Security Statement
At Longiflo, we are committed to protecting the security of the data you entrust to us. We use a multi-layered approach to secure our platform and your information, in compliance with our obligations as a Data Processor under the DDPA, 2023.
1. Data Encryption
- Encryption in Transit: All data transferred between you, your end-users, and our servers is encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher).
- Encryption at Rest:
  - Survey Responses: All survey responses containing personal data are individually encrypted using the Fernet symmetric encryption scheme before being stored in our database.
  - Account Credentials: Sensitive account information, such as your password and third-party tokens (e.g., Google), is encrypted at the application level before being stored.
  - Infrastructure-Level Encryption: All data stored on our underlying infrastructure (databases, file storage) is automatically encrypted at rest by our cloud provider, Google Cloud Platform.
2. Infrastructure Security
- Cloud Provider: Longiflo is hosted on Google Cloud Platform (GCP), a leading cloud provider that maintains compliance with numerous international security standards, including SOC 2, ISO 27001, and PCI DSS.
- Network Security: Our production environment is protected by firewalls, and we follow the principle of least-privilege access to all network resources.
3. Application Security
- Secure Authentication: We enforce strong password policies and provide Two-Factor Authentication (2FA) for all user accounts to prevent unauthorized access.
- Secure Development: We follow secure coding practices to prevent common vulnerabilities such as SQL injection and Cross-Site Scripting (XSS).
- Web Application Protections: We utilize security headers like Content-Security-Policy (CSP) and protections against Cross-Site Request Forgery (CSRF) to secure our web application.
4. Access Control
- Principle of Least Privilege: Access to production systems and customer data is strictly limited to authorized Longiflo personnel on a need-to-know basis for tasks such as system maintenance and customer support.
- Audit Logging: We maintain detailed audit logs of all actions taken within our administrative systems to ensure accountability.
5. Personal Data Breach Response
In the event of a personal data breach, we have an incident response plan designed to:
- Detect and Contain: Promptly identify and contain the breach to minimize its impact.
- Investigate: Understand the nature and scope of the breach.
- Notify: As your Data Processor, we will notify the affected customer (the Data Fiduciary) without undue delay. This notification will provide you with the necessary information to fulfill your legal obligations to inform the Data Protection Board of India and the affected Data Principals, as required by the DDPA.
6. Your Security Responsibilities
Security is a shared responsibility. We urge you to:
- Use a strong, unique password for your Longiflo account.
- Enable Two-Factor Authentication (2FA) in your account settings.
- Keep your login credentials confidential.
7. Reporting Vulnerabilities
If you believe you have discovered a security vulnerability in our platform, please report it to us at security@longiflo.com. We are committed to working with the security community to resolve issues promptly.