Prodia Systems Ltd
Security Policies
Last updated: 29 May 2026
This page summarises the operational security policies that govern how Prodia protects its platform, customer data and corporate systems. Full policy documents are maintained internally and shared with customers on request under non-disclosure.
1. Password Policy
- Minimum 12 characters; passphrase guidance issued in line with NIST SP 800-63B.
- Prohibition on reuse, on dictionary passwords and on known-breached credentials (checked against breach corpora).
- Multi-factor authentication is mandatory for every Prodia employee account and for every administrative interface; phishing-resistant factors (WebAuthn / FIDO2) are required for privileged roles.
- Secrets are stored in an enterprise secret manager, never in source control, never in shared documents.
2. Access Management Policy
- Role-based and attribute-based access; least-privilege by default.
- Just-in-time elevation for production and customer-data access, with time-bound, auditable grants.
- Quarterly access reviews; immediate revocation on role change or departure.
- Separation of duties between development, security, operations and approval functions for sensitive actions.
- Centralised identity provider with SSO; offboarding triggers automated deprovisioning.
3. Vulnerability Management Policy
- Continuous dependency scanning, container scanning, and infrastructure-as-code analysis on every change.
- Authenticated and unauthenticated scanning of production surfaces on a recurring schedule.
- Annual independent penetration test, plus targeted tests on material changes.
- Remediation SLOs: Critical within 7 days, High within 30 days, Medium within 90 days, Low on the next maintenance window. Compensating controls applied where remediation is not yet possible.
- Coordinated disclosure handled under the Vulnerability Disclosure Policy.
4. Change Management Policy
- All production changes follow a defined lifecycle: proposal, peer review, automated checks, approval, deployment, monitoring.
- Two-person review for code touching authentication, authorisation, cryptography, data export, customer-data paths or billing.
- Production deploys are versioned, observable and reversible. An emergency change procedure exists, with mandatory post-incident review.
- Configuration drift is detected and reconciled; infrastructure is managed as code.
5. Secure Development Policy
- Threat modelling on material new features and any change to security-sensitive surfaces.
- Static analysis, software composition analysis, secret scanning and license analysis on every pull request.
- Mandatory security training for engineers on onboarding and at least annually thereafter.
- Security champions embedded in product teams.
- Code reaches production only through reviewed merges; direct production writes are prohibited.
6. Logging, Monitoring and Incident Response
- Centralised security logging with tamper-evident storage and defined retention.
- 24/7 alerting for high-severity events; documented runbooks; periodic exercise of the incident response plan.
- Customer notification of confirmed incidents affecting their data without undue delay, consistent with Art. 33 GDPR and contractual obligations.
7. Physical and Personnel Security
- Production workloads run in audited cloud environments; corporate offices are access-controlled.
- Background checks for personnel with privileged access, to the extent permitted by local law.
- Confidentiality and IP assignment obligations apply to every member of personnel.
Document availability
The underlying policy documents, control matrices and recent audit summaries are available under non-disclosure on request to trust@prodia.dev.
