Security Policy
Last Updated: April 16, 2026
1. Our Security Philosophy
At Cedron Technologies Pvt. Ltd., security is not an afterthought — it is a core engineering value woven into every stage of our software development and infrastructure management process. We follow a "security-by-design" approach, meaning security controls and best practices are embedded from the start of every project, not added as a final layer.
We hold ourselves to the same enterprise-grade security standards we deliver to our clients. This policy outlines our security commitments, practices, and the measures we take to protect your data and our systems.
2. Data Encryption
We implement industry-standard encryption across all data flows:
- Data in Transit: All data transmitted between clients and our systems is encrypted using TLS 1.2 or TLS 1.3. We enforce HTTPS on all web properties and reject insecure connections.
- Data at Rest: Sensitive data stored in our databases and file systems is encrypted using AES-256, the gold standard for enterprise data encryption.
- Key Management: Encryption keys are managed separately from the data they protect, using dedicated key management services (KMS) on cloud platforms.
- Backups: All backup copies of data are encrypted using the same standards as live data and stored in geographically separate locations.
3. Access Control & Authentication
We operate on a strict "least-privilege" model — every user, system, and service has only the minimum access required to perform its function:
- Multi-Factor Authentication (MFA): MFA is mandatory for all internal team members accessing production systems, code repositories, cloud consoles, and client data environments.
- Role-Based Access Control (RBAC): Access to systems and data is segmented by role. Engineers, project managers, and support staff have different, isolated access levels.
- SSH Key Authentication: Password-based SSH access is disabled. Only cryptographic key-based authentication is permitted for server access.
- Access Reviews: We conduct quarterly access reviews to ensure permissions remain appropriate and revoke access for team members upon role changes.
- Zero Trust Principles: We apply Zero Trust networking principles — no implicit trust is granted based on network location alone.
4. Infrastructure Security
Our cloud infrastructure is engineered with multiple security layers:
- Cloud Providers: We deploy on AWS, Google Cloud, and Azure — all of which maintain SOC 2, ISO 27001, and other major security certifications.
- Network Segmentation: Production environments are isolated from development and staging environments using Virtual Private Clouds (VPCs), subnets, and security groups.
- Firewalls & WAF: Web Application Firewalls (WAF) and network firewalls are deployed to filter malicious traffic, prevent injection attacks, and block unauthorized access attempts.
- DDoS Protection: Distributed Denial of Service (DDoS) mitigation is enabled by default on all public-facing infrastructure through our cloud providers and CDN services.
- Container Security: Docker containers are scanned for known vulnerabilities before deployment. We use minimal base images and enforce container isolation.
- Infrastructure as Code (IaC): All infrastructure is defined and versioned as code, enabling auditable, reproducible, and consistent deployments.
5. Secure Development Practices
Security is built into our software development lifecycle (SDLC):
- Code Reviews: All code changes are peer-reviewed before being merged. Security-relevant changes undergo additional scrutiny.
- Static Analysis (SAST): Automated static analysis tools scan our codebase for common vulnerabilities (SQL injection, XSS, CSRF, etc.) in every CI/CD pipeline run.
- Dependency Scanning: We use automated tools (e.g., Dependabot, Bundler Audit) to continuously monitor for known vulnerabilities in third-party libraries and dependencies.
- Secret Management: Secrets, API keys, and credentials are never hard-coded in source code. We use environment variables and dedicated secret management tools (e.g., AWS Secrets Manager, HashiCorp Vault).
- OWASP Top 10: Our development standards are aligned with the OWASP Top 10 Web Application Security Risks. All engineers are trained to identify and mitigate these common vulnerabilities.
6. Monitoring & Incident Response
We maintain continuous monitoring and a clear incident response process:
- 24/7 Monitoring: Production systems are monitored around the clock using tools like AWS CloudWatch, Datadog, or equivalent. Alerts are configured for anomalous behavior, error spikes, and performance degradation.
- Audit Logging: All access to sensitive systems and data is logged and retained for a minimum of 12 months. Logs are stored in tamper-evident, centralized systems.
- Incident Classification: Security incidents are classified by severity (Critical, High, Medium, Low) and handled according to our defined response procedures.
- Notification: In the event of a data breach affecting client data, we commit to notify affected parties within 72 hours of becoming aware of the incident, in line with applicable data protection laws.
- Post-Incident Review: Every significant security incident triggers a post-mortem review to identify root cause, impact, and preventive measures for the future.
7. Vulnerability Management & Penetration Testing
We proactively identify and address security weaknesses:
- Regular Vulnerability Scans: Automated vulnerability scans are run weekly against our production infrastructure and web applications.
- Patch Management: Critical security patches are applied within 24 hours of release. Standard patches are applied within 7 days. We maintain a documented patch management policy.
- Penetration Testing: We conduct formal penetration tests annually (or before major releases) by qualified third-party security professionals.
- Bug Bounty Program: We welcome responsible disclosure of security vulnerabilities from the security community (see Section 9 below).
8. Physical & Operational Security
- Remote-First Team: Our team operates in a remote-first environment. All team members are required to use encrypted devices, to connect through a VPN when accessing production systems, and to adhere to our Acceptable Use Policy.
- Device Security: Company-issued and personal devices used for work must have full-disk encryption enabled, automatic screen lock, and up-to-date operating systems.
- Data Center Security: We do not operate physical data centers. Our cloud providers (AWS, GCP, Azure) maintain SOC 2-certified facilities with physical security controls including biometric access, 24/7 surveillance, and redundant power systems.
- Business Continuity: We maintain documented business continuity and disaster recovery (BC/DR) plans with regular testing to ensure service resilience.
9. Reporting a Security Vulnerability
We believe in the power of the security community. If you discover a potential security vulnerability in our website, systems, or services, we strongly encourage responsible disclosure.
Please do not publicly disclose any vulnerability before we have had a reasonable opportunity to investigate and remediate it.
To report a vulnerability, contact us at:
- Email: security@cedrontech.in
- Subject Line: [SECURITY] Vulnerability Report
- Expected Response Time: We will acknowledge your report within 48 business hours and provide a status update within 10 business days.
We thank all researchers who responsibly disclose vulnerabilities and will publicly acknowledge contributions (with your permission).
10. Compliance & Standards
Our security practices are aligned with the following frameworks and standards:
- ISO/IEC 27001: Information Security Management best practices.
- OWASP: Web Application Security guidelines and Top 10.
- NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover.
- India IT Act 2000 & Rules: Compliance with Indian data protection and cybersecurity regulations.
- GDPR (where applicable): For clients and data subjects in the EU/EEA.
11. Contact Us
For any security-related enquiries or concerns, please contact us:
- Security Email: security@cedrontech.in
- General Support: support@cedrontech.in
- Phone: +91 9164099555
- Address: VV Nagar, Banashankari, Bangalore – 560067, India