Cybersecurity Policy

Securing Your Trading

We implement industry-leading controls to protect the confidentiality, integrity, and availability of all data exchanged through our connected brokerage APIs.

Introduction

This Cybersecurity Policy establishes the guidelines and requirements for protecting Blackowl Pte Ltd's information assets, systems, and data. It applies to all employees, contractors, consultants, temporary staff, and other workers at Blackowl Pte Ltd.

Purpose and Scope

Purpose: To establish a framework for protecting Blackowl Pte Ltd's information assets from unauthorized access, use, disclosure, disruption, modification, or destruction.

Scope: This policy applies to all information systems, data, and network resources owned, operated, or managed by Blackowl Pte Ltd, as well as all users who access these resources.

Compliance and Standards

At Blackowl Pte Ltd, we are committed to implementing industry best practices for security and privacy. We are currently:

  • Building our security program based on ISO 27001 and SOC 2 frameworks
  • Implementing security controls aligned with financial industry requirements
  • Conducting regular internal security assessments and working with our third-party integration partners to ensure our systems meet security requirements
  • Planning for formal certifications as our business grows

We take a security-first approach to protect customer data and maintain the trust of our users.

Data Classification and Protection

Data Classification
All data must be classified according to sensitivity:

  • Restricted: Highly sensitive information (customer financial data, authentication credentials)
  • Confidential: Business-sensitive information (internal financial records, strategic plans)
  • Internal: Non-sensitive business information (operational procedures, training materials)
  • Public: Information approved for public disclosure

Data Encryption
All data in transit is protected with TLS 1.2 or higher. Data at rest is encrypted with AES-256, and the encryption keys are managed in Google Cloud Key Management Service (Cloud KMS), so key material is held and access-controlled separately from the data it protects.
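Envelope encryption is the usual way AES-256 data-at-rest encryption is combined with a key that lives in Cloud KMS: each record is encrypted under its own data-encryption key (DEK), and only the DEK is sent to KMS to be wrapped under the key-encryption key (KEK), so the KEK never leaves the service and a plaintext DEK is never stored. The Go program below is an added illustration, not Blackowl code or a description of its implementation; it assumes an in-process KEK standing in for the Cloud KMS Encrypt/Decrypt calls, and the record id and contents are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Envelope is what gets stored next to a record: the per-record data-encryption
// key (DEK) wrapped under the key-encryption key (KEK), plus the ciphertext.
type Envelope struct {
	WrappedDEK []byte // DEK sealed with the KEK (nonce || AES-256-GCM output)
	Ciphertext []byte // record sealed with the DEK (nonce || AES-256-GCM output)
}

// KEK stands in for the key held inside Cloud KMS (assumption for this offline
// example; a real service only sees the wrapped DEK and calls the KMS API).
type KEK struct{ key []byte }

func NewKEK() (*KEK, error) {
	k := make([]byte, 32) // 256-bit key
	if _, err := rand.Read(k); err != nil {
		return nil, err
	}
	return &KEK{key: k}, nil
}

// gcmFor builds an AES-256-GCM AEAD for a 32-byte key.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext with a fresh random nonce and returns nonce || ciphertext.
// aad (the record id) is authenticated, so a ciphertext moved to another record fails.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, aad), nil
}

// open reverses seal and fails closed when the authentication tag does not verify.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], aad)
}

// Encrypt generates a one-time 256-bit DEK for the record, encrypts the record
// with it, then wraps the DEK under the KEK. The plaintext DEK is never stored.
func Encrypt(kek *KEK, recordID string, plaintext []byte) (*Envelope, error) {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	ct, err := seal(dek, plaintext, []byte(recordID))
	if err != nil {
		return nil, err
	}
	wrapped, err := seal(kek.key, dek, []byte(recordID))
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedDEK: wrapped, Ciphertext: ct}, nil
}

// Decrypt unwraps the DEK with the KEK (the KMS round trip) and then opens the record.
func Decrypt(kek *KEK, recordID string, env *Envelope) ([]byte, error) {
	dek, err := open(kek.key, env.WrappedDEK, []byte(recordID))
	if err != nil {
		return nil, fmt.Errorf("unwrap DEK: %w", err)
	}
	return open(dek, env.Ciphertext, []byte(recordID))
}

func main() {
	kek, _ := NewKEK()
	env, _ := Encrypt(kek, "acct-42", []byte("balance=1000.00")) // constructed record
	pt, err := Decrypt(kek, "acct-42", env)
	fmt.Printf("round trip: %s err=%v\n", pt, err)
	_, err = Decrypt(kek, "acct-43", env) // same envelope attached to another record
	fmt.Println("swapped envelope:", err)
}
```

Binding the record id as GCM associated data is the detail worth copying: without it, an attacker with database write access can move a valid envelope from one account row to another and the service will happily decrypt it. Rotating the KEK in KMS then only requires re-wrapping the small DEKs, not re-encrypting every record.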

Access Control & Identity Management

We enforce role-based access control (RBAC) following the principle of least privilege. API keys and secrets are stored in a secrets vault and rotated at least quarterly. Authentication to connected brokerage APIs uses either HTTP Basic authentication (API key and secret, sent only over the TLS connections described above) or OAuth 2.0 flows.

User Access Management

  • Access rights must be granted based on job responsibilities
  • Regular access reviews must be conducted quarterly
  • Immediate revocation of access upon termination or role change
  • Multi-factor authentication required for all administrative access

Infrastructure Security

Our infrastructure is hosted on enterprise-grade cloud platforms with ISO 27001 and SOC 2 compliance. We implement secure-by-design architecture including network segmentation, hardened host images, and regular security updates to reduce our attack surface.

Vulnerability Management

Automated vulnerability scans run weekly against all assets, and we commission annual third-party penetration tests. Critical vulnerabilities are patched within 48 hours of discovery; high-severity issues within one week.

Network Protection

  • Network traffic monitoring and analysis
  • Intrusion detection and prevention systems
  • Regular network security assessments
  • Secure remote access through VPN with MFA

Incident Response & Management

We maintain a formal Incident Response Plan with clearly defined roles, escalation paths, and communication procedures. Any security incident triggers immediate investigation, notification of affected users, and, where required, coordination with the relevant third-party service providers within our SLA.

Incident Response Procedures

  1. Identification: Detect and report security incidents
  2. Containment: Limit the impact of the incident
  3. Eradication: Remove the cause of the incident
  4. Recovery: Restore affected systems to normal operation
  5. Lessons Learned: Document findings and improve processes

Security Monitoring & Logging

All systems ship logs to a centralized SIEM for continuous monitoring, analytics, and alerting. Anomalous behavior automatically generates tickets for our security team to investigate.

Log Management

  • Centralized log collection and retention
  • Minimum 12-month log retention period
  • Tamper-evident logging mechanisms
  • Regular log review and analysis
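The tamper-evident bullet above is normally delivered as a hash chain at the collector: each line is MACed together with the MAC of the previous line, so any later edit, deletion or reordering breaks verification from that point on, and the key needed to recompute MACs stays with the collector rather than on the host that emitted the log. The Go program below is an added example, not part of Blackowl's policy or tooling; the key, the field layout and the sample log lines are constructed for the illustration.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Entry is one log record plus the MAC that chains it to its predecessor.
type Entry struct {
	Seq  int    // position in the chain, starting at 0
	Line string // the raw log line as received from the host
	MAC  string // hex HMAC-SHA256(key, prevMAC || seq || line)
}

// Chain is held by the collector. The key stays with the collector, so a host
// that is compromised later cannot recompute MACs for lines it wants to alter.
type Chain struct {
	key     []byte
	entries []Entry
}

func NewChain(key []byte) *Chain { return &Chain{key: key} }

// mac computes the link value for one entry from its predecessor's MAC.
func (c *Chain) mac(prev string, seq int, line string) string {
	h := hmac.New(sha256.New, c.key)
	fmt.Fprintf(h, "%s\n%d\n%s", prev, seq, line)
	return hex.EncodeToString(h.Sum(nil))
}

// Append links a new line to the end of the chain and returns the stored entry.
func (c *Chain) Append(line string) Entry {
	prev := ""
	if n := len(c.entries); n > 0 {
		prev = c.entries[n-1].MAC
	}
	e := Entry{Seq: len(c.entries), Line: line, MAC: c.mac(prev, len(c.entries), line)}
	c.entries = append(c.entries, e)
	return e
}

// Entries returns a copy of the stored chain so callers cannot alter it in place.
func (c *Chain) Entries() []Entry {
	out := make([]Entry, len(c.entries))
	copy(out, c.entries)
	return out
}

// Verify recomputes every link. It returns -1 on success, otherwise the index of
// the first entry whose sequence number or MAC does not match: an edited line,
// a deleted or reordered entry, or a chain produced under a different key.
func Verify(key []byte, entries []Entry) (int, error) {
	c := &Chain{key: key}
	prev := ""
	for i, e := range entries {
		if e.Seq != i {
			return i, errors.New("sequence gap: entry removed or reordered")
		}
		if want := c.mac(prev, i, e.Line); !hmac.Equal([]byte(want), []byte(e.MAC)) {
			return i, errors.New("MAC mismatch: entry modified or wrong key")
		}
		prev = e.MAC
	}
	return -1, nil
}

func main() {
	key := []byte("constructed-demo-key") // in practice a KMS- or HSM-held secret
	c := NewChain(key)
	for _, l := range []string{ // constructed sample lines, not real log data
		"2025-03-01T10:00:01Z auth user=alice result=ok src=10.0.0.5",
		"2025-03-01T10:00:07Z auth user=admin result=fail src=203.0.113.9",
		"2025-03-01T10:00:09Z sudo user=admin cmd=/bin/bash",
	} {
		c.Append(l)
	}
	log := c.Entries()
	fmt.Println(Verify(key, log))
	log[1].Line = "2025-03-01T10:00:07Z auth user=admin result=ok src=203.0.113.9"
	fmt.Println(Verify(key, log)) // reports index 1: the rewritten failed login
}
```

One gap a chain alone does not close: cutting entries off the end of the log leaves a valid shorter chain. The collector therefore also has to anchor the latest MAC somewhere the log writer cannot reach (a separate store, or periodically into the SIEM's own audit trail) so that truncation is detectable as well.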

Business Continuity & Disaster Recovery

Critical data is backed up daily and replicated across multiple GCP regions. Quarterly disaster-recovery drills validate that our Recovery Point Objective (RPO) is under 1 hour and our Recovery Time Objective (RTO) is under 2 hours; the sub-hour RPO depends on the cross-region replication, since a daily backup alone could lose up to 24 hours of data.

Backup Procedures

  • Regular testing of backup restoration
  • Offsite storage of critical backups
  • Documentation of recovery procedures
  • Annual review of business continuity plans

Third‑Party Risk Management

We require all vendor partners to hold ISO 27001 certification or a current SOC 2 report. Annual security reviews and contractually enforced security requirements ensure their controls remain robust.

Vendor Assessment

  • Security assessment prior to engagement
  • Regular security reviews of existing vendors
  • Contractual security requirements
  • Right to audit provisions in contracts

Secure Development Lifecycle

Our development process integrates static and dynamic code analysis, threat modelling, and mandatory security code reviews to address OWASP Top 10 risks before deployment.

Secure Coding Practices

  • Security requirements in software design
  • Regular code reviews with security focus
  • Pre-production security testing
  • Vulnerability management throughout the development lifecycle

Employee Training & Awareness

All team members undergo security awareness training upon hire and annually. Regular phishing simulations and policy refreshers keep security top-of-mind across the organization.

Security Training Program

  • New hire security orientation
  • Annual security awareness refresher training
  • Role-specific security training
  • Security incident reporting procedures

Physical Security

Facility Access Controls

  • Restricted access to server rooms and data centers
  • Visitor management procedures
  • CCTV monitoring of sensitive areas
  • Regular physical security assessments

Equipment Security

  • Asset inventory and management
  • Secure disposal of equipment
  • Protection of unattended equipment
  • Clear desk and clear screen policy

Compliance and Audit

Regulatory Compliance

  • Regular compliance assessments
  • Documentation of compliance activities
  • Remediation of compliance gaps
  • Monitoring of regulatory changes

Internal Audits

  • Regular security control audits
  • Independent review of security practices
  • Management review of audit findings
  • Tracking of remediation activities

Policy Enforcement

Violations of this policy may result in disciplinary action, up to and including termination of employment or contract. All suspected violations must be reported to the Information Security team.

Policy Review and Updates

This policy will be reviewed annually and updated as necessary to reflect changes in technology, business requirements, or regulatory environment.

Contact Information

For questions about this policy, please contact:
[email protected]

© 2025 Blackowl Pte Ltd

This content is provided for informational purposes only and is not intended as and may not be relied on in any manner as investment advice, a recommendation of any interest in any security offered on Blackowl. All investments involve risk, including the possible loss of principal. Past performance does not guarantee future results, and investors should consider their own investment goals, risk tolerance, and financial situation before investing.

The information contained herein is subject to change. Blackowl is owned and operated by Blackowl Pte Ltd. Brokerage and clearing services are provided by third-party providers who are registered members of FINRA/SIPC. Blackowl is not a broker-dealer or investment adviser. The registrations and memberships above in no way imply that the SEC, FINRA, or SIPC has endorsed the entities, products, or services discussed herein.