Trust & Transparency

Security Disclosure

Last updated: April 28, 2026

Our Security Commitment

At AssureTech, security is not just what we sell — it is who we are. As a cybersecurity company serving Africa's most critical financial institutions, we hold ourselves to the same rigorous standards we demand of our clients. We believe in radical transparency, responsible disclosure, and continuous improvement of our own security posture.

This Security Disclosure outlines our commitment to maintaining the highest security standards, our responsible disclosure program for security researchers, and the measures we take to protect our systems, our clients' data, and the broader financial ecosystem we serve.

Responsible Disclosure Program

We welcome security researchers, ethical hackers, and the broader cybersecurity community to help us identify and address vulnerabilities in our systems. Our responsible disclosure program is designed to encourage responsible reporting and ensure timely remediation of any security issues.

What We Ask of Researchers

  • Provide detailed information about the vulnerability, including steps to reproduce
  • Allow us reasonable time to investigate and address the issue before any public disclosure
  • Do not access, modify, or delete data belonging to others
  • Do not exploit the vulnerability beyond what is necessary to demonstrate the issue
  • Do not engage in social engineering, phishing, or physical attacks against our personnel
  • Do not test on systems or services that are not explicitly in scope
  • Act in good faith and avoid actions that could harm our clients or users

What We Promise Researchers

  • We will acknowledge receipt of your report within 48 hours
  • We will investigate all legitimate reports and provide regular updates on our progress
  • We will not take legal action against researchers who comply with this policy
  • We will publicly acknowledge your contribution (with your permission) in our security hall of fame
  • We will work to remediate confirmed vulnerabilities within 90 days of disclosure
  • We will coordinate with you on the timing of any public disclosure

Scope of Testing

The following domains and services are explicitly in scope for our responsible disclosure program:

  • assuretech.com and all subdomains
  • assuretech.online and all subdomains
  • Our public API endpoints and documentation
  • Our client portal and dashboard applications
  • Our marketing and informational websites

The following are out of scope and should not be tested:

  • Third-party services or integrations not owned by AssureTech
  • Client systems, networks, or data
  • Physical security testing of our offices or facilities
  • Social engineering or phishing attacks against our employees
  • Denial of service (DoS) or distributed denial of service (DDoS) attacks
  • Any activity that violates applicable laws

How to Report a Vulnerability

If you believe you have discovered a security vulnerability in any of our systems, please report it to us immediately. We prefer encrypted communications for sensitive reports.

Reporting Channels

  • Primary: security@assuretech.online (for all vulnerability reports and security inquiries)
  • PGP key available: contact us for our PGP public key for encrypted communications
  • Response time: we acknowledge all reports within 48 hours and provide regular updates

Please include the following information in your report:

  • A clear description of the vulnerability and its potential impact
  • Step-by-step instructions to reproduce the issue
  • The affected systems, URLs, or endpoints
  • Proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up communications
  • Whether you have already disclosed the vulnerability to anyone else

Our Security Practices

We implement comprehensive security measures across all aspects of our operations:

Infrastructure Security

  • All data encrypted in transit (TLS 1.3) and at rest (AES-256)
  • Multi-factor authentication required for all internal systems
  • Principle of least privilege for all access controls
  • Network segmentation and zero-trust architecture
  • Regular penetration testing by independent third parties
  • 24/7 security operations center (SOC) monitoring

Application Security

  • Secure software development lifecycle (SSDLC) with security gates at every phase
  • Automated static and dynamic application security testing (SAST/DAST)
  • Dependency vulnerability scanning and automated patching
  • Code review requirements for all production changes
  • Regular security training for all engineering staff
  • Bug bounty program for external security researchers

Compliance & Certifications

  • ISO 27001:2022 certified Information Security Management System
  • SOC 2 Type II attestation for service organization controls
  • GDPR compliance for data protection and privacy
  • PCI-DSS compliance for payment card data handling
  • Regular internal and external security audits
  • Annual third-party penetration testing and vulnerability assessments

Incident Response

We maintain a comprehensive incident response plan to ensure rapid and effective handling of any security incidents:

  • 24/7 incident detection and response capabilities
  • Defined escalation procedures and communication protocols
  • Regular incident response drills and tabletop exercises
  • Post-incident analysis and continuous improvement processes
  • Client notification procedures for any incidents affecting their data
  • Coordination with law enforcement and regulatory bodies when required

Security Hall of Fame

We are grateful to the security researchers who have responsibly disclosed vulnerabilities to us. With their permission, we acknowledge their contributions here. If you have reported a vulnerability and would like to be recognized, please let us know when you submit your report.

We are currently building our Security Hall of Fame. Researchers who have responsibly disclosed vulnerabilities will be listed here with their permission.

Contact Our Security Team

For security-related inquiries, vulnerability reports, or to discuss our security practices, please reach out to our dedicated security team:

AssureTech Security Operations Center

Accra, Ghana

Email: security@assuretech.online

General Inquiries: info@assuretech.online

For non-security matters, please contact our general support team at info@assuretech.online. For urgent security incidents affecting our services, please include "URGENT" in your subject line.


© 2026 AssureTech Ltd. All rights reserved. · Accra, Ghana
