Security Policy
Last Updated: November 29, 2025
Qumarenvia ("we," "us," or "our") is committed to protecting the security of our systems, data, and the information entrusted to us by our users. This Security Policy describes the measures we take to safeguard our platform and outlines the responsibilities of all parties in maintaining a secure environment.
By accessing or using our services, you acknowledge that you have read and understood this Security Policy and agree to cooperate with the security practices described herein.
1. Scope
This policy applies to all systems, infrastructure, services, and data operated or managed by Qumarenvia, including web-based applications, APIs, communication channels, and any associated data storage or processing environments. It applies to all users, staff, contractors, and third-party service providers who interact with our platform.
2. Data Protection and Encryption
2.1 Data in Transit
All data transmitted between users and our platform is encrypted in transit using industry-standard Transport Layer Security (TLS). We enforce encrypted connections and reject unencrypted (plaintext) communication to and from our core services.
2.2 Data at Rest
Sensitive data stored on our systems is encrypted at rest using strong, industry-standard encryption. Encryption keys are managed through secure key management processes and rotated on a regular basis to minimize the risk of exposure.
2.3 Backups
We maintain regular encrypted backups of critical data. Backup integrity is periodically tested to ensure recoverability in the event of system failure or data loss. Backup access is restricted to authorized personnel only.
3. Access Control
3.1 Authentication
Access to our internal systems and to user accounts is protected by strong authentication mechanisms. We support multi-factor authentication (MFA) and encourage its use on every account that supports it. Passwords are stored only as salted hashes produced by a secure password hashing algorithm and are never stored in plain text.
3.2 Principle of Least Privilege
Access to systems and data is granted on a need-to-know basis. Personnel are given only the minimum level of access required to perform their job functions. Access rights are reviewed periodically and revoked promptly when no longer necessary.
3.3 Administrative Access
Administrative and privileged access to production environments is strictly controlled, logged, and audited. Remote administrative access is permitted only through secure, encrypted channels. Default credentials are always changed prior to deployment.
4. Network Security
4.1 Firewalls and Perimeter Defense
Our infrastructure is protected by firewalls and network segmentation to limit exposure of internal services. Unnecessary network ports and protocols are disabled. Traffic to and from our systems is monitored for anomalous activity.
4.2 Intrusion Detection and Prevention
We employ intrusion detection and prevention systems to identify and respond to suspicious activity in real time. Alerts are reviewed by our security team and escalated according to defined incident response procedures.
4.3 DDoS Protection
Our platform incorporates protections against distributed denial-of-service (DDoS) attacks through rate limiting, traffic analysis, and infrastructure-level mitigation services to maintain availability during high-volume attack scenarios.
5. Application Security
5.1 Secure Development Practices
Our development team follows secure coding guidelines throughout the software development lifecycle. Code is reviewed for security vulnerabilities before deployment. We incorporate security considerations into design, development, testing, and release phases.
5.2 Vulnerability Management
We conduct regular vulnerability assessments and security testing of our platform and infrastructure. Identified vulnerabilities are classified by severity and remediated according to defined timelines. Critical vulnerabilities are addressed on a priority basis.
5.3 Dependency Management
Third-party libraries, frameworks, and dependencies used in our platform are monitored for known security vulnerabilities. We apply patches and updates promptly to minimize exposure to publicly disclosed security issues.
5.4 Input Validation and Output Encoding
Our applications are built with protections against common web application vulnerabilities, including, but not limited to, SQL injection, cross-site scripting (XSS), cross-site request forgery (CSRF), and insecure deserialization. Input is validated and output is encoded consistently throughout the platform.
6. Incident Response
6.1 Detection and Reporting
We maintain processes for detecting, reporting, and responding to security incidents. Security events are logged and monitored continuously. Internal teams are trained to identify and escalate potential incidents promptly.
6.2 Response Procedures
Upon identification of a confirmed security incident, our response team follows a structured process that includes containment, investigation, remediation, and post-incident review. Our goal is to minimize impact, restore services, and prevent recurrence.
6.3 User Notification
In the event of a security incident that materially affects user data or account security, we will notify affected users in a timely manner through appropriate communication channels. Notifications will describe the nature of the incident and any recommended steps users should take.
7. Third-Party Security
7.1 Vendor Assessment
We evaluate the security practices of third-party vendors and service providers before engaging them. Vendors who handle sensitive data or access our systems are required to meet acceptable security standards.
7.2 Data Sharing
Data shared with third parties is limited to what is necessary for the delivery of services. Contractual obligations require third parties to maintain appropriate security controls and to handle data responsibly.
7.3 Ongoing Monitoring
We periodically review the security posture of critical third-party relationships. Changes to vendor security practices that may affect our platform are evaluated and addressed as appropriate.
8. Physical Security
Our services are hosted in data center facilities that maintain physical security controls including restricted access, surveillance, environmental controls, and redundant power and connectivity. Physical access to servers and infrastructure is limited to authorized personnel.
9. User Responsibilities
Users of our platform play an important role in maintaining security. To help protect your account and data, you are responsible for:
- Keeping your login credentials confidential and not sharing them with others
- Using a strong, unique password for your account
- Enabling multi-factor authentication where available
- Logging out of your account when using shared or public devices
- Reporting any suspected unauthorized access or suspicious activity to us promptly
- Keeping your devices and software up to date with security patches
- Avoiding the use of our platform on unsecured or public networks without appropriate precautions
We are not responsible for security incidents resulting from a user's failure to take reasonable precautions or from the compromise of credentials outside of our control.
10. Security Awareness and Training
We invest in security awareness and training for all personnel who have access to our systems or user data. Training covers topics including phishing, social engineering, secure data handling, and incident reporting. Security awareness is treated as an ongoing responsibility rather than a one-time activity.
11. Logging and Monitoring
We maintain comprehensive logs of access to and activity within our systems. Logs are protected from unauthorized access and modification. Log data is retained for a period sufficient to support security investigations and compliance requirements. Automated monitoring systems are in place to detect unusual patterns and trigger alerts for review.
12. Business Continuity and Disaster Recovery
We maintain business continuity and disaster recovery plans designed to ensure the availability of our services in the event of unexpected disruptions. These plans are tested and reviewed periodically. Our infrastructure is designed with redundancy to reduce the risk of service interruption.
13. Responsible Disclosure
We welcome reports from security researchers and members of the public who discover potential security vulnerabilities in our platform. If you believe you have identified a security issue, please contact us promptly using the details provided below. We ask that you:
- Report findings privately and allow us reasonable time to investigate and remediate before any public disclosure
- Avoid accessing, modifying, or deleting data that does not belong to you
- Refrain from actions that could disrupt or degrade our services
- Not use vulnerabilities for personal gain or to harm others
We will acknowledge receipt of valid reports and work with reporters in good faith to resolve confirmed issues.
14. Policy Review and Updates
This Security Policy is reviewed on a regular basis and updated as necessary to reflect changes in our practices, technology, or the threat landscape. Significant changes will be communicated to users where appropriate. Continued use of our services following any update constitutes acceptance of the revised policy.
15. Contact Us
If you have questions, concerns, or reports related to this Security Policy or the security of our platform, please contact us using the following details:
Qumarenvia
30 Eric Ave, Scheepershoogte, Kariega, 6229, South Africa
Email: help@qumarenvia.com
Phone: +27 33 341 2266