Security at Fleek

How we protect your data and our infrastructure.

Last updated: May 2026

Security is built into every layer of Fleek ERP, from the infrastructure we host on to the way operators authenticate on the shop floor. This page describes our current security practices for the website and the Fleek ERP platform. For data privacy specifics, see our Privacy Policy and GDPR page.

1. Infrastructure and Hosting

The Fleek ERP platform and all associated data are hosted on Amazon Web Services (AWS), in the ap-south-1 (Mumbai, India) region. AWS operates under rigorous compliance programmes including ISO 27001, SOC 1/2/3 and PCI DSS, and supports customers' GDPR obligations through its data processing terms. Hosting in the Mumbai region keeps customer data resident in India and within the scope of Indian data protection law.

  • Isolated Virtual Private Cloud (VPC) with private subnets for application and database tiers.
  • Web Application Firewall (WAF) to filter malicious traffic.
  • DDoS protection via AWS Shield Standard (network and transport layer); application-layer floods are handled by the WAF and rate limiting described below.
  • Automated daily backups with a 30-day retention period.
  • Disaster recovery procedures tested quarterly.

2. Data Encryption

We encrypt all data, in transit and at rest, using industry-standard algorithms:

  • In transit, all communications between your browser and our servers are encrypted using TLS 1.2 or higher. HTTP is redirected to HTTPS. HSTS (HTTP Strict Transport Security) is enforced.
  • At rest, all database storage and file system volumes are encrypted using AES-256 via AWS KMS (Key Management Service).
  • Passwords, never stored in plaintext. User passwords are hashed with bcrypt at a minimum work factor (cost) of 12.
  • API tokens and secrets, stored in AWS Secrets Manager with automatic rotation and strict access policies.

3. Access Controls

Access to customer data and production systems is tightly controlled:

  • Principle of least privilege, each team member and system has access only to the data and resources required for their specific function.
  • Multi-factor authentication (MFA), required for all internal systems, cloud console access, and administrative interfaces.
  • Role-based access control (RBAC), within the Fleek ERP platform, every user has a defined role (admin, manager, supervisor, operator, QC) that controls what they can see and do.
  • No standing access, production system access requires explicit just-in-time authorisation and is logged.
  • Access reviews, access rights for all employees are reviewed quarterly and revoked immediately upon offboarding.

4. Application Security

We follow secure software development lifecycle (SSDLC) practices:

  • Code is reviewed by a second engineer before merging into production.
  • Automated dependency scanning (via npm audit and GitHub Dependabot) flags known vulnerabilities in third-party packages.
  • Static application security testing (SAST) runs on every build.
  • We follow OWASP Top 10 guidelines for web application security.
  • SQL injection, XSS, and CSRF protections are built into our framework and enforced at the API layer.
  • Rate limiting is applied to all public-facing endpoints, including the contact form API.
  • All API inputs are validated and sanitised server-side, independent of client-side validation.
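The following is an added illustration of the last two points above (rate limiting on a public endpoint and server-side validation that does not trust the client). It is example code written for this page, not Fleek's own contact-form implementation; the limits, field rules and the `handle_contact` function are hypothetical, and the traffic it processes is constructed inline.

```python
import re
from collections import defaultdict, deque

# Hypothetical policy values for the example; not Fleek's real limits.
WINDOW_SECONDS = 60
MAX_REQUESTS_PER_WINDOW = 5
MAX_MESSAGE_LEN = 2000
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class SlidingWindowLimiter:
    """Per-key sliding window: at most `limit` requests in any `window` seconds."""

    def __init__(self, limit: int, window: float) -> None:
        self.limit = limit
        self.window = window
        self._events = defaultdict(deque)  # key -> timestamps of admitted requests

    def allow(self, key: str, now: float) -> bool:
        q = self._events[key]
        # Discard timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False
        q.append(now)
        return True


def validate_contact(payload: dict) -> list:
    """Server-side validation, applied regardless of what the browser already checked."""
    errors = []
    name = payload.get("name")
    email = payload.get("email")
    message = payload.get("message")
    if not isinstance(name, str) or not 1 <= len(name.strip()) <= 100:
        errors.append("name must be 1-100 characters")
    if not isinstance(email, str) or len(email) > 254 or not EMAIL_RE.match(email):
        errors.append("email is not valid")
    if not isinstance(message, str) or not 1 <= len(message.strip()) <= MAX_MESSAGE_LEN:
        errors.append("message must be 1-%d characters" % MAX_MESSAGE_LEN)
    return errors


def handle_contact(limiter: SlidingWindowLimiter, client_ip: str, payload: dict, now: float):
    """Hypothetical handler: returns (status_code, body).

    The limiter runs first, so malformed requests still consume quota and a
    client cannot probe the validator without being throttled."""
    if not limiter.allow(client_ip, now):
        return 429, {"error": "too many requests"}
    errors = validate_contact(payload)
    if errors:
        return 400, {"errors": errors}
    return 202, {"status": "accepted"}


def simulate() -> list:
    """Constructed traffic: one client sends six requests within a minute, then one more later."""
    limiter = SlidingWindowLimiter(MAX_REQUESTS_PER_WINDOW, WINDOW_SECONDS)
    good = {"name": "A. Tester", "email": "tester@example.com", "message": "Hello"}
    bad = {"name": "", "email": "not-an-email", "message": "x" * 3000}
    t0 = 1_700_000_000.0
    statuses = []
    for i in range(6):
        status, _ = handle_contact(limiter, "203.0.113.7", good if i % 2 == 0 else bad, t0 + i * 5)
        statuses.append(status)
    # Once the window has passed, the same client is admitted again.
    status, _ = handle_contact(limiter, "203.0.113.7", good, t0 + WINDOW_SECONDS + 1)
    statuses.append(status)
    return statuses


if __name__ == "__main__":
    print(simulate())
```

Keying the limiter on client IP is the simplest choice and the one shown here; behind a load balancer the key must come from the trusted forwarded-for header, not the socket address, or every request will share one bucket.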

5. Monitoring and Incident Response

We maintain continuous visibility into our systems:

  • Centralised log management with alerting on anomalous patterns (failed authentications, unusual data access, infrastructure events).
  • Uptime monitoring with automated alerting and on-call escalation paths.
  • A documented Incident Response Plan with defined roles, escalation procedures, and communication protocols.
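As an added example of the first point above (alerting on anomalous authentication patterns), the detector below runs three rules over time-sorted authentication events: a burst of failures from one source, a success from a source that has just produced such a burst, and one source failing against many distinct accounts (password spraying). It is illustrative code written for this page, not Fleek's monitoring stack; the log line format and the sample lines are constructed, and the thresholds are hypothetical.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Constructed sample lines in a hypothetical format; not Fleek's real log schema.
SAMPLE_LOG = """\
2026-05-04T10:00:01Z auth result=fail user=priya src=198.51.100.9
2026-05-04T10:00:09Z auth result=fail user=priya src=198.51.100.9
2026-05-04T10:00:20Z auth result=fail user=priya src=198.51.100.9
2026-05-04T10:00:31Z auth result=fail user=priya src=198.51.100.9
2026-05-04T10:00:44Z auth result=fail user=priya src=198.51.100.9
2026-05-04T10:01:02Z auth result=ok user=priya src=198.51.100.9
2026-05-04T10:02:00Z auth result=fail user=ravi src=203.0.113.5
2026-05-04T10:40:00Z auth result=fail user=ravi src=203.0.113.5
2026-05-04T10:05:00Z auth result=fail user=arun src=192.0.2.44
2026-05-04T10:05:03Z auth result=fail user=bala src=192.0.2.44
2026-05-04T10:05:06Z auth result=fail user=chitra src=192.0.2.44
2026-05-04T10:05:09Z auth result=fail user=deepa src=192.0.2.44
2026-05-04T10:05:12Z auth result=fail user=esha src=192.0.2.44
2026-05-04T10:05:15Z auth result=fail user=farah src=192.0.2.44
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth result=(?P<result>\w+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse(text: str) -> list:
    """Parse lines into (ts, result, user, src) tuples, sorted by time.

    Lines that do not match are skipped: a detector must not crash on one
    malformed record, but such lines should be counted elsewhere."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect(events, window=timedelta(minutes=10), fail_threshold=5, spray_users=5) -> list:
    """Return (rule, src, detail) alerts. Each rule fires at most once per source."""
    alerts = []
    recent = defaultdict(deque)  # src -> failures (ts, user) still inside the window
    fired = set()                # (rule, src) already raised, to avoid alert storms
    for ts, result, user, src in events:
        q = recent[src]
        while q and ts - q[0][0] > window:
            q.popleft()
        if result == "fail":
            q.append((ts, user))
            distinct = len({u for _, u in q})
            if len(q) >= fail_threshold and ("brute_force", src) not in fired:
                fired.add(("brute_force", src))
                alerts.append(("brute_force", src, "%d failures within %s" % (len(q), window)))
            if distinct >= spray_users and ("password_spray", src) not in fired:
                fired.add(("password_spray", src))
                alerts.append(("password_spray", src, "%d distinct users targeted" % distinct))
        elif result == "ok" and len(q) >= fail_threshold and ("success_after_failures", src) not in fired:
            # Highest priority: a success right after a burst of failures looks like a guessed password.
            fired.add(("success_after_failures", src))
            alerts.append(("success_after_failures", src, "login as %s after %d failures" % (user, len(q))))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse(SAMPLE_LOG)):
        print(alert)
```

The sample deliberately includes two failures from 203.0.113.5 that are 38 minutes apart; they never share a window, so no alert fires for that source. In a real pipeline the same logic would be fed by the log platform's streaming query rather than a string.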

In the event of a confirmed security breach affecting personal data:

  • India (DPDPA 2023), we will notify the Data Protection Board within the required timeframe and inform affected individuals as required by law.
  • EU (GDPR), we will notify the relevant supervisory authority within 72 hours of becoming aware of a breach and will communicate to affected data subjects without undue delay where the breach is likely to result in high risk.

6. Employee Security

Our team members are the first line of defence:

  • All employees and contractors undergo security awareness training at onboarding and annually thereafter.
  • All personnel with access to customer data sign confidentiality and non-disclosure agreements.
  • Background verification is conducted for roles with access to sensitive systems.
  • Phishing simulation exercises are conducted periodically.
  • Security policies are reviewed and acknowledged annually by all staff.

7. Third-Party Vendor Security

We apply due diligence to all third-party vendors who process data on our behalf:

  • Vendors are assessed for security posture before onboarding.
  • Data Processing Agreements (DPAs) are in place with all vendors who process personal data.
  • Vendor security is reviewed periodically as part of our vendor management programme.

Key sub-processors currently in use: AWS (infrastructure and website hosting), Resend (transactional email). Full sub-processor list available on request.

8. Compliance Posture

We design and operate our platform to align with:

  • India DPDPA 2023, Digital Personal Data Protection Act, 2023.
  • GDPR, EU General Data Protection Regulation, where applicable to EU data subjects.
  • ISO 27001, Information Security Management System standard (implementation in progress).
  • OWASP Top 10, Web application security best practices.
  • AWS Well-Architected Framework, Cloud security best practices.

9. Vulnerability Disclosure

We take security vulnerabilities seriously and appreciate responsible disclosure from the security community. If you discover a potential security vulnerability in our website or platform:

  • Email us at info@fleekerp.com with the subject line “Security Vulnerability Report”.
  • Include a clear description of the issue, steps to reproduce, and potential impact.
  • Do not exploit the vulnerability, access other users' data, or disrupt services.
  • Allow us reasonable time (we target 90 days) to investigate and remediate before public disclosure.

We commit to acknowledging valid reports within 5 business days, providing regular updates on our investigation, and notifying you when the issue is resolved. We do not currently operate a formal bug bounty programme, but we recognise contributors in our security acknowledgements where they consent.

10. Physical Security

Fleek ERP is a cloud-native platform with no on-premise infrastructure. Our team works in office environments with standard physical security measures (visitor management, secured access). All critical infrastructure is managed by AWS, whose data centres operate under ISO 27001-certified physical security controls.

11. Contact Us

For security enquiries, vulnerability reports, or questions about our security practices:

OnFleek Media and Technologies Pvt Ltd

Chennai, Tamil Nadu, India

Email: info@fleekerp.com

Phone: +91 99411 11019

For security issues, please mark your email subject as Security Vulnerability Report or Security Enquiry so we can route it to the right team promptly.
