

4. Data Protection & Privacy

Refybe processes personal data in accordance with applicable laws, including the GDPR.

Personal data is collected only for specified, explicit, and legitimate purposes.

Access to personal data is restricted to authorized personnel on a need-to-know basis.

Data processing agreements (DPAs) are in place with relevant subprocessors.

5. Access Control

Role-based access control (RBAC) is enforced across all systems.

Strong password policies are required for all user and administrative accounts.

Multi-factor authentication (MFA) is used where technically feasible, particularly for administrative access.

Access rights are reviewed periodically and revoked promptly when no longer required.

6. Infrastructure & Network Security

Production systems are hosted in secure, professionally managed data centers.

Network traffic is protected using firewalls, encryption, and segmentation.

All communication with the Refybe platform is encrypted using TLS.

Regular updates and security patches are applied to operating systems and dependencies.

7. Application Security

Secure development practices are followed, including code reviews and testing.

Dependencies and third-party libraries are monitored for known vulnerabilities.

Input validation and authorization checks are implemented to reduce common attack vectors.

Security considerations are integrated throughout the software development lifecycle.

8. Data Encryption & Storage

Data in transit is encrypted using industry-standard encryption protocols.

Sensitive data at rest is encrypted where appropriate.

Backups are performed regularly and stored securely in the EU.

Backup data is protected against unauthorized access and accidental loss.

9. Monitoring & Logging

System activity and access are logged to detect unauthorized or suspicious behavior.

Logs are protected against tampering and retained based on legal requirements.

Monitoring is used to support incident detection and operational reliability.

10. Incident Response

Refybe maintains a process to identify, assess, and respond to security incidents.

Security incidents are documented and reviewed to prevent recurrence.

Affected customers and authorities are notified without undue delay where required by law.

11. Business Continuity & Availability

Measures are in place to ensure service availability and resilience.

Recovery procedures support restoration of services in the event of an incident.

Business continuity is integrated into infrastructure and operational decisions.

12. Third-Party Security

Refybe works only with reputable service providers that meet security standards.

Third-party access is limited to what is strictly necessary.

Subprocessors are assessed for security and compliance obligations.

13. Employee Awareness & Responsibilities

Personnel are required to follow security best practices.

Access is granted strictly based on role and responsibility.

Security obligations form part of contractual and internal policies.

14. Policy Review & Updates

This policy is reviewed periodically and updated to reflect changes in technology or legal requirements.

15. Contact

For security-related questions or to report a vulnerability, please contact security@refybe.com.