Security Policy

Our comprehensive security standards, encryption protocols, and compliance certifications

Effective Date: 2025-01-01
Last Updated: 2025-01-15
Version: 1.0.0

Overview

Vetigen implements a comprehensive security program to protect the confidentiality, integrity, and availability of veterinary clinic data. Our security infrastructure is designed with a defense-in-depth approach and continuously updated against emerging threats.

Our security framework is aligned with industry-leading standards including ISO 27001, SOC 2 Type II, and GDPR requirements. We employ technical, administrative, and physical controls to ensure the highest level of protection for our customers' data.

Security Framework

Our security program is designed in accordance with industry-leading standards:

  • ISO 27001: Information security management system standards
  • SOC 2 Type II: Service Organization Control assurance reports
  • GDPR & KVKK: Full compliance with EU and Turkish data protection regulations
  • OWASP Top 10: Protection against web application security vulnerabilities

Data Encryption

Encryption in Transit

  • TLS 1.3 for all API and web traffic (minimum TLS 1.2)
  • Perfect Forward Secrecy (PFS) mandatory for all connections
  • HSTS (HTTP Strict Transport Security) enforced
  • Certificate pinning for critical mobile applications

Encryption at Rest

  • AES-256 encryption for all databases
  • Field-level encryption for sensitive data
  • Encrypted file storage (S3/Azure Storage)
  • Encrypted disk partitions on all servers

Key Management

  • Centralized key management with AWS KMS/Azure Key Vault
  • Automatic key rotation every 90 days
  • Hardware Security Modules (HSM) for master keys
  • Key usage audit logging and monitoring

Access Control

Vetigen implements multi-layered access control:

Authentication

  • Multi-Factor Authentication (MFA) - supported for all accounts, enforced as either mandatory or optional
  • Single Sign-On (SSO) - SAML 2.0, OAuth 2.0 support
  • Strong password policies (minimum 12 characters, complexity requirements)
  • Account lockout after 5 failed attempts
  • Session management and timeout controls

Authorization

  • Role-Based Access Control (RBAC) - granular permission system
  • Principle of least privilege - users only access what they need
  • Dynamic access controls based on context (IP, time, device)
  • Regular access reviews and permission audits

Infrastructure Security

Cloud Security

  • Tier-1 cloud providers (AWS, Azure) with SOC 2 Type II certification
  • Multi-region geographic redundancy for high availability
  • Virtual Private Cloud (VPC) isolation for customer data
  • Infrastructure as Code (IaC) for consistent security configuration

Network Security

  • Web Application Firewall (WAF) protecting against OWASP Top 10
  • DDoS protection with traffic filtering and rate limiting
  • Network segmentation isolating production, staging, and development
  • Intrusion Detection/Prevention Systems (IDS/IPS)

Application Security

  • Secure SDLC with security reviews at every stage
  • Static Application Security Testing (SAST) in CI/CD pipeline
  • Dynamic Application Security Testing (DAST) for runtime vulnerabilities
  • Dependency scanning for third-party library vulnerabilities

Data Protection & Business Continuity

We implement multiple layers of data protection to ensure business continuity:

  Protection Measure         | Implementation                              | Frequency
  Automated Backups          | Continuous replication + daily snapshots    | Real-time & Daily
  Backup Testing             | Automated restore verification              | Weekly
  Data Retention             | 90-day point-in-time recovery               | Continuous
  Disaster Recovery Drills   | Full system recovery simulation             | Quarterly

Incident Response

Vetigen maintains a 24/7 incident response capability with clearly defined procedures:

Detection & Monitoring

  • 24/7 Security Operations Center (SOC) monitoring
  • Real-time anomaly detection with AI-powered SIEM
  • Automated alerting for suspicious activities

Response Procedure

  1. Identification (< 15 minutes): Threat assessment and severity classification
  2. Containment (< 1 hour): Isolate affected systems and prevent spread
  3. Eradication (< 4 hours): Remove threat and close security gaps
  4. Recovery (< 24 hours): Restore systems and verify integrity
  5. Post-Incident Review: Document lessons learned and update procedures

Notification Protocol

  • Affected customers notified within 24 hours of confirmed breach
  • Regulatory authorities notified as required by GDPR
  • Transparent communication of impact and remediation steps

Vulnerability Management

Proactive vulnerability management is a cornerstone of our security program:

  • Continuous Scanning: Weekly automated vulnerability scans of all infrastructure and applications
  • Rapid Patching: Critical vulnerabilities patched within 24 hours, high-severity within 7 days
  • Penetration Testing: Annual third-party penetration tests and quarterly red team exercises
  • Responsible Disclosure: Security researcher program with bug bounty rewards

Employee Security

Background Checks

All employees undergo comprehensive background checks including employment history verification, reference checks, and criminal record screening before accessing production systems.

Security Training

  • Mandatory security awareness training during onboarding
  • Quarterly phishing simulation exercises
  • Annual security certification refresher courses
  • Specialized training for engineers on secure coding practices

Access Management

  • Just-in-time (JIT) access provisioning for production systems
  • Automatic access revocation upon role change or termination
  • Quarterly access reviews by managers and security team

Physical Security

Our data centers maintain the highest physical security standards:

  • ISO 27001 certified data centers with 24/7 on-site security personnel
  • Biometric access controls and multi-factor authentication for entry
  • Video surveillance with 90-day retention
  • Environmental controls (fire suppression, climate control, redundant power)

Third-Party Security

We carefully vet and monitor all third-party vendors:

  • Vendor Assessment: Security questionnaires and compliance verification before onboarding
  • Contractual Controls: Data Processing Agreements (DPA) with strict security and privacy terms
  • Continuous Monitoring: Regular reviews of vendor security posture and incident notifications
  • Vendor Audits: Annual security audits for critical third-party providers

Compliance & Certifications

Vetigen maintains compliance with international security and privacy standards:

  • ISO 27001:2013 - Information Security Management (Certified: 2024)
  • SOC 2 Type II - Service Organization Controls (Audited: Annually)
  • GDPR Compliant - EU Data Protection Regulation (Compliant: 2024)
  • KVKK Compliant - Turkish Data Protection Law (Compliant: 2024)

Audit Logging & Monitoring

Comprehensive logging enables security monitoring and forensic investigation:

  • All authentication attempts (successful and failed)
  • Data access and modifications with user attribution
  • Administrative actions and configuration changes
  • API requests and integrations
  • Security events and alerts

Logs retained for 1 year in immutable storage for compliance and forensic analysis.

Security Testing

We employ multiple testing methodologies to validate our security controls:

  • Penetration Testing: Annual third-party penetration tests by certified ethical hackers
  • Code Review: Automated SAST/DAST in CI/CD + manual security code reviews
  • Dependency Scanning: Daily scans of third-party libraries for known vulnerabilities
  • Bug Bounty: Public bug bounty program rewarding security researchers

Business Continuity & Disaster Recovery

Vetigen maintains robust business continuity and disaster recovery capabilities:

  • Recovery Time Objective (RTO): < 4 hours for critical services
  • Recovery Point Objective (RPO): < 15 minutes (near-zero data loss)
  • Geographic Redundancy: Multi-region active-active deployment with automatic failover
  • Failover Testing: Quarterly disaster recovery drills to validate recovery procedures

Reporting Security Issues

We welcome responsible disclosure of security vulnerabilities from security researchers and users. Our security team investigates all reports promptly and works with researchers to resolve issues.

Bug Bounty Program: We reward qualifying security discoveries through our bug bounty program. Contact security@vetigen.com for more information.

  • Security Email: security@vetigen.com
  • PGP Key: Available at vetigen.com/security/pgp
  • Bug Bounty: hackerone.com/vetigen

Policy Updates

This Security Policy is reviewed and updated quarterly or whenever significant changes are made to our security infrastructure or regulatory requirements.

Customers will be notified of material changes via email and dashboard notifications at least 30 days before the effective date.

Security Contact

For security-related questions, concerns, or to report a security vulnerability:

  • Chief Information Security Officer: ciso@vetigen.com
  • Security Team: security@vetigen.com
  • Data Protection Officer: dpo@vetigen.com

For any questions or concerns regarding this policy, please contact us at legal@vetigen.com.