
Security Policy – BetterFlow

Last Updated: 01.07.2025
Version: 1.0

1. Overview

Better Quality Assurance S.R.L. (“BetterQA”) is committed to maintaining the highest standards of information security for BetterFlow. This Security Policy outlines our comprehensive approach to protecting your data, systems, and operations.

2. Security Framework

2.1 Compliance Standards

  • ISO 27001:2013 – Information Security Management System
  • GDPR – General Data Protection Regulation
  • ISO 9001:2015 – Quality Management System
  • Industry best practices and guidelines

2.2 Security Governance

  • Designated Information Security Officer
  • Regular security reviews and assessments
  • Continuous improvement processes
  • Board-level security oversight

3. Access Control

3.1 Authentication

  • Secure Login System

    • Separate portals for internal staff and clients
    • Strong password requirements (minimum 8 characters, mixed case, numbers, symbols)
    • Password confirmation to prevent typos
    • Account lockout after failed attempts
  • Session Management

    • Secure authentication tokens
    • Automatic timeout on inactivity (30 minutes)
    • Secure session invalidation on logout
    • Protection against session hijacking
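The lockout and session rules above are the kind of logic that is easy to get subtly wrong (counters that never reset, sessions that are refused but never deleted, tokens derived from user data). The following is an added example written for this page, not BetterFlow's own code: a minimal login, lockout and session store in Python that applies the policy's 30-minute inactivity timeout and invalidates sessions on logout. The lockout threshold (5 attempts) and lockout duration (15 minutes), the `AuthService` class, and the injected `verify_password` callable are assumptions; the policy does not state them.

```python
import hashlib
import secrets
import time

# Figure from the policy: 30-minute inactivity timeout. The lockout threshold and
# duration are assumptions for this example, since the page does not state them.
IDLE_TIMEOUT_S = 30 * 60
LOCKOUT_THRESHOLD = 5
LOCKOUT_S = 15 * 60


def _key(token: str) -> str:
    # Only a hash of the bearer token is stored server-side, so a copied session
    # table cannot be replayed against the live system.
    return hashlib.sha256(token.encode()).hexdigest()


class AuthService:
    """Hypothetical login, lockout and session store for this example (not BetterFlow code)."""

    def __init__(self, verify_password, clock=time.time):
        self._verify = verify_password   # callable(user, password) -> bool, supplied by caller
        self._clock = clock              # injectable so idle expiry can be exercised offline
        self._sessions = {}              # sha256(token) -> {"user": str, "last_seen": float}
        self._failures = {}              # user -> consecutive failed attempts
        self._locked_until = {}          # user -> unix time at which the lockout ends

    def is_locked(self, user: str) -> bool:
        return self._locked_until.get(user, 0.0) > self._clock()

    def login(self, user: str, password: str):
        """Return a fresh session token, or None on bad credentials or active lockout."""
        now = self._clock()
        if self.is_locked(user):
            return None                  # refuse before the password is even checked
        if not self._verify(user, password):
            n = self._failures.get(user, 0) + 1
            if n >= LOCKOUT_THRESHOLD:
                self._locked_until[user] = now + LOCKOUT_S
                n = 0                    # counter restarts once the lockout has expired
            self._failures[user] = n
            return None
        self._failures.pop(user, None)   # a successful login clears the failure counter
        token = secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG; new token per login
        self._sessions[_key(token)] = {"user": user, "last_seen": now}
        return token

    def resolve(self, token: str):
        """Return the session's user if it is valid and not idle-expired, else None."""
        k = _key(token)
        s = self._sessions.get(k)
        if s is None:
            return None
        now = self._clock()
        if now - s["last_seen"] > IDLE_TIMEOUT_S:
            del self._sessions[k]        # expired sessions are deleted, not merely refused
            return None
        s["last_seen"] = now             # any authenticated request resets the idle clock
        return s["user"]

    def logout(self, token: str) -> bool:
        """Invalidate the session server-side; the token is useless afterwards."""
        return self._sessions.pop(_key(token), None) is not None
```

Two design points worth noting: the lockout check runs before password verification, so a locked account cannot be used as a password oracle, and idle expiry removes the session record rather than just returning an error, so a stale token can never be revived by a later clock change.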

3.2 Authorization

  • Role-Based Access Control (RBAC)

    • Super Admin: Full system access
    • Admin: Organization-wide management
    • Employee: Project and personal data access
    • Client: Limited external project access
  • Principle of Least Privilege

    • Users receive minimum necessary permissions
    • Regular permission audits
    • Immediate revocation upon role change
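The four roles above only enforce least privilege if every check combines the role's permitted actions with the scope the role is allowed to act in (the admin's own organisation, the employee's assigned projects, the projects explicitly shared with a client). The following is an added example written for this page, not BetterFlow's own authorisation code. The role names are the policy's; the action names, the organisation and project scoping rules, the `client_visible` flag and the `change_role` helper are assumptions.

```python
from dataclasses import dataclass

# The four roles come from the policy. Action names and the scoping rules below are
# assumptions made for this example; they are not BetterFlow's permission model.
ROLE_ACTIONS = {
    "super_admin": {"*"},
    "admin": {"project.read", "project.write", "project.share", "timesheet.approve"},
    "employee": {"project.read", "project.write", "timesheet.write"},
    "client": {"project.read"},
}


@dataclass(frozen=True)
class User:
    id: str
    role: str
    org: str
    projects: frozenset = frozenset()   # projects assigned (employee) or shared (client)


@dataclass(frozen=True)
class Project:
    id: str
    org: str
    client_visible: bool = False        # only explicitly shared projects are visible externally


def is_allowed(user: User, action: str, project: Project) -> bool:
    """Deny-by-default check: the role must grant the action AND the scope must match.

    The decision is recomputed from the current User record on every call, so a role
    change or project removal takes effect on the next request with no cached grants.
    """
    granted = ROLE_ACTIONS.get(user.role, set())   # unknown role -> no actions at all
    if "*" in granted:
        return True                                # super admin: full system access
    if action not in granted:
        return False
    if user.role == "admin":
        return project.org == user.org             # organisation-wide, own organisation only
    if user.role == "employee":
        return project.org == user.org and project.id in user.projects
    if user.role == "client":
        return project.client_visible and project.id in user.projects
    return False


def change_role(user: User, new_role: str) -> User:
    """A role change drops every project grant; grants must be re-issued under the new role."""
    return User(user.id, new_role, user.org, frozenset())
```

The scope test is what turns a role list into least privilege: an admin of one organisation gets nothing in another, and a client with a project shared to them still cannot write to it because `client` never carries a write action in the first place.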

3.3 Account Management

  • Admin-led onboarding process
  • Email verification for new accounts
  • Immediate access revocation on termination
  • Regular access reviews and audits

4. Data Protection

4.1 Encryption

  • Data in Transit

    • TLS 1.2+ for all communications
    • Certificate pinning for mobile apps
    • Secure API endpoints
  • Data at Rest

    • AES-256 encryption for databases
    • Encrypted file storage
    • Encrypted backup archives

4.2 Data Classification

  • Public: Marketing materials, public documentation
  • Internal: General business information
  • Confidential: User data, project information
  • Restricted: Passwords, tokens, financial data

4.3 Data Handling

  • Secure data collection practices
  • Minimization of data collection
  • Purpose limitation enforcement
  • Secure data disposal procedures

5. Infrastructure Security

5.1 Network Security

  • Firewall protection at all layers
  • Intrusion Detection Systems (IDS)
  • DDoS protection
  • Network segmentation
  • Regular vulnerability scanning

5.2 Server Security

  • Hardened server configurations
  • Regular security patches
  • Automated update management
  • Secure baseline configurations
  • Container security (Kubernetes)

5.3 Application Security

  • Secure coding practices
  • Input validation and sanitization
  • Protection against OWASP Top 10
  • Regular security testing
  • Code reviews and static analysis

6. Operational Security

6.1 Monitoring and Logging

  • Comprehensive Audit Trails

    • User activity logging
    • System access logs
    • Security event monitoring
    • Failed authentication tracking
  • Log Management

    • Centralized log collection
    • 30-day activity log retention
    • Tamper-evident log storage
    • Real-time alerting

6.2 Incident Response

  • Incident Response Plan

    • 24-hour response commitment
    • Defined escalation procedures
    • Communication protocols
    • Post-incident reviews
  • Breach Notification

    • Supervisory authority notified within 72 hours of becoming aware of a personal data breach (GDPR Art. 33)
    • Affected data subjects notified where the breach is likely to result in a high risk to them (GDPR Art. 34)
    • Regulatory compliance
    • Transparent communication

6.3 Backup and Recovery

  • Backup Strategy

    • Daily automated backups
    • 30-day retention period
    • Geographically distributed storage
    • Encrypted backup files
  • Disaster Recovery

    • Documented recovery procedures
    • Regular recovery testing
    • Recovery Time Objective (RTO): 4 hours
    • Recovery Point Objective (RPO): 24 hours (consistent with the daily backup cycle)

7. Physical Security

7.1 Data Center Security

  • Tier 3+ certified facilities
  • 24/7 physical security
  • Biometric access controls
  • Environmental monitoring
  • Redundant power and cooling

7.2 Office Security

  • Controlled access to offices
  • Visitor management procedures
  • Clean desk policy
  • Secure equipment disposal

8. Third-Party Security

8.1 Vendor Management

  • Security assessment of vendors
  • Contractual security requirements
  • Regular vendor audits
  • Data processing agreements

8.2 Integration Security

  • Secure API design
  • OAuth 2.0 authentication
  • Rate limiting and throttling
  • API key management

9. Security Awareness

9.1 Employee Training

  • Security awareness onboarding
  • Annual security training
  • Phishing simulation exercises
  • Incident reporting procedures

9.2 User Education

  • Security best practices documentation
  • Regular security tips and updates
  • Clear security guidelines
  • Reporting mechanisms

10. Vulnerability Management

10.1 Vulnerability Assessment

  • Regular penetration testing
  • Automated vulnerability scanning
  • Security code reviews
  • Third-party security audits

10.2 Patch Management

  • Critical patches within 48 hours
  • Regular patch cycles
  • Testing before deployment
  • Rollback procedures

11. Specific Security Features

11.1 Client View Tracking

  • Monitoring of data access patterns
  • Automatic alerts for unusual activity
  • Red flag system for excessive viewing
  • Admin notifications for anomalies
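A red flag for excessive viewing is a detection rule run over the access logs described in section 6.1. The following is an added example written for this page, not BetterFlow's own detection code: a sliding-window count of project views per client over constructed JSON audit log lines, producing one alert per client that crosses the threshold. The window (10 minutes), the threshold (more than 20 views), the log field names and the sample records are all assumptions; the policy only states that excessive viewing is flagged and admins are notified.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

# Window and threshold are assumptions for this example; the policy does not state them.
WINDOW_S = 10 * 60
MAX_VIEWS = 20


def make_sample_log() -> list:
    """Constructed audit log (JSON lines) standing in for the centralised log store."""
    t0 = datetime(2025, 7, 1, 9, 0, tzinfo=timezone.utc)
    lines = []

    def ev(secs, user, role, action, project=None):
        rec = {"ts": (t0 + timedelta(seconds=secs)).isoformat(),
               "user": user, "role": role, "action": action}
        if project:
            rec["project"] = project
        lines.append(json.dumps(rec))

    for i in range(30):                     # one client reading 30 projects in five minutes
        ev(i * 10, "c-acme", "client", "project.view", f"p{i:03d}")
    for i in range(4):                      # ordinary client activity
        ev(i * 60, "c-globex", "client", "project.view", "p500")
    for i in range(40):                     # staff activity is outside client view tracking
        ev(i * 5, "e-001", "employee", "project.view", f"p{i:03d}")
    ev(120, "c-acme", "client", "auth.failure")   # non-view event, ignored by this rule
    return lines


def parse(lines):
    """Yield log records with an added epoch-seconds field for arithmetic."""
    for line in lines:
        rec = json.loads(line)
        rec["t"] = datetime.fromisoformat(rec["ts"]).timestamp()
        yield rec


def detect_excessive_viewing(lines, window_s=WINDOW_S, max_views=MAX_VIEWS):
    """Sliding-window count of project views per client; one alert per client that exceeds it."""
    recent = defaultdict(deque)   # user -> timestamps of views still inside the window
    seen = defaultdict(set)       # user -> distinct projects viewed so far (for the admin notice)
    alerts, flagged = [], set()
    for rec in sorted(parse(lines), key=lambda r: r["t"]):
        if rec["role"] != "client" or rec["action"] != "project.view":
            continue
        q = recent[rec["user"]]
        q.append(rec["t"])
        seen[rec["user"]].add(rec["project"])
        while q and rec["t"] - q[0] > window_s:
            q.popleft()               # drop views that have aged out of the window
        if len(q) > max_views and rec["user"] not in flagged:
            flagged.add(rec["user"])  # one alert per client per run, not one per extra view
            alerts.append({"user": rec["user"],
                           "views_in_window": len(q),
                           "distinct_projects": len(seen[rec["user"]]),
                           "window_start": q[0],
                           "triggered_at": rec["t"]})
    return alerts


if __name__ == "__main__":
    for alert in detect_excessive_viewing(make_sample_log()):
        print(json.dumps(alert))
```

The alert carries the count, the number of distinct projects and the window boundaries, which is what an admin needs to distinguish a client scrolling a long project list from one systematically pulling every record they can reach. Thresholds should be tuned against real traffic before the rule pages anyone.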

11.2 Data Deletion

  • GDPR-compliant permanent deletion
  • Immediate access revocation
  • Complete data expungement
  • Referential integrity of remaining records preserved after deletion

11.3 Time Tracking Security

  • Secure DeskTime integration
  • Tamper-evident time entries
  • Audit trails for modifications
  • Manager approval workflows

12. Compliance and Audit

12.1 Compliance Monitoring

  • Regular compliance assessments
  • Policy adherence reviews
  • Regulatory update tracking
  • Compliance reporting

12.2 Security Audits

  • Annual third-party audits
  • Internal security reviews
  • Penetration testing reports
  • Remediation tracking

13. Security Metrics and KPIs

  • Mean Time to Detect (MTTD): < 1 hour
  • Mean Time to Respond (MTTR): < 4 hours
  • Patch compliance rate: > 95%
  • Security training completion: 100%
  • Phishing simulation failure rate (users who click or submit credentials): < 5%

14. Contact Information

Security Incidents

Email: security@betterflow.eu
Phone: +40 751 289 399 (24/7 hotline)

Security Questions

Email: security-team@betterflow.eu

Vulnerability Disclosure

Email: security-disclosure@betterflow.eu

15. Policy Updates

This Security Policy is reviewed annually and updated as needed. All changes are:

  • Approved by security leadership
  • Communicated to stakeholders
  • Implemented with proper controls
  • Documented with version control

16. Commitment Statement

BetterQA is committed to:

  • Continuous security improvement
  • Transparent security practices
  • Rapid incident response
  • Protection of customer data
  • Compliance with regulations
  • Industry-leading security standards

This policy reflects our dedication to maintaining a secure environment for all BetterFlow users and their data.