Security Policy
URIGHTCOMPANY FINANCE LIMITED
Effective Date: 01.03.2025
1. Purpose
This policy defines the security framework used by URIGHTCOMPANY FINANCE LIMITED to protect client data, financial transactions, and internal systems from unauthorized access, data breaches, fraud, and other threats.
2. Scope
This policy applies to:
– All employees and contractors
– All information systems used by the company
– All client-related data and transactions
– All access to internal tools and infrastructure
3. Information Security Principles
Our security program is based on:
– Confidentiality: Data is only accessible by authorized parties
– Integrity: Data is protected from unauthorized modification
– Availability: Services are operational and data is accessible when needed
4. Access Controls
– Access to sensitive systems is based on role and necessity
– All systems require strong passwords and 2-Factor Authentication (2FA)
– Access is logged and reviewed regularly by the security team
– Permissions are reviewed quarterly or upon role change/termination
5. Data Encryption
– All sensitive data is encrypted at rest and in transit
– TLS (Transport Layer Security) is enforced for all communications
– Encrypted backups are maintained in secure, offsite/cloud locations
6. Payment & Transaction Security
– Real-time transaction monitoring for fraud and unusual patterns
– Multi-layered risk scoring system to flag suspicious activity
– Withdrawals require identity confirmation or whitelisting
– Crypto transactions are validated through blockchain checks
7. Device & Endpoint Security
– All company devices use full-disk encryption
– Antivirus, anti-malware, and firewall software is installed and updated regularly
– USB access is disabled or restricted
– Remote device wipe is enabled for lost/stolen devices
8. Network Security
– Firewalls and intrusion detection systems (IDS) protect all servers
– VPN is required for remote access to production environments
– Regular network penetration testing and vulnerability assessments
9. Incident Response
In case of a suspected breach or incident:
– Immediate containment and analysis
– Notification of affected parties (as required by PIPEDA)
– Root cause analysis and resolution
– Reporting to regulatory authorities when necessary
10. Employee Training
All employees receive:
– Security awareness training at onboarding
– Annual refresher training on phishing, password hygiene, and secure data handling
11. Third-Party Security
– Vendors and partners undergo risk assessments
– Data sharing agreements include security and confidentiality clauses
– External tools must meet equivalent security standards
12. Monitoring and Audit
– Logs of all access and changes are maintained for a minimum of 5 years
– The security team reviews logs and alerts and performs monthly audits
13. Policy Review
This policy is reviewed and updated at least annually or upon significant changes in systems, regulations, or threats.