Security & Compliance

Effective date: 4 November 2024

Last update: 4 November 2024

Operator: VIPTESS – VOGO S.R.L. — Contact: security@vogo.me

1. Principles and responsibilities

VOGO follows security-by-design, least privilege and defense-in-depth principles. Access is granted strictly on a need-to-know basis and reviewed regularly.

2. Data protection and privacy

  • All data is classified by sensitivity level (Public, Internal, Confidential, Sensitive).
  • Access to confidential data is logged and periodically reviewed.
  • Data transfers follow GDPR with SCCs where applicable.

3. Encryption

  • TLS 1.2+ for data in transit.
  • AES-256 for data at rest.
  • Key management via KMS/HSM with regular rotation.

4. Access control

  • MFA required for privileged accounts.
  • RBAC by environment; quarterly access reviews.
  • Secrets managed securely with minimal scope and expiry.

5. Infrastructure

  • Network segmentation and VPN/bastion access.
  • WAF and rate-limiting on all public endpoints.
  • Container hardening (non-root, read-only FS).

6. Secure SDLC

  • Code review mandatory; SAST and dependency scans in CI.
  • DAST on staging before production release.
  • Secret scanning to prevent credential leaks.

7. Vulnerability management

Critical CVEs addressed immediately; monthly patch cycles for others. Automated scanners run regularly on infrastructure and images.

8. Monitoring and logs

  • Centralized logging for app, infra and admin access.
  • Retention: application logs 30–90 days, audit logs 6–12 months.
  • Alerts on failed logins, privilege changes, error spikes.

9. Backup & Disaster Recovery

Daily automated backups encrypted and replicated across zones; restoration tests run quarterly. RPO/RTO defined per product.

10. Incident response

  • Detection, containment, eradication, recovery, review.
  • Dedicated on-call channel and escalation path.
  • Customer notification in accordance with legal timelines.

11. Compliance & certifications

We align with ISO 27001 / SOC 2 controls where possible. Cloud vendors used hold equivalent certifications.

12. GDPR and DPA

VOGO acts as data controller or processor as applicable. The Data Processing Agreement applies when VOGO acts as processor.

13. Sub-processors

Provider          Service              Region
Cloud Provider    Hosting/DB           EU
Email Provider    Transactional mail   EU

14. Pen tests & audits

External penetration tests performed before major releases; reports available under NDA on request.

15. Responsible disclosure

If you identify a vulnerability, email security@vogo.me and allow time for remediation before public disclosure.

16. Client obligations

  • Use MFA and strong password policies.
  • Protect integration keys and credentials.
  • Report suspected account compromise immediately.

17. Security contact

For any questions on security or compliance, contact security@vogo.me or dpo@vogo.me.

This overview describes standard controls. Actual configurations may differ per environment or service tier.