Security Policy

Effective Date: April 1, 2025

Last Updated: April 1, 2025

At Belbotika, we understand the importance of keeping your business data secure. This Security Policy outlines the measures we take to protect your information and ensure the integrity, confidentiality, and availability of our platform.

Our security practices are designed to meet or exceed industry standards, and we're committed to continuous improvement in our security measures.

1. Data Encryption

We implement strong encryption protocols to protect your data:

  • In Transit: All communications between your browser/device and Belbotika servers are encrypted using TLS 1.3 (Transport Layer Security) with forward secrecy. This creates a secure tunnel for your data, protecting it from eavesdropping and tampering.
  • At Rest: Your data is encrypted when stored on our servers using AES-256 encryption, one of the strongest encryption algorithms available.
  • Database Encryption: Sensitive information like authentication credentials is stored with additional encryption layers and salted hashing.

2. Authentication & Access Control

We implement robust authentication systems to ensure only authorized users can access their accounts:

  • Secure Password Requirements: We enforce strong password policies, including minimum length and complexity.
  • Multi-Factor Authentication (MFA): Available for all accounts and required for administrator accounts, adding an extra layer of security.
  • Account Recovery: Secure account recovery processes with verification steps to prevent unauthorized access.
  • Session Management: Automatic session timeouts and secure cookie handling.
  • Role-Based Access Control (RBAC): User permissions are granted based on specific roles to ensure least-privilege access.

3. OAuth Token Security

Third-Party Integration Security

When you connect third-party services like Google to Belbotika, we use OAuth 2.0, an industry-standard authorization framework. We implement the following security measures for OAuth tokens:

Token Storage and Encryption:

  • All OAuth access tokens and refresh tokens are encrypted using AES-256 encryption before being stored in our database
  • Encryption keys are stored separately from the encrypted tokens and rotated regularly
  • Tokens are never logged, displayed in error messages, or exposed in API responses
  • Database backups containing tokens are also encrypted

Access Control:

  • Access to OAuth tokens is strictly limited to automated systems that require them to function
  • Human access to encrypted tokens is prohibited except during authorized security investigations
  • All access attempts are logged and monitored
  • Administrative access requires multi-factor authentication

Token Lifecycle Management:

  • Automatic Expiration: Access tokens are automatically refreshed using refresh tokens, minimizing the window of vulnerability
  • Revocation: Tokens are immediately revoked when you disconnect a third-party integration
  • Cleanup: When you delete your account or revoke access, all associated tokens are permanently deleted within 30 days
  • Security Breach Response: In the event of a detected security incident, affected tokens are automatically revoked

Minimal Scope Requests:

  • We only request the minimum OAuth scopes necessary to provide our services
  • We never request access to data or permissions beyond what is needed for core functionality
  • Scope requests are clearly explained during the authorization process

Compliance:

  • Our OAuth implementation follows the OAuth 2.0 Security Best Current Practice (BCP) guidelines
  • We comply with Google's API Services User Data Policy and similar policies from other third-party providers
  • Regular security audits verify the integrity of our OAuth implementation

4. Infrastructure Security

Our infrastructure is protected by multiple layers of security:

  • Firewall Protection: Network-level firewalls restrict access to our servers and services.
  • Intrusion Detection: Automated systems monitor for suspicious activity and potential security threats.
  • DDoS Protection: Enterprise-grade DDoS mitigation services maintain platform availability during attack attempts.
  • Vulnerability Management: We regularly scan our infrastructure and applications for potential vulnerabilities.
  • Server Hardening: All servers are configured with security best practices, including removal of unnecessary services, regular security updates, and secure configuration standards.

5. Application Security

We build security into our application development process:

  • Secure Development Lifecycle: Security is integrated throughout our development process, from design to deployment.
  • Code Review: All code changes undergo peer review with a focus on security implications.
  • OWASP Compliance: Our application is developed with awareness of the OWASP Top 10 and other security best practices.
  • API Security: APIs use authentication tokens, rate limiting, and input validation to ensure secure data access.
  • Content Security Policy: Implemented to prevent cross-site scripting (XSS) and other code injection attacks.
  • Input Validation: All user inputs are validated and sanitized to prevent SQL injection, XSS, and other injection attacks.

6. Regular Security Assessments

We maintain a robust security testing program:

  • Vulnerability Scans: Automated scanning of our infrastructure and applications on a regular schedule.
  • Penetration Testing: Periodic penetration tests conducted by qualified third-party security professionals.
  • Security Audits: Regular reviews of our security controls, policies, and procedures.
  • Third-Party Assessment: Evaluation of our third-party service providers' security posture.
  • OAuth Integration Audits: Specific security reviews of our OAuth implementation and token handling procedures.

We promptly address identified vulnerabilities based on risk level, with critical issues receiving immediate attention.

7. Data Backup & Disaster Recovery

We implement comprehensive backup and disaster recovery procedures:

  • Automated Backups: Your data is automatically backed up on a regular schedule.
  • Encryption: All backups are encrypted both in transit and at rest.
  • Geographical Redundancy: Backups are stored in multiple geographic locations to protect against regional disasters.
  • Backup Testing: We regularly test our backup restoration process to ensure data can be recovered when needed.
  • Disaster Recovery Plan: We maintain and regularly update a detailed disaster recovery plan to ensure business continuity.

8. Employee Security

Our security measures extend to our team:

  • Security Training: All employees receive security awareness training upon hiring and regularly thereafter.
  • Background Checks: We conduct background checks on employees as part of our hiring process.
  • Access Management: Employee access to systems and data is based on job requirements and regularly reviewed.
  • Device Security: Company devices are configured with security controls including disk encryption, endpoint protection, and automatic updates.
  • Secure Remote Access: VPN and multi-factor authentication are required for remote access to internal systems.
  • Data Access Restrictions: Access to customer data, including OAuth tokens and imported Google data, is strictly controlled and logged.

9. Incident Response

We have established incident response procedures to address security events promptly:

  • Incident Response Team: A dedicated team is responsible for responding to security incidents.
  • Defined Procedures: We follow documented incident response procedures for consistent handling of security events.
  • Detection Systems: We use monitoring and alerting tools to detect potential security incidents promptly.
  • Communication Plan: Our protocol includes timely notification to affected customers in the event of a security breach, in accordance with applicable laws and regulations.
  • Post-Incident Analysis: After resolution, we conduct a thorough analysis to prevent similar incidents and improve our response.
  • Token Revocation: In the event of a security incident involving third-party integrations, affected OAuth tokens are immediately revoked.

10. Compliance & Certifications

We align our security practices with industry standards and regulations:

  • GDPR Compliance: Our platform is designed to help you meet GDPR requirements. See our GDPR Compliance document for details.
  • Google API Services User Data Policy: We comply with Google's strict requirements for handling user data obtained through their APIs.
  • Regular Compliance Reviews: We regularly review our practices against relevant standards and regulations.
  • Third-Party Audits: We undergo independent security assessments to validate our security controls.

11. Customer Security Best Practices

We recommend the following practices to enhance the security of your Belbotika account:

  • Enable multi-factor authentication for all user accounts
  • Use strong, unique passwords for each team member
  • Regularly review user access and remove accounts for people who no longer need access
  • Be cautious of phishing attempts that may target your Belbotika account
  • Set appropriate permission levels for team members based on their job requirements
  • Keep your devices and browsers updated with the latest security patches
  • Regularly review connected third-party integrations and revoke access to services you no longer use
  • Monitor account activity logs for any suspicious behavior

12. Security Updates & Notifications

We keep our platform secure through continuous updates:

  • Security Patches: We promptly apply security patches and updates to our systems.
  • Dependency Management: We regularly review and update third-party libraries and components to address known vulnerabilities.
  • Security Notifications: We will notify you of significant security updates or issues that may affect your account.

Critical updates are applied with minimal delay to protect our platform and your data.

13. Reporting Security Concerns

If you discover a potential security vulnerability or have security concerns, please contact us immediately at security@belbotika.com.

We take all security reports seriously and will investigate promptly. We appreciate your help in keeping Belbotika secure.

When reporting a security issue, please include:

  • A description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact of the vulnerability
  • Any suggested remediation

14. Changes to This Security Policy

We may update this Security Policy from time to time to reflect changes in our practices or for other operational, legal, or regulatory reasons. We will notify you of any material changes through the Services or via email.

We encourage you to review this document periodically to stay informed about how we protect your data.

15. Contact Information

If you have any questions about this Security Policy or our security practices, please contact us at:

Email: info@belbotika.com

Security Email: security@belbotika.com

Address: Magenta Court, Hamilton, Ontario, Canada