Information Security Policy

Last Updated: January 24, 2026

Our Commitment to Security

At Realty OS, we understand that real estate transactions involve sensitive personal and financial data. We have built our "Intelligent Operating System" with a security-first mindset, adhering to industry best practices to protect your brokerage's data integrity, confidentiality, and availability.

1. Infrastructure Security

  • Cloud Providers: Our infrastructure is hosted on AWS (Amazon Web Services), Google Cloud Platform, and DigitalOcean, utilizing their SOC 2 Type II compliant data centers.
  • Network Protection: We employ Virtual Private Clouds (VPCs), Web Application Firewalls (WAF), and DDoS protection to shield our servers from malicious attacks.
  • Containerization: Services run in isolated containers to minimize the impact of any potential breach.

2. Data Encryption

  • At Rest: All customer data (database records, uploaded files, backups) is encrypted.
  • In Transit: All data transmitted between your device and our servers is secured via TLS 1.2+.
  • Key Management: Encryption keys are managed via AWS KMS (Key Management Service) with strict rotation policies.

3. Access Control

  • Authentication: We support Multi-Factor Authentication (MFA) for all user accounts and enforce it for administrative access.
  • Least Privilege: Employee access to production data is restricted based on the principle of least privilege. Access logs are audited quarterly.
  • Identity Management: We use industry-standard JWT (JSON Web Tokens) with short lifespans and secure rotation for session management.

4. Vulnerability Management

We proactively identify and remediate security risks through:

  • Automated dependency scanning (SCA) in our CI/CD pipelines.
  • Weekly static code analysis (SAST) for security flaws.
  • Annual third-party penetration testing.

5. Incident Response

In the event of a security breach, Realty OS has a dedicated Incident Response Team. We are committed to notifying affected customers within 72 hours of confirming a data breach, in compliance with PIPEDA and GDPR requirements.