Optivra

Back to Home

Security Overview

Last Updated: January 2025

1. Introduction

At Optivra, security is fundamental to everything we do. This document provides an overview of our comprehensive security program designed to protect your data and ensure the integrity of our people intelligence platform.

Our security approach is built on industry best practices, international standards, and a commitment to continuous improvement.

2. Security Framework

Our security program is aligned with:

  • ISO 27001: Information Security Management System
  • SOC 2 Type II: Service Organization Control
  • NIST Cybersecurity Framework: Risk-based approach
  • GDPR: Data protection and privacy requirements
  • PDPL: Saudi Personal Data Protection Law

3. Data Security

3.1 Privacy by Design

Our platform is built on privacy-first principles:

  • No Personal Data: We do NOT collect, process, or store personal identifiable information
  • No Cameras: Our Wi-Fi sensing technology operates without visual surveillance
  • Anonymization: All data is anonymized at the point of collection
  • Aggregation: Data is aggregated to prevent individual identification

3.2 Encryption

  • Data in Transit: TLS 1.3 encryption for all data transmission
  • Data at Rest: AES-256 encryption for stored data
  • End-to-End: Encrypted communication between sensors and cloud
  • Key Management: Hardware Security Modules (HSM) for key storage

3.3 Data Isolation

  • Multi-tenant architecture with logical separation
  • Customer data segregation at database level
  • Dedicated encryption keys per customer
  • No cross-customer data access or sharing

4. Infrastructure Security

4.1 Cloud Infrastructure

We leverage enterprise-grade cloud providers:

  • AWS: Primary hosting with EU data residency options
  • Geographic Redundancy: Multi-region deployment for resilience
  • DDoS Protection: AWS Shield and WAF integration
  • Compliance: SOC 2, ISO 27001, and GDPR certified infrastructure

4.2 Network Security

  • Virtual Private Cloud (VPC) isolation
  • Network segmentation with security groups
  • Intrusion Detection and Prevention Systems (IDS/IPS)
  • Next-generation firewalls
  • Regular network penetration testing

4.3 Hardware Security

Our Wi-Fi sensing hardware includes:

  • Secure boot and firmware validation
  • Encrypted storage and communication
  • Tamper detection and response
  • Regular firmware security updates
  • Hardware attestation mechanisms

5. Application Security

5.1 Secure Development

  • SDLC Integration: Security embedded in development lifecycle
  • Code Reviews: Mandatory peer review and security scanning
  • Static Analysis: Automated code security testing
  • Dependency Management: Regular vulnerability scanning of libraries
  • Secure Coding Standards: OWASP Top 10 compliance

5.2 Authentication and Authorization

  • Multi-Factor Authentication (MFA): Required for all user accounts
  • Single Sign-On (SSO): SAML 2.0 and OAuth 2.0 support
  • Role-Based Access Control (RBAC): Granular permission management
  • Session Management: Secure tokens with automatic expiration
  • Password Policy: Strong password requirements and hashing (bcrypt)

5.3 API Security

  • API authentication via API keys and OAuth
  • Rate limiting and throttling
  • Input validation and sanitization
  • API versioning and deprecation policies
  • Comprehensive audit logging

6. Access Controls

6.1 Principle of Least Privilege

All access is granted based on the minimum necessary permissions:

  • Just-in-time access provisioning
  • Regular access reviews and revocation
  • Automated deprovisioning on employee departure
  • Privileged access management (PAM) for administrative access

6.2 Internal Access

  • Background checks for all employees
  • Confidentiality agreements and security training
  • VPN required for remote access
  • Full audit trail of administrative actions
  • No standing production access for engineers

7. Monitoring and Incident Response

7.1 Security Monitoring

  • 24/7 Monitoring: Continuous security event monitoring
  • SIEM: Security Information and Event Management system
  • Log Aggregation: Centralized logging with retention policies
  • Anomaly Detection: ML-based threat detection
  • Alerting: Real-time security alerts and escalation

7.2 Incident Response

Our incident response program includes:

  • Dedicated security incident response team (SIRT)
  • Documented incident response procedures
  • Regular tabletop exercises and drills
  • 24-hour breach notification commitment
  • Post-incident reviews and improvements
  • Collaboration with law enforcement when necessary

8. Business Continuity and Disaster Recovery

8.1 High Availability

  • Uptime SLA: 99.9% platform availability
  • Redundancy: Multi-zone and multi-region deployment
  • Load Balancing: Automatic failover and traffic distribution
  • Auto-Scaling: Dynamic resource allocation

8.2 Backup and Recovery

  • Automated daily backups with encryption
  • Geographically distributed backup storage
  • Regular backup restoration testing
  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 24 hours

8.3 Business Continuity Planning

  • Comprehensive business continuity plan (BCP)
  • Regular testing and updates
  • Communication protocols for major incidents
  • Alternative operating procedures

9. Compliance and Certifications

9.1 Current Certifications

  • ISO 27001: Information Security Management (in progress)
  • SOC 2 Type II: Service Organization Controls (in progress)
  • GDPR: General Data Protection Regulation compliant
  • PDPL: Saudi Personal Data Protection Law compliant

9.2 Regular Assessments

  • Annual third-party security audits
  • Quarterly vulnerability assessments
  • Penetration testing by certified ethical hackers
  • Compliance reviews and gap analysis

10. Vendor and Supply Chain Security

We carefully vet all vendors and suppliers:

  • Security questionnaires and risk assessments
  • Contractual security requirements
  • Regular vendor security reviews
  • Sub-processor due diligence
  • Secure software supply chain practices

11. Security Training and Awareness

  • Mandatory security training for all employees
  • Regular phishing simulation exercises
  • Security champions program
  • Secure development training for engineers
  • Annual security awareness refresher courses

12. Physical Security

For our office locations:

  • Controlled access with badge systems
  • Video surveillance (office premises only)
  • Visitor management and escort policies
  • Clean desk and screen lock policies
  • Secure disposal of sensitive materials

Data center physical security is managed by our cloud providers (AWS) with SOC 2 certification.

13. Vulnerability Management

  • Patch Management: Regular security patches and updates
  • Vulnerability Scanning: Weekly automated scans
  • Bug Bounty Program: Responsible disclosure program (planned)
  • CVE Monitoring: Tracking of relevant security vulnerabilities
  • Remediation SLAs: Critical vulnerabilities patched within 48 hours

14. Customer Security Responsibilities

Security is a shared responsibility. Customers should:

  • Enable and enforce MFA for all users
  • Follow strong password policies
  • Regularly review user access and permissions
  • Report security concerns promptly
  • Keep contact information up to date
  • Educate users on security best practices

15. Transparency and Reporting

We believe in transparency:

  • Public security documentation
  • Regular security updates to customers
  • Annual security and compliance reports
  • Status page for service availability
  • Clear incident communication

16. Contact Security Team

For security inquiries, concerns, or to report a vulnerability:

  • Security Team: security@optivra.io
  • General Contact: info@optivra.io
  • Data Protection: dpo@optivra.io

We take all security reports seriously and commit to responding within 24 hours.

Questions?

If you have any questions about this document, please contact us at info@optivra.io