Security Policies

Version: 1.1

1. Introduction

We are a Software-as-a-Service (SaaS) company specializing in advanced solutions for animal production management. Our platform is hosted on Microsoft Azure and is designed following industry best practices for security, reliability, and resilience.

This document outlines the security measures we implement to protect the confidentiality, integrity, and availability of customer data, as well as the continuity of our services.


2. Data Isolation

Each customer subscription is deployed within a logically isolated data environment to ensure strong tenant separation. Animal production records are stored in a dedicated database per subscription, preventing data access between customers.

Optionally, individual farms within a subscription may be assigned separate databases to provide an additional layer of logical and physical isolation. This architecture is designed to preserve the confidentiality, integrity, and security of customer data across all tenants.


3. Cloud Infrastructure and Azure Security

Our infrastructure is deployed on Microsoft Azure (United States region), leveraging its enterprise-grade security, compliance, and resiliency capabilities. Core components include:

Infrastructure as Code (IaC)

  • All cloud infrastructure is provisioned using Bicep, Microsoft’s native Infrastructure-as-Code (IaC) language for Azure.
  • This approach ensures consistent, repeatable, and auditable deployments.
  • Complete environments can be deployed or rebuilt within minutes, supporting rapid recovery, scalability, and disaster recovery scenarios.
  • Infrastructure definitions are version-controlled to reduce configuration drift and human error.

Virtual Machines (VMs)

  • Critical services are hosted on Azure Virtual Machines.
  • VM disks are configured with redundancy to improve resilience and data durability.
  • Operating system and security updates are applied regularly as part of our maintenance processes.

Kubernetes

  • Application services are containerized and orchestrated using Kubernetes to support horizontal scalability, high availability, and fault tolerance.
  • Role-Based Access Control (RBAC) policies are enforced at cluster and namespace levels.

Application Gateway & DDoS Protection

  • Azure Application Gateway is used to manage inbound traffic and provide Web Application Firewall (WAF) protection.
  • Azure DDoS Protection helps mitigate volumetric, protocol, and resource exhaustion attacks.

Backup and Storage Resilience

  • Databases and critical system components are backed up daily.
  • Storage accounts and disks use Azure redundancy options (e.g., ZRS / RA-GRS) to enhance durability and disaster recovery capabilities.

4. Authentication and Access Control

Strict identity and access management policies are applied to protect sensitive data and administrative operations:

  • Multi-Factor Authentication (MFA) is enforced for all Agritec staff accounts with administrative privileges.
  • Role-Based Access Control (RBAC) is applied following the principle of least privilege.
  • Segregation of duties is implemented where feasible.
  • Periodic access reviews are conducted.

5. Secure Communications

  • All data transmitted between client devices and services is protected using SSL/TLS encryption.
  • Only validated digital certificates are used to prevent man-in-the-middle attacks.
  • Internal service-to-service communications also use encrypted channels where applicable.

6. Redundancy and Business Continuity

To support service availability and data protection, we implement:

  • Infrastructure redundancy at storage and compute levels.
  • Automated backups:
    • Daily backups retained for 30 days.
    • Monthly backups retained for 12 months for long-term recovery.
  • Documented disaster recovery procedures designed to reduce downtime and data loss.
  • Offline Functionality: The mobile application supports offline operation, allowing users to continue essential tasks during temporary connectivity disruptions. Data is synchronized once connectivity is restored.

7. Disaster Recovery

The Recovery Time Objective (RTO) represents the target timeframe for restoring service after an incident has been detected and its impact assessed. The indicative RTO for the service is 6 hours.

The Recovery Point Objective (RPO) indicates the target maximum data loss window following an incident. The indicative RPO for the service is 24 hours.

RTO and RPO values are provided for informational purposes only and do not constitute contractual service guarantees. Actual recovery times may vary depending on incident severity, scope, and external dependencies.


8. Secure Development Practices

We apply secure development practices, including:

  • Source code repositories protected by access controls
  • Basic peer code reviews
  • Separation between production and test environments
  • Secure secrets and credential management
  • Logging and traceability of changes deployed to production

9. Monitoring, Logging, and Incident Management

  • Continuous Monitoring: Infrastructure, applications, and network activity are monitored to detect anomalies and operational issues.
  • Alerting: Automated alerts support timely investigation and response.
  • Logging: Security-relevant events and system logs are retained for troubleshooting and analysis.
  • Incident Response: A documented incident response process is in place to manage and mitigate security events.
  • Security Reviews: Periodic security assessments are conducted to identify improvement opportunities.

10. ISO/IEC 27001 Alignment

Information security is a core part of our SaaS platform design and operations.

We are not currently certified under ISO/IEC 27001. However, our information security management practices are aligned with the principles and control framework of ISO/IEC 27001.

Our security approach follows a risk-based model, consistent with ISO/IEC 27001, and covers the protection of confidentiality, integrity, and availability of information.

Our security program is structured around the following principles:

  • Risk management: Information security risks are identified, assessed, and mitigated using documented processes.

  • Access control: Access to systems and data is restricted based on least-privilege and role-based access principles.

  • Data protection: Customer data is logically isolated and protected using industry-standard security measures, including encryption where applicable.

  • Operational security: Secure development practices, change management, monitoring, and backup procedures are in place to ensure system reliability and resilience.

  • Incident management: Security incidents are logged, assessed, and handled according to defined response procedures.

  • Infrastructure security: Our platform is hosted on secure cloud infrastructure and relies on providers with recognized security certifications.

We regularly review and improve our security controls to address emerging threats, operational changes, and customer requirements. Our alignment with ISO/IEC 27001 provides a structured foundation for ongoing improvement and future certification, should it be required.