Data Protection and Encryption Policy

Introduction

At Nineteen58, data security is a cornerstone of our commitment to operational integrity, regulatory compliance, and customer trust. Protecting sensitive information against unauthorised access, breaches, and corruption is essential to maintaining a secure and resilient digital ecosystem. This Data Protection and Encryption Policy establishes the safeguards necessary to ensure data confidentiality, integrity, and availability. By implementing robust encryption protocols, access controls, and security best practices, we mitigate risks, strengthen operational security, and uphold industry standards.

Scope and Objectives

This policy applies to all data managed, stored, and processed within Nineteen58's digital infrastructure, encompassing public, internal, confidential, and highly sensitive information. It defines the principles for encryption, access control, and data classification while ensuring compliance with GDPR, POPIA, and SOC 2. The primary objectives of this policy include preventing unauthorised access, enforcing best practices for secure data handling, ensuring encryption of data at rest and in transit, and providing clear guidance on disaster recovery and incident response.

Data Classification and Sensitivity

Proper classification of data is fundamental to determining the level of security controls required. Public data, such as website content and marketing materials, is openly accessible, while internal data is limited to employees but does not require additional safeguards. Confidential data includes proprietary business information, internal reports, and client-related details, necessitating restricted access. Highly sensitive data, such as personal identifiers, authentication credentials, financial transactions, and encryption keys, demands the strictest security measures. To maintain data security, all information is classified upon creation and periodically reassessed based on evolving risks and regulatory requirements.

Encryption Standards and Secure Storage

Encryption serves as a fundamental safeguard for data security, ensuring that even in the event of a security breach, information remains protected. Data at rest is encrypted using AES-256, a robust industry-standard encryption algorithm, to prevent unauthorised access. All databases, backups, and file storage systems adhere to secure encryption policies. Data in transit is equally protected, with TLS 1.2 or higher enforced for all network communications, ensuring that information exchanged between systems remains secure. APIs require HTTPS, OAuth 2.0 authentication, and JWT security measures to safeguard communication. End-to-end encryption is implemented where necessary, ensuring sensitive information remains protected from interception.

Key management is critical in maintaining data security. Encryption keys are stored in a managed secrets vault, rotated regularly to prevent long-term exposure, and accessible only to authorised personnel. Strict access control measures ensure that encryption keys remain secure and uncompromised.

Access Controls and Role-Based Security

Restricting access to data is essential in maintaining security and reducing risks associated with unauthorised exposure. The principle of least privilege governs access to sensitive data, ensuring that users receive only the permissions necessary for their role. Role-Based Access Control (RBAC) enforces structured access permissions, preventing overexposure of confidential information. Multi-Factor Authentication (MFA) is required for privileged accounts to add an additional layer of security.

To prevent unauthorised data access across different user groups, Row-Level Security (RLS) is implemented within databases, ensuring that users can only access the data relevant to their organisation. API access is strictly managed, with public APIs secured using API keys, while internal APIs rely on JWT and OAuth authentication to ensure only verified entities can access system resources. All authentication events, including login attempts and API access, are logged and monitored for anomalies, providing a transparent record of system activity.

Third-Party Data Processing and Compliance

Handling data securely extends beyond internal processes to third-party providers that interact with Nineteen58's systems. Vendors handling sensitive data must adhere to Nineteen58's security policies and demonstrate compliance with regulatory standards. Personally identifiable information is anonymised or tokenised where applicable to enhance privacy protection. All access and data modifications are logged, ensuring transparency and accountability. Data is retained only as long as necessary for business or compliance purposes, with automated deletion policies in place to minimise unnecessary exposure.

Third-party integrations, including payment processors, messaging services, and automation tools, must implement strict encryption and access control measures. Secure data handling requirements ensure that no unencrypted sensitive information is stored externally, and third parties are granted the least privilege necessary to perform required functions.

Backup, Disaster Recovery, and Incident Response

A robust backup and disaster recovery strategy ensures business continuity in the event of system failures, cyberattacks, or data corruption. All backups are encrypted using AES-256 and stored in geographically redundant locations to prevent data loss. Regular integrity checks validate backup data, ensuring that it remains recoverable when needed. A structured disaster recovery plan defines recovery timelines, assigns responsibilities to incident response teams, and undergoes regular testing to ensure effectiveness.

Security incident monitoring is a proactive measure to detect potential threats. Automated alerts notify security teams of suspicious activity, allowing immediate response to mitigate risks. Forensic analysis of security incidents helps identify root causes and strengthens the organisation's defences against future attacks. In the event of a security breach, a structured response plan ensures that containment measures are swiftly enacted, investigations determine the breach's scope, and affected parties are notified in compliance with regulatory obligations. Post-incident analysis leads to continuous improvements in security measures.

Conclusion

Data security is a continuous process that requires vigilance, adaptation, and adherence to best practices. Nineteen58 enforces comprehensive encryption standards, access controls, and compliance measures to safeguard sensitive data and maintain regulatory alignment. Ongoing security training and policy updates ensure that all personnel contribute to maintaining a secure information environment. As cyber threats evolve, our security framework will continue to strengthen, ensuring the protection of our digital assets and reinforcing the trust placed in us by our users and partners.