Security Policy
Effective: January 1, 2025
Updated: January 1, 2025
1. Introduction
RyBusiness is committed to protecting the security of our systems and your data. This Security Policy outlines the measures we take to safeguard business formation, compliance, invoicing, payroll, and operations tools.
2. Data Encryption
- All data in transit is protected using TLS 1.3 or higher.
- Sensitive data at rest is encrypted using AES-256.
- Cryptographic keys are managed using industry-standard key management practices with regular rotation.
3. Access Controls
- Access to production systems follows the principle of least privilege.
- All privileged access requires multi-factor authentication (MFA).
- Access rights are reviewed quarterly and revoked promptly upon role change or termination.
- We maintain detailed audit logs of all administrative and privileged actions.
4. Infrastructure Security
- Our infrastructure is hosted on SOC 2 Type II certified cloud providers.
- Systems are continuously monitored for security events and anomalies.
- Network traffic is protected by firewalls, intrusion detection systems, and DDoS mitigation.
- We maintain isolated environments for development, staging, and production.
5. Application Security
- We follow OWASP secure development guidelines throughout our software development lifecycle.
- Code changes undergo peer review and automated security scanning before deployment.
- Third-party dependencies are regularly audited and updated to address known vulnerabilities.
- We conduct regular penetration testing by independent security professionals.
6. Incident Response
- We maintain a documented incident response plan tested at least annually.
- Security incidents are investigated, contained, and resolved following our documented procedures.
- Affected users are notified of data breaches within the timeframes required by applicable law (e.g., 72 hours under GDPR).
- Post-incident reviews are conducted to identify and address root causes.
7. Vendor & Third-Party Security
- All third-party vendors with access to our systems or data are subject to security assessments.
- Data processing agreements and appropriate contractual security obligations are in place with all sub-processors.
- Vendor access is scoped to the minimum required for their service function.
8. Responsible Disclosure
- If you discover a security vulnerability in RyBusiness services, please report it responsibly by emailing support@rybusiness.com with a detailed description.
- We commit to acknowledging reports within 72 hours and providing regular status updates.
- We will not take legal action against researchers who report vulnerabilities in good faith.
- We do not currently operate a formal bug bounty programme, but significant findings may be recognised at our discretion.
9. Updates to This Policy
We review and update this Security Policy at least annually and following any significant security event. Changes are posted on this page.
10. Contact
For security concerns, contact us at support@rybusiness.com.