Vemdrusk

Security Policy

Last updated: March 16, 2025

Vemdrusk is committed to protecting the security of information processed through its platform. This Security Policy describes the technical and organizational measures we apply to safeguard data, maintain system integrity, and respond to security incidents. By using our services, you acknowledge that you have read and understood this policy.

1. Scope

This policy applies to all systems, infrastructure, applications, and data assets operated by Vemdrusk in connection with the delivery of its AI financial market analysis services. It covers internal operations, third-party integrations, and all users who access the platform, including clients, personnel, and authorized representatives.

2. Information Security Principles

Our security program is built on the following core principles:

3. Infrastructure Security

3.1 Hosting and Network

Our platform is hosted on enterprise-grade infrastructure with physical and logical access controls. Network segmentation is implemented to isolate critical systems. Firewalls, intrusion detection systems, and traffic filtering are in place at all network boundaries. All production environments are separated from development and staging environments.

3.2 Data Centers

We use data center facilities that maintain internationally recognized standards for physical security, including controlled entry, surveillance systems, and environmental protections such as fire suppression and climate management. Physical access to servers is restricted to authorized personnel only.

3.3 Redundancy and Availability

Critical infrastructure components operate with redundancy configurations. Automated failover mechanisms are in place to minimize service disruption. Regular load testing and capacity planning are conducted to ensure system performance under varying demand.

4. Data Encryption

4.1 Data in Transit

All data transmitted between users and our platform is encrypted using industry-standard Transport Layer Security (TLS 1.2 or higher). Unencrypted connections are not accepted by our services. Certificate validity is actively monitored and renewed ahead of expiry.

4.2 Data at Rest

Stored data is encrypted using strong encryption algorithms. Encryption keys are managed through dedicated key management systems and are rotated on a defined schedule. Backup copies of data are encrypted using the same standards as production data.

5. Access Control

5.1 Authentication

Access to the platform requires authenticated credentials. We enforce strong password policies including minimum length, complexity requirements, and prohibition of reuse of recent passwords. Multi-factor authentication is supported and recommended for all user accounts.

5.2 Privileged Access

Administrative and privileged access to internal systems is granted on a least-privilege basis. Privileged sessions are logged and subject to enhanced monitoring. Access credentials for critical systems are not shared and are reviewed on a regular schedule.

5.3 Access Reviews

User access rights are reviewed periodically. Access is revoked promptly upon role change, contract termination, or when no longer required. Inactive accounts are subject to automatic deactivation after a defined period of inactivity.

6. Application Security

6.1 Secure Development

Security is integrated throughout our software development lifecycle. Developers follow secure coding guidelines and undergo training relevant to application security. Code changes are subject to peer review before deployment to production systems.

6.2 Vulnerability Management

We conduct regular vulnerability assessments of our applications and infrastructure. Critical and high-severity vulnerabilities are remediated on a prioritized basis according to defined timelines. Patch management processes ensure that software dependencies and operating system components are kept up to date.

6.3 Penetration Testing

Periodic penetration testing is performed on our platform by qualified security practitioners. Findings are tracked to resolution. Results are used to improve controls and update our security posture continuously.

6.4 Dependency and Supply Chain Security

Third-party libraries and software components used within our platform are inventoried and monitored for known vulnerabilities. We evaluate the security practices of software vendors and service providers before integration.

7. Endpoint and Personnel Security

7.1 Endpoint Controls

Devices used to access internal systems are subject to endpoint security requirements including full-disk encryption, up-to-date antivirus and endpoint detection software, and screen lock policies. Remote access is conducted exclusively over encrypted and authenticated channels.

7.2 Security Awareness

All personnel with access to systems or data undergo security awareness training at onboarding and on a recurring basis. Training covers topics including phishing recognition, password hygiene, social engineering, and incident reporting procedures.

7.3 Background Screening

Personnel with access to sensitive systems or data are subject to appropriate pre-employment screening in accordance with applicable requirements and the nature of their role.

8. Third-Party and Vendor Security

We assess the security practices of third-party vendors and service providers before engaging their services. Data processing agreements are established with vendors who process personal or sensitive data on our behalf. Vendor security performance is subject to ongoing review. We do not permit third parties to use client data for purposes beyond those necessary to deliver contracted services.

9. Incident Detection and Response

9.1 Monitoring and Detection

Security event logging is enabled across platform components. Logs are centrally collected, retained, and monitored for anomalous activity. Alerting mechanisms are configured to notify responsible teams of events that may indicate a security incident.

9.2 Incident Response

We maintain a documented incident response plan that defines roles, escalation procedures, and communication protocols. In the event of a confirmed security incident, the response team will contain and remediate the issue, assess the scope of impact, and take corrective action to prevent recurrence.

9.3 Notification

Where a security incident results in unauthorized access to or disclosure of client data, we will notify affected clients in a timely manner consistent with our obligations. Notifications will include the nature of the incident, data categories potentially affected, and the steps being taken in response.

10. Backup and Recovery

Data backups are performed on a regular automated schedule. Backups are stored in encrypted form and in geographically separated locations where applicable. Recovery procedures are tested periodically to verify that backups can be restored within acceptable timeframes. Backup access is restricted and audited.

11. Business Continuity

Business continuity and disaster recovery plans are maintained to address scenarios involving service disruption, data loss, or infrastructure failure. Plans are reviewed and tested regularly. Recovery time and recovery point objectives are defined and aligned with service commitments.

12. Logging and Audit Trails

System and application logs are maintained for a defined retention period. Logs capture authentication events, administrative actions, data access events, and error conditions. Log integrity is protected against unauthorized modification. Logs may be used for forensic investigation, compliance verification, and operational monitoring.

13. Data Minimization and Retention

We collect and retain only the data necessary for the delivery and operation of our services. Data that is no longer required is disposed of securely using methods appropriate to the sensitivity of the data and the medium on which it is stored. Retention schedules are reviewed and enforced as part of data governance procedures.

14. User Responsibilities

Users of the platform share responsibility for maintaining security. You are required to:

Vemdrusk is not liable for security incidents arising from a user's failure to comply with these responsibilities.

15. Responsible Disclosure

We welcome responsible reporting of potential security vulnerabilities in our platform. If you believe you have identified a security issue, please contact us at help@analysis-vemdrusk.com with a description of the potential vulnerability and steps to reproduce it. We request that you do not disclose the issue publicly until we have had reasonable opportunity to investigate and address it. We will acknowledge receipt of your report and communicate our findings with you in a timely manner.

16. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our practices, technology, or applicable requirements. The date of the most recent revision is indicated at the top of this document. We encourage you to review this policy periodically. Continued use of our services following any update constitutes acceptance of the revised policy.

17. Contact

If you have questions or concerns regarding this Security Policy or the security of your data, please contact us using the details below:

Channel Details
Email help@analysis-vemdrusk.com
Phone +65 6278 6364
Address 107 Lor 1 Toa Payoh, Singapore 310107
Website www.analysis-vemdrusk.com