Security Policy

Last Updated: May 21, 2026
  • ISO 27001 Certified Architecture
  • SOC 2 Type II Compliant
  • 256-bit AES Encryption

1. Encryption Standards

Data in Transit: All communication between your browser and our servers is encrypted using the TLS 1.3 protocol, so data crossing the internet is protected from eavesdropping. You can verify this by checking for "https" and a padlock icon in your browser's address bar.

Data at Rest (Sensitive Fields): Highly sensitive data stored in our database is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys). This includes:

  • Employee salary information and payroll calculations
  • Bank account and account holder names
  • PAN and Aadhaar numbers (if stored)
  • Tax information and Form 16 data

Encryption Key Management: Encryption keys are stored separately from the encrypted data in AWS KMS (Key Management Service). No single person has access to all keys. Keys are rotated quarterly. Data encrypted under a key that has been lost cannot be recovered; this is by design, not a bug.
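The arrangement this section describes (AES-256 on individual sensitive fields, keys held separately in a KMS, periodic rotation, and data under a lost key being unrecoverable) is normally built as envelope encryption: each value gets its own data key, and only that data key is encrypted under a versioned key held by the KMS. The Go program below is an added example written for this page, not AccoNova code. It assumes a stand-in KMS type in place of AWS KMS (real KMS wraps and unwraps keys inside the service), a constructed salary value and column names, and an explicit Retire step to model a lost key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// randomBytes draws n bytes from the OS CSPRNG; a failure here is not recoverable.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // only fails on a bad key length; keys here are 32 bytes
	if err != nil {
		panic(err)
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return aead
}

// seal encrypts plaintext under key, prepending the random nonce; open reverses it.
func seal(key, plaintext, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...)
}

func open(key, blob, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	if n := aead.NonceSize(); len(blob) >= n {
		return aead.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("ciphertext too short")
}

// KMS stands in for a key management service such as AWS KMS: KEKs live here by version and
// the data store holds only wrapped keys (assumption: a real KMS wraps/unwraps in-service).
type KMS struct {
	current int
	keks    map[int][]byte
}

// Rotate creates a fresh AES-256 KEK and makes it current; older versions stay usable.
func (k *KMS) Rotate() {
	if k.keks == nil {
		k.keks = map[int][]byte{}
	}
	k.current++
	k.keks[k.current] = randomBytes(32)
}

// Retire deletes a KEK version; anything still wrapped under it becomes unrecoverable.
func (k *KMS) Retire(version int) { delete(k.keks, version) }

type EncryptedField struct { // what one sensitive column stores per row
	KEKVersion int    // which KEK wraps the DEK
	WrappedDEK []byte // per-value data key, encrypted under the KEK
	Ciphertext []byte // the field value, encrypted under the DEK
}

// EncryptField encrypts value under a fresh per-value data key (DEK) and wraps the DEK under
// the current KEK; the column name is bound as associated data so a ciphertext cannot be moved.
func EncryptField(k *KMS, column string, value []byte) *EncryptedField {
	dek := randomBytes(32)
	return &EncryptedField{
		KEKVersion: k.current,
		WrappedDEK: seal(k.keks[k.current], dek, []byte(column)),
		Ciphertext: seal(dek, value, []byte(column)),
	}
}

func DecryptField(k *KMS, column string, f *EncryptedField) ([]byte, error) {
	kek, ok := k.keks[f.KEKVersion]
	if !ok { // retired or lost KEK: the value is unrecoverable, by design
		return nil, fmt.Errorf("kek version %d is not available", f.KEKVersion)
	}
	dek, err := open(kek, f.WrappedDEK, []byte(column))
	if err != nil {
		return nil, err
	}
	return open(dek, f.Ciphertext, []byte(column))
}

func main() {
	kms := &KMS{}
	kms.Rotate()
	rec := EncryptField(kms, "employees.salary", []byte("85000")) // constructed sample value
	kms.Rotate()  // quarterly rotation: v1 is retained, so rec still decrypts
	kms.Retire(1) // v1 dropped before rec was re-encrypted: now unrecoverable
	_, err := DecryptField(kms, "employees.salary", rec)
	fmt.Println("after retiring v1:", err)
}
```

Rotation only adds a new key version; rows wrapped under the previous version keep decrypting until that version is retired, so completing a rotation means re-encrypting (or re-wrapping the data key of) every row under the current version first. Retiring a version that still has rows beneath it produces exactly the "lost key" outcome the policy describes, which is why the KMS should refuse that step until the re-wrap has finished. Binding the column name as associated data means a salary ciphertext pasted into the bank-account column fails authentication instead of decrypting.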

2. Access Control & Authentication

Multi-Factor Authentication (MFA): Admin login requires two factors:

  • Factor 1: Password (something you know)
  • Factor 2: OTP via SMS or authenticator app (something you have)

This prevents account takeover even if your password is compromised.

Role-Based Access Control (RBAC): Different admin roles have different permissions:

  • Super Admin: Full platform access (should be limited to 1-2 people)
  • HR Admin: Employee data, attendance, leave (cannot see salary)
  • Payroll Admin: Salary calculations, tax filings (cannot see personal details)
  • Viewer: Read-only access for reporting

Session Management: Login sessions expire after 30 minutes of inactivity, after which you must re-authenticate with MFA. This prevents unauthorized access if you leave your computer unattended.

3. Cloud Infrastructure Security

Cloud Hosting: AccoNova runs on Amazon Web Services (AWS) or Microsoft Azure infrastructure in India data centers only. No international data transfers without explicit consent.

Server Isolation: Each customer's data is logically isolated, and database access credentials are unique per customer, so one customer cannot access another's data.

Network Security: We employ multiple layers:

  • Firewall: Blocks unauthorized inbound/outbound traffic
  • DDoS Protection: AWS Shield Standard protects against distributed denial-of-service attacks
  • WAF (Web Application Firewall): Filters SQL injection, XSS, and common web attacks
  • VPC (Virtual Private Cloud): Isolated network environment

4. Security Audits & Testing

Penetration Testing: Third-party cybersecurity firms conduct authorized quarterly penetration tests that attempt to breach our systems. 100% of identified vulnerabilities are fixed within 30 days. Reports are available to customers upon request.

Vulnerability Assessments: Automated monthly scans identify security weaknesses. Critical vulnerabilities are patched within 24 hours; medium and low severity issues within 30 days.

Code Security Reviews: All code changes undergo security review before production deployment. We use SAST (Static Application Security Testing) tools to scan for injection flaws, hardcoded credentials, and similar defects.

Compliance Audits: Annual audits verify compliance with DPDPA, data localization laws, and internal security policies. Third-party auditors validate findings.

5. Threat Monitoring & Incident Response

24/7 Monitoring: Our SOC (Security Operations Center) continuously monitors for unauthorized access attempts, data exfiltration, malware, and anomalies using:

  • SIEM (Security Information & Event Management) tools
  • Intrusion Detection Systems (IDS)
  • Log analysis and alerting

Incident Response Team: If a security incident is detected, our incident response team immediately:

  • Isolates affected systems
  • Preserves forensic evidence
  • Notifies affected customers within 4 hours
  • Publishes root cause analysis within 72 hours

6. Employee Training & Compliance

Security Training: All AccoNova employees handling customer data undergo mandatory security training:

  • Data privacy principles and laws
  • Password security and social engineering
  • Incident reporting procedures
  • Secure coding practices (for developers)

Background Checks: All employees with data access undergo background verification.

NDA (Non-Disclosure Agreement): All employees sign strict NDAs prohibiting disclosure of customer data. Violations result in legal action.

Zero-Tolerance Policy: Unauthorized data access results in immediate termination and legal proceedings.

7. Disaster Recovery & Backups

Automated Backups: Daily backups of all customer data are performed automatically at 00:00 UTC. Backups are encrypted and stored in geographically separate data centers.

Backup Retention: Backups are retained on a 30-day rolling window, which allows recovery of data deleted up to 30 days ago.

Disaster Recovery Plan: RTO (Recovery Time Objective) = 4 hours; RPO (Recovery Point Objective) = 1 hour. If the primary data center fails completely, services are restored from backup within 4 hours with at most 1 hour of data loss.

DR Testing: Quarterly disaster recovery drills test backup integrity and restore procedures. Results are documented and shared with auditors.

8. Compliance Certifications & Standards

DPDPA 2023 Compliance: Full compliance with Digital Personal Data Protection Act covering data collection, processing, retention, and user rights.

Data Localization: All customer data stored within India data centers. No international transfer without explicit consent.

ISO 27001 Certified Architecture: Our core cloud infrastructure and internal data management processes are fully ISO 27001 compliant, ensuring the highest global standard for Information Security Management Systems (ISMS).

SOC 2 Type II Compliant: We maintain strict SOC 2 Type II compliant controls over security, availability, processing integrity, and confidentiality. Routine independent audits ensure continuous adherence.

Bug Bounty Program: We welcome ethical hackers to report vulnerabilities responsibly. Public disclosure is permitted once we have been notified and a fix has been applied. Rewards up to ₹5,00,000 for critical vulnerabilities.
