Security is foundational to how we build and operate SYSSOLUTION. This page summarises the controls, certifications, and operational practices we maintain. For our full Security Whitepaper or to request a vendor security review, contact [email protected].
1. Data Encryption
- In transit: TLS 1.2+ for all client–server and server–server traffic. HSTS preload enabled on web properties.
- At rest: AES-256 for database, object storage (call recordings, attachments), and backups.
- Secrets: Application secrets and customer API keys stored in encrypted secret managers, not in source code.
2. Access Controls
- Role-Based Access Control (RBAC): admin, super_admin, agent, supervisor, and custom roles.
- Two-Factor Authentication (2FA): required for admin accounts; optional for all other users.
- Audit logs: every privileged action is recorded in an append-only, immutable audit log that administrators can review.
- Principle of least privilege: engineers access production only via just-in-time elevation with peer review.
- Single Sign-On (SSO) available for Business and Enterprise plans (Google Workspace).
3. Infrastructure Security
- Hosting primarily in Bangladesh-region data centres; some workloads in international regions for redundancy.
- WireGuard VPN for management access; SSH key authentication only (no passwords).
- Web Application Firewall (WAF) and DDoS mitigation at the edge.
- Network segmentation: production, staging, and corporate networks isolated.
- Hardened server images: minimal packages, automatic security patching.
4. Application Security
- OWASP Top 10 controls applied throughout development.
- Input validation, parameterised queries (no SQL built by string concatenation), CSRF tokens, secure cookies.
- Regular dependency scanning for known CVEs.
- Code review required for all changes touching authentication, payments, or data access.
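As an added illustration of the parameterised-query control listed above (example code written for this page, not SYSSOLUTION's own; it assumes a hypothetical `agents` table held in an in-memory SQLite database): the string-built query is bypassed by a comment-injection payload in the username, while the bound-parameter version treats the same input as an ordinary literal.

```python
import sqlite3

# Constructed fixture: a minimal agents table, not SYSSOLUTION's real schema.
def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE agents (username TEXT, password_hash TEXT, role TEXT)")
    conn.executemany(
        "INSERT INTO agents VALUES (?, ?, ?)",
        [("alice", "h1", "agent"), ("bob", "h2", "supervisor")],
    )
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Vulnerable on purpose: user input is spliced into the statement text,
    # so a quote in the username changes the SQL rather than the data.
    sql = (
        f"SELECT username, role FROM agents WHERE username = '{username}' "
        f"AND password_hash = '{password_hash}'"
    )
    return conn.execute(sql).fetchall()


def login_parameterised(conn: sqlite3.Connection, username: str, password_hash: str) -> list:
    # Hardened: the statement is fixed; values travel as bound parameters
    # and can never be parsed as SQL.
    sql = "SELECT username, role FROM agents WHERE username = ? AND password_hash = ?"
    return conn.execute(sql, (username, password_hash)).fetchall()


# Classic payload: closes the string literal and comments out the password check.
PAYLOAD_USERNAME = "bob' --"


def demo() -> dict:
    conn = make_db()
    return {
        "vulnerable_with_payload": login_vulnerable(conn, PAYLOAD_USERNAME, "wrong"),
        "parameterised_with_payload": login_parameterised(conn, PAYLOAD_USERNAME, "wrong"),
        "parameterised_valid": login_parameterised(conn, "bob", "h2"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The vulnerable query returns Bob's supervisor row without any password match, because the effective statement becomes `... WHERE username = 'bob' --' AND password_hash = 'wrong'`; the parameterised query returns nothing for the same input and only succeeds with the real credentials. The same rule applies whichever driver or ORM is in use: the statement text must never contain user-controlled characters.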
5. AI Workload Security
- AI prompts and responses are processed by approved providers (Anthropic) under contractual data protection.
- AI providers are not authorised to train models on Customer Data.
- BYOK (Bring Your Own Key) available on supported plans for tenants who want full control of model access.
- AI outputs are logged for audit and quality review; sensitive content is redacted before storage where applicable.
6. Telecommunications Security
- SIP signalling protected and call media encrypted wherever the endpoint or carrier supports it; on networks without such support (for example the PSTN leg of an external call) media is not encrypted end-to-end.
- Asterisk endpoints behind hardened firewalls; SIP brute-force protection (fail2ban).
- Recording storage: encrypted at rest, RBAC-controlled access, retention policy per plan.
- Compliance with BTRC (Bangladesh Telecommunication Regulatory Commission) regulations on calling hours, Do Not Call (DNC) lists, and consent.
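As an added illustration of the SIP brute-force protection listed above (example code written for this page, not SYSSOLUTION's or fail2ban's own): a small detector that applies fail2ban-style `maxretry`/`findtime` semantics to Asterisk NOTICE lines. The log lines are constructed to resemble the chan_sip and PJSIP failed-registration wording; the addresses, extensions and call IDs are made up, and only IPv4 sources are handled.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Matches Asterisk NOTICE lines for a failed SIP registration/authentication in
# both the legacy chan_sip wording ("Registration from ... failed for ...") and the
# PJSIP wording ("Request 'REGISTER' from ... failed for ..."). IPv4 only.
FAILED_AUTH_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\] NOTICE\[\d+\] "
    r".*failed for '(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):\d+'"
)

# Constructed sample log (not real traffic): one fast attacker, one user with a
# couple of typos who then registers successfully, and one slow attacker.
SAMPLE_LOG = """\
[2024-05-01 09:00:01] NOTICE[2215] chan_sip.c: Registration from '"1001" <sip:1001@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2024-05-01 09:00:02] NOTICE[2215] chan_sip.c: Registration from '"1002" <sip:1002@203.0.113.10>' failed for '198.51.100.23:5060' - Wrong password
[2024-05-01 09:00:02] NOTICE[2215] chan_sip.c: Registration from '"1003" <sip:1003@203.0.113.10>' failed for '198.51.100.23:5060' - No matching peer found
[2024-05-01 09:00:03] NOTICE[2215] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1004" <sip:1004@203.0.113.10>' failed for '198.51.100.23:5060' (callid: 1a2b) - Failed to authenticate
[2024-05-01 09:00:04] NOTICE[2215] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1005" <sip:1005@203.0.113.10>' failed for '198.51.100.23:5060' (callid: 3c4d) - Failed to authenticate
[2024-05-01 09:00:05] NOTICE[2215] res_pjsip/pjsip_distributor.c: Request 'REGISTER' from '"1006" <sip:1006@203.0.113.10>' failed for '198.51.100.23:5060' (callid: 5e6f) - Failed to authenticate
[2024-05-01 09:01:00] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '198.51.100.77:5060' - Wrong password
[2024-05-01 09:05:00] NOTICE[2215] chan_sip.c: Registration from '"2001" <sip:2001@203.0.113.10>' failed for '198.51.100.77:5060' - Wrong password
[2024-05-01 09:06:00] VERBOSE[2215] chan_sip.c: -- Registered SIP '2001' at 198.51.100.77:5060
[2024-05-01 09:10:00] NOTICE[2215] chan_sip.c: Registration from '"3001" <sip:3001@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
[2024-05-01 09:15:00] NOTICE[2215] chan_sip.c: Registration from '"3001" <sip:3001@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
[2024-05-01 09:20:00] NOTICE[2215] chan_sip.c: Registration from '"3001" <sip:3001@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
[2024-05-01 09:25:00] NOTICE[2215] chan_sip.c: Registration from '"3001" <sip:3001@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
[2024-05-01 09:30:00] NOTICE[2215] chan_sip.c: Registration from '"3001" <sip:3001@203.0.113.10>' failed for '192.0.2.9:5060' - Wrong password
"""


def parse_failed_auth(line: str):
    """Return (timestamp, source_ip) for a failed-auth NOTICE line, else None."""
    m = FAILED_AUTH_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S"), m.group("ip")


def find_brute_force_sources(lines, maxretry: int = 5, findtime: int = 600):
    """Sliding-window count per source IP, as fail2ban does with maxretry/findtime.

    Returns [(ip, timestamp_of_triggering_failure), ...] in detection order; an IP
    is reported once, at the failure that brings its count within `findtime`
    seconds to `maxretry`.
    """
    window = defaultdict(deque)   # ip -> timestamps of recent failures
    banned, seen = [], set()
    for line in lines:
        parsed = parse_failed_auth(line)
        if parsed is None:
            continue
        ts, ip = parsed
        q = window[ip]
        q.append(ts)
        # Drop failures older than the window relative to this event.
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()
        if len(q) >= maxretry and ip not in seen:
            seen.add(ip)
            banned.append((ip, ts.strftime("%Y-%m-%d %H:%M:%S")))
    return banned


if __name__ == "__main__":
    print(find_brute_force_sources(SAMPLE_LOG.splitlines()))
    print(find_brute_force_sources(SAMPLE_LOG.splitlines(), maxretry=3, findtime=900))
```

With the default five failures in ten minutes, only 198.51.100.23 is reported (at its fifth failure); the slow attacker at 192.0.2.9 never has more than three failures inside any ten-minute window and escapes, which is why findtime and maxretry need tuning against observed traffic and why edge-level rate limiting complements log-based banning rather than replacing it. Tightening to three failures in fifteen minutes catches 192.0.2.9 as well without touching the legitimate user at 198.51.100.77.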
7. Backups & Disaster Recovery
- Database snapshots taken at least daily, retained 30–90 days depending on plan.
- Object storage replicated across multiple zones.
- Recovery Time Objective (RTO): 4 hours. Recovery Point Objective (RPO): 24 hours (lower on Enterprise plans).
- Quarterly disaster-recovery drills.
8. Compliance & Audits
- Regular internal security reviews; external penetration testing on a defined cadence for Business and Enterprise tiers.
- SOC 2 and ISO 27001 alignment in progress; formal certifications targeted as the company matures.
- Bangladesh Data Protection Act compliance.
- GDPR-aligned data handling for international customers (see our Privacy Policy).
9. Incident Response
We maintain a documented incident-response plan:
- Detection: monitoring, alerts, customer reports.
- Containment: isolate affected systems within hours.
- Eradication & Recovery: patch, restore, validate.
- Notification: affected customers are notified within 72 hours of our confirming a breach involving their data.
- Post-mortem: published internally; summary available to enterprise customers on request.
10. Responsible Disclosure
Security researchers are welcome. If you discover a vulnerability, please email [email protected] with details. We will acknowledge within 2 business days, investigate, and coordinate disclosure. We do not currently run a paid bug-bounty programme, but we recognise responsible disclosure in our Hall of Fame.
Please do not: access data that isn’t yours, disrupt service, or publicly disclose before we have had reasonable time to fix.
11. Vendor Security Reviews
Enterprise prospects may request our Security Whitepaper, completed CAIQ / SIG-Lite questionnaires, and SOC 2 Type 2 readiness summary. Email [email protected].
12. Contact
Security team: [email protected]
General contact: /contact