Security Policy

Version: 1.2, Dated: 01-05-2025

1. Introduction

At BrainCave Software Private Limited, we prioritize the security of our clients’ data and our ERP platform. This Security Policy defines the strategies and controls in place to protect information processed through Lucent ERP from unauthorized access, alteration, disclosure, or destruction.

2. Policy Scope

This policy applies to:

• All infrastructure, databases, code, and servers used to run Lucent ERP (cloud or on-premise).
• All employees, partners, contractors, and vendors handling or interacting with ERP systems.
• All customers and users using Lucent ERP services and interfaces.

3. Security Principles

We operate under the following core security principles:

• Confidentiality: Ensuring that data is only accessible to authorized users.
• Integrity: Ensuring data remains accurate, consistent, and protected from unauthorized modification.
• Availability: Ensuring that authorized users have reliable access to information and systems when needed.

4. Data Security

A. Encryption

• Data at Rest: All sensitive data stored in Lucent ERP databases is encrypted using industry-standard AES-256 encryption.
• Data in Transit: Communication between client devices and our cloud servers is secured using HTTPS/TLS 1.2 or higher.

B. Access Control

• Role-Based Access Control (RBAC) is enforced at all levels.
• Admins can define granular permissions based on user roles and modules.
• Multi-Factor Authentication (MFA) is available for cloud deployments.

C. Password Management

• All passwords are hashed using secure algorithms (e.g., bcrypt).
• Passwords are never stored in plain text.
• Session timeouts and auto-logout features prevent unauthorized access on idle systems.

5. Application Security

• Lucent ERP undergoes periodic code reviews and vulnerability scanning using automated tools and manual audits.
• Protection against OWASP Top 10 vulnerabilities, including SQL Injection, Cross-Site Scripting (XSS), and CSRF.
• Input validation and sanitization mechanisms are built into all forms and APIs.
• Internal APIs require token-based authentication with usage limits.

6. Infrastructure & Hosting Security

Cloud Deployments

• Hosted on secure cloud platforms such as AWS, Azure, or DigitalOcean, which are compliant with ISO/IEC 27001, SOC 2, and GDPR standards.
• Firewalls and intrusion detection systems (IDS) are implemented.
• Servers are regularly patched and updated with the latest security fixes.

On-Premise Installations

• Clients are responsible for infrastructure security.
• Lucent ERP offers hardening guidelines and configuration checklists.
• Optional managed services available for patching, backups, and monitoring.

7. Data Backup & Disaster Recovery

• Daily automated backups with a 30-day retention policy for cloud clients.
• Backups are encrypted and stored in secure, geographically separate locations.
• Disaster Recovery Plan (DRP) ensures restoration within 24-48 hours in case of critical failures.

8. Monitoring & Logging

• Comprehensive logging of user actions, login attempts, and administrative changes.
• Real-time system monitoring to detect unusual behavior or resource overload.
• Logs are stored securely and retained as per compliance requirements.

9. Physical Security

• For cloud services, our data centers ensure:
  • 24/7 surveillance
  • Biometric access controls
  • Fire detection and suppression systems
  • Environmental safeguards (HVAC, humidity control)
• For on-premise, physical security is the responsibility of the client.

10. Employee Access & Awareness

• Employees have access only to data necessary for their roles (principle of least privilege).
• All staff are trained regularly on:
  • Secure coding practices
  • Data protection and privacy
  • Incident response protocols
• Non-disclosure agreements (NDAs) are signed by all team members and contractors.

11. Incident Response & Breach Notification

• A formal Incident Response Plan (IRP) is in place.
• Clients will be notified within 72 hours of any data breach affecting their environment.
• Logs and forensic evidence are collected during incident investigations.

12. Compliance & Certification

Lucent ERP and its hosting environment adhere to several recognized compliance frameworks:

• ISO/IEC 27001-compliant security practices
• GDPR and Indian DPDP readiness
• SOC 2 readiness (for select deployments)
• Custom compliance for healthcare, finance, and government sectors available on request

13. Client Responsibilities

While BrainCave Software ensures system-level and infrastructure-level security, clients must:

• Maintain the confidentiality of login credentials.
• Regularly review and audit user roles and access.
• Train their teams on secure ERP usage.
• For on-premise setups, implement recommended firewall, antivirus, and update policies.

14. Policy Review & Updates

This policy is reviewed annually or upon any major system update. Clients will be notified of changes that materially affect their rights or obligations.