Security Policy
Last Updated: April 15, 2025
At orionex, we are committed to protecting the security and integrity of our systems, services, and the data entrusted to us by our clients and users. This Security Policy outlines our approach to information security, the measures we implement, and your role in maintaining a secure environment.
1. Information Security Framework
We maintain a comprehensive information security framework designed to protect against unauthorized access, disclosure, alteration, and destruction of data. Our security practices are based on industry-recognized standards and are regularly reviewed and updated to address emerging threats.
Security Principles
- Confidentiality: Ensuring that information is accessible only to authorized individuals and systems
- Integrity: Maintaining the accuracy and completeness of data throughout its lifecycle
- Availability: Ensuring that authorized users have reliable access to information and services when needed
- Accountability: Tracking and logging access to systems and data for audit purposes
2. Data Protection and Privacy
We implement robust measures to protect personal and sensitive information from unauthorized access, loss, or misuse.
Data Encryption
- All data transmitted between users and our services is encrypted using industry-standard TLS/SSL protocols
- Sensitive data stored on our systems is encrypted at rest using strong encryption algorithms
- Encryption keys are managed securely and rotated regularly
- We employ end-to-end encryption for highly sensitive communications where applicable
Data Access Controls
- Access to data is granted on a need-to-know and least-privilege basis
- Multi-factor authentication is required for access to sensitive systems and data
- User access rights are reviewed regularly and revoked when no longer necessary
- All access to sensitive data is logged and monitored for suspicious activity
Data Retention and Disposal
- Data is retained only for as long as necessary to fulfill business and legal requirements
- Secure deletion procedures are employed when data reaches end of life
- Data disposal methods ensure information cannot be recovered or reconstructed
3. Network and Infrastructure Security
Our network infrastructure is designed with multiple layers of security to protect against external and internal threats.
Network Protection
- Firewalls and intrusion detection systems monitor and filter network traffic
- Network segmentation isolates critical systems and sensitive data
- Regular vulnerability scans identify and address potential security weaknesses
- Distributed denial-of-service (DDoS) protection safeguards service availability
Server and Application Security
- Servers are hardened according to security best practices
- Operating systems and software are kept up to date with security patches
- Applications undergo security testing during development and deployment
- Web application firewalls protect against common attack vectors
Cloud Security
- Cloud infrastructure providers are selected based on their security certifications and practices
- Cloud resources are configured following security best practices and compliance requirements
- Regular audits ensure cloud security configurations remain appropriate
4. Access Management
We maintain strict controls over who can access our systems and data, ensuring authentication and authorization processes are robust.
User Authentication
- Strong password requirements are enforced for all user accounts
- Multi-factor authentication is required for administrative and sensitive accounts
- Account lockout policies prevent brute-force attacks
- Session timeouts automatically terminate inactive sessions
Administrative Access
- Administrative privileges are granted only to authorized personnel
- Privileged access is monitored and logged
- Administrative actions are subject to approval workflows where appropriate
- Temporary elevated access is time-limited and automatically revoked
Third-Party Access
- Vendors and partners are granted access only when necessary and with appropriate restrictions
- Third-party access is regularly reviewed and audited
- Contracts with third parties include security and confidentiality requirements
5. Security Monitoring and Incident Response
We actively monitor our systems for security threats and have established procedures to respond to security incidents promptly and effectively.
Security Monitoring
- Automated systems continuously monitor for suspicious activity and security events
- Security logs are collected, analyzed, and retained for investigation purposes
- Alerts are generated for potential security incidents requiring investigation
- Regular security assessments identify vulnerabilities and compliance gaps
Incident Response Process
In the event of a security incident, we follow a structured response process:
- Detection and Reporting: Security incidents are identified through monitoring or reported by users and staff
- Assessment: The nature and severity of the incident are evaluated
- Containment: Immediate action is taken to limit the impact and prevent further damage
- Eradication: The root cause is identified and removed from systems
- Recovery: Affected systems and services are restored to normal operation
- Post-Incident Review: The incident is analyzed to improve future response and prevention
Breach Notification
- In the event of a data breach affecting personal information, we will notify affected individuals and relevant authorities as required by applicable laws
- Notifications will be made without undue delay and include information about the nature of the breach and steps being taken
6. Application and Development Security
Security is integrated throughout our software development lifecycle to ensure applications are designed, built, and maintained with security in mind.
Secure Development Practices
- Security requirements are defined at the beginning of development projects
- Code reviews include security considerations
- Automated security testing tools scan code for vulnerabilities
- Third-party libraries and dependencies are monitored for known vulnerabilities
Application Testing
- Applications undergo security testing before deployment
- Penetration testing is performed by qualified security professionals
- Vulnerability assessments identify potential security weaknesses
- Issues identified during testing are remediated before release
Change Management
- Changes to production systems follow controlled processes
- Security implications are assessed before implementing changes
- Rollback procedures are in place to revert problematic changes
7. Physical and Environmental Security
Physical access to facilities and equipment is controlled to prevent unauthorized access to systems and data.
Facility Security
- Data centers and offices implement access control systems
- Visitors are logged and escorted when accessing secure areas
- Surveillance systems monitor critical areas
- Environmental controls protect equipment from physical damage
Equipment Security
- Computing equipment is physically secured to prevent theft or tampering
- Portable devices are encrypted and protected with strong authentication
- Equipment disposal follows secure sanitization procedures
8. Business Continuity and Disaster Recovery
We maintain plans and procedures to ensure critical services can continue or be quickly restored in the event of disruptions.
Backup Procedures
- Regular backups of critical data and systems are performed
- Backups are encrypted and stored securely in multiple locations
- Backup integrity is regularly tested through restoration exercises
- Retention periods for backups comply with business and legal requirements
Disaster Recovery Planning
- Disaster recovery plans document procedures to restore services after major disruptions
- Recovery time objectives and recovery point objectives are defined for critical systems
- Disaster recovery plans are tested and updated regularly
- Redundant infrastructure supports rapid service restoration
9. Third-Party Security
We carefully evaluate and manage security risks associated with third-party service providers and vendors.
Vendor Assessment
- Third-party providers are assessed for security capabilities before engagement
- Contracts include security requirements and right-to-audit clauses
- Vendor security practices are reviewed periodically
- High-risk vendors undergo enhanced due diligence
Data Sharing
- Data shared with third parties is limited to what is necessary
- Data processing agreements define security and privacy responsibilities
- Third-party data handling practices are monitored for compliance
10. Employee Security
Our employees are essential to maintaining security, and we invest in their training and awareness.
Security Training
- All employees receive security awareness training upon hiring and regularly thereafter
- Training covers common threats such as phishing, social engineering, and malware
- Role-specific training is provided to employees with security responsibilities
- Security updates and reminders are communicated to staff regularly
Acceptable Use
- Employees must comply with acceptable use policies for company systems and data
- Personal use of company resources is limited and monitored
- Violations of security policies may result in disciplinary action
Background Checks
- Background checks are conducted for employees with access to sensitive systems or data
- Checks are performed in accordance with applicable laws and regulations
11. Compliance and Auditing
We maintain compliance with applicable laws, regulations, and industry standards relevant to information security.
Regulatory Compliance
- Security controls align with requirements of relevant data protection and privacy regulations
- Compliance obligations are identified and documented
- Regular assessments ensure ongoing compliance with regulatory requirements
Security Audits
- Internal audits assess the effectiveness of security controls
- Independent third-party audits may be conducted periodically
- Audit findings are tracked and remediated in a timely manner
- Audit reports are available to authorized parties upon request
12. User Responsibilities
Users play a critical role in maintaining security. By using our services, you agree to:
- Maintain the confidentiality of your account credentials and not share them with others
- Use strong, unique passwords and enable multi-factor authentication where available
- Report suspicious activity or potential security incidents promptly
- Comply with acceptable use policies and not attempt to compromise security
- Keep your devices and software up to date with security patches
- Be cautious of phishing attempts and social engineering tactics
- Not upload or transmit malicious software or content
13. Responsible Disclosure
We welcome reports from security researchers and users who discover potential vulnerabilities in our systems.
Reporting Vulnerabilities
If you discover a security vulnerability, please report it to us by contacting:
- Email: support@orionex.online
- Phone: +44 1582 481263
Disclosure Guidelines
When reporting vulnerabilities, please:
- Provide detailed information about the vulnerability and how it can be reproduced
- Allow reasonable time for us to investigate and address the issue before public disclosure
- Avoid accessing or modifying data that does not belong to you
- Refrain from testing that could disrupt services or harm users
We commit to:
- Acknowledge receipt of vulnerability reports promptly
- Provide updates on our investigation and remediation efforts
- Recognize responsible disclosure efforts appropriately
- Refrain from pursuing legal action against researchers acting in good faith
14. Security Updates and Communications
We may update this Security Policy to reflect changes in our practices, technologies, or legal requirements.
Policy Updates
- Updates to this policy will be posted on our website with a revised date
- Significant changes may be communicated through additional channels
- Continued use of our services after updates constitutes acceptance of changes
Security Advisories
- We may issue security advisories to inform users of relevant threats or incidents
- Users are encouraged to subscribe to security notifications
15. Limitations and Disclaimers
While we implement comprehensive security measures, no system can be completely secure. We cannot guarantee absolute security or prevent all unauthorized access, loss, or misuse of data.
Users acknowledge that:
- Internet transmission and electronic storage carry inherent security risks
- They are responsible for securing their own devices and networks
- They use our services at their own risk within the bounds of applicable terms
16. Contact Information
For questions, concerns, or reports related to security, please contact us:
orionex
City of London School for Girls, Barbican
St Giles Terrace, Wood St
London EC2Y 8BB
United Kingdom
Email: support@orionex.online
Phone: +44 1582 481263
WhatsApp: +44 1582 481263
Telegram: +44 1582 481263
This Security Policy is effective as of the last updated date shown above and applies to all users of orionex services and systems.