
Security

Our commitment to protecting your data and infrastructure

At JIATech Global Limited, security is not an afterthought—it is embedded into every layer of our operations, development processes, and delivery practices. We build systems that handle sensitive data, power critical business operations, and serve millions of end users. This page outlines our security posture, practices, and commitments.

1. Security Philosophy

Our approach to security is guided by three core principles:

  • Defense in depth: Multiple layers of security controls so that no single point of failure can compromise the system
  • Least privilege: Users and systems are granted only the minimum access necessary to perform their functions
  • Continuous improvement: Regular review, testing, and enhancement of security practices to stay ahead of evolving threats

2. Compliance & Standards

JIATech Global Limited aligns its security practices with internationally recognized standards and frameworks:

  • PCI-DSS: Payment Card Industry Data Security Standard compliance for all systems handling payment data
  • GDPR: General Data Protection Regulation compliance for processing personal data of EU residents
  • NDPR: Nigeria Data Protection Regulation compliance for all data processing activities within Nigeria
  • SOC 2: Service Organization Control criteria for security, availability, and confidentiality
  • OWASP: Development practices aligned with the OWASP Top 10 and the Application Security Verification Standard (ASVS)
  • ISO 27001: Information security management system framework guiding our organizational security controls

3. Infrastructure Security

3.1 Cloud & Hosting

  • Production systems are hosted on enterprise-grade cloud platforms (AWS, Microsoft Azure) with SOC 2 and ISO 27001 certifications
  • Infrastructure is provisioned using Infrastructure as Code (IaC) for consistency and auditability
  • Network segmentation isolates production, staging, and development environments
  • Web Application Firewalls (WAF) and DDoS protection are deployed on all public-facing endpoints

3.2 Data Encryption

  • In transit: All data transmitted over networks is encrypted using TLS 1.2 or higher
  • At rest: All stored data is encrypted using AES-256 encryption
  • Key management: Encryption keys are managed through cloud-native key management services (AWS KMS / Azure Key Vault) with automatic rotation

3.3 Availability & Redundancy

  • Multi-availability-zone deployments for production workloads
  • Automated failover and disaster recovery with Recovery Point Objectives (RPO) defined per client SLA
  • Regular backup testing and restoration drills
  • 99.9%+ uptime SLA for production systems

4. Application Security

4.1 Secure Development Lifecycle (SDL)

Security is integrated at every phase of our software development process:

  • Design: Threat modeling and security architecture review for all new features and systems
  • Development: Secure coding guidelines enforced through automated linting, code analysis, and peer review
  • Testing: Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) integrated into CI/CD pipelines
  • Deployment: Container image scanning, dependency vulnerability checks, and infrastructure validation before every release
  • Monitoring: Runtime application self-protection (RASP) and real-time anomaly detection in production

4.2 Code Security

  • All code changes require peer review and approval before merging
  • Automated dependency scanning (e.g., Snyk, Dependabot) with alerts for known vulnerabilities
  • Secrets management through dedicated vaults—no hardcoded credentials, tokens, or keys in source code
  • Regular third-party code audits for high-risk projects

4.3 API Security

  • OAuth 2.0 / OpenID Connect for authentication and authorization
  • Rate limiting and throttling on all API endpoints
  • Input validation and output encoding to prevent injection attacks
  • API versioning and deprecation policies for backward-compatible changes

5. Access Control

  • Identity management: Centralized identity and access management (IAM) with single sign-on (SSO)
  • Multi-factor authentication (MFA): Required for all employees and contractors accessing production systems, code repositories, and client environments
  • Role-based access control (RBAC): Granular permissions based on job function and project assignment
  • Access reviews: Quarterly reviews of access rights with prompt revocation upon role change or offboarding
  • Privileged access: Just-in-time (JIT) access for administrative operations with full audit logging

6. Data Protection

6.1 Client Data Handling

  • Client data is logically separated and never co-mingled between clients
  • Production data is never used in development or testing environments—synthetic or anonymized data is used instead
  • Data classification policies ensure appropriate handling based on sensitivity level
  • Data retention and deletion policies aligned with contractual and regulatory requirements

6.2 Personal Data

  • Personal data processing activities are documented in our Records of Processing Activities (ROPA)
  • Data Protection Impact Assessments (DPIA) are conducted for high-risk processing operations
  • Data subject access requests (DSARs) are handled within 30 days

7. Monitoring & Incident Response

7.1 Continuous Monitoring

  • 24/7 infrastructure and application monitoring with automated alerting
  • Centralized log aggregation and Security Information and Event Management (SIEM)
  • Real-time intrusion detection and prevention systems (IDS/IPS)
  • Regular review of security logs and anomaly reports

7.2 Incident Response Plan

Our incident response process follows a structured approach:

  1. Detection: Automated monitoring alerts or manual reports submitted to our security team
  2. Triage: Severity classification (Critical, High, Medium, Low) and initial assessment within 1 hour
  3. Containment: Immediate actions to limit the scope and impact of the incident
  4. Eradication: Root cause identification and removal of the threat
  5. Recovery: Restoration of affected systems with verification of integrity
  6. Post-mortem: Detailed analysis, lessons learned, and preventive measures documented and shared

7.3 Notification

In the event of a confirmed security incident affecting client data, we will:

  • Notify affected clients within 72 hours of confirmation
  • Provide detailed information about the nature, scope, and impact of the incident
  • Share remediation steps taken and recommendations for client-side actions
  • Report to relevant regulatory authorities as required by law

8. Vulnerability Management

  • Penetration testing: Annual third-party penetration tests on production systems, with additional testing for major releases
  • Vulnerability scanning: Weekly automated scans of infrastructure and applications
  • Patch management: Critical security patches applied within 24 hours; high-severity patches within 72 hours
  • Bug bounty consideration: We welcome responsible disclosure of security vulnerabilities (see Section 11)

9. Employee & Contractor Security

  • Background checks: All employees and contractors undergo background verification before accessing client systems
  • Security training: Mandatory security awareness training upon onboarding and annually thereafter
  • Phishing simulations: Regular simulated phishing exercises to maintain vigilance
  • NDAs: All team members sign non-disclosure agreements covering client and company data
  • Endpoint security: Company-managed devices with endpoint detection and response (EDR), disk encryption, and automatic updates
  • Offboarding: Immediate access revocation upon termination, with exit procedures including device return and data verification

10. Physical Security

  • Office premises secured with access control systems
  • Visitor management protocols and escort requirements
  • Clean desk policy for all workstations
  • Secure disposal of physical media containing sensitive information

11. Responsible Disclosure

We value the security research community and encourage responsible disclosure of vulnerabilities. If you discover a security issue related to our systems:

  • Email details to security@jiatech.global
  • Include a clear description of the vulnerability and steps to reproduce
  • Allow reasonable time for us to investigate and remediate before public disclosure
  • Do not access, modify, or delete data belonging to others during your research

We commit to acknowledging receipt within 48 hours and providing status updates throughout the remediation process. We will not pursue legal action against researchers who act in good faith.

12. Business Continuity

  • Documented Business Continuity Plan (BCP) reviewed and updated annually
  • Disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
  • Geographically distributed backups across multiple cloud regions
  • Regular tabletop exercises and recovery drills

13. Contact Our Security Team

For security-related questions, concerns, or to report a vulnerability:

JIATech Global Limited — Security Team

RC: 9550408

Email: security@jiatech.global

Phone: +234 813 168 4800

PGP Key: Available upon request for encrypted communication

© 2026 JIATech Global Limited. Built with precision in Nigeria, delivered worldwide.