Security Policy
Last updated: June 21, 2026
At RESTIV Technology (“we”, “us”, or “our”), security is at the core of everything we do. This Security Policy outlines our commitment to protecting your data and the measures we implement to maintain a secure environment for our clients and partners.
This Security Policy should be read alongside our Privacy Policy, GDPR Compliance Statement, and Terms of Service, which together describe our overall approach to data protection.
1. Security Principles
Our security program is built on the following core principles:
- Defense in Depth: We implement multiple layers of security controls to protect sensitive information.
- Least Privilege: Access to data is granted on a need-to-know basis, with the minimum permissions necessary.
- Zero Trust: We verify every access request regardless of source or network location.
- Continuous Monitoring: Our security posture is constantly assessed and verified.
- Privacy by Design: Security and privacy considerations are integrated into our product development lifecycle.
2. Infrastructure Security
Our infrastructure is designed with security as a foundation:
- Cloud Security: We leverage enterprise-grade cloud services with robust security features and compliance certifications.
- Network Security: Multiple layers of firewalls, intrusion detection systems, and traffic monitoring protect our network perimeter.
- Encryption: All data is encrypted both in transit (using TLS 1.2 or higher) and at rest using industry-standard encryption algorithms.
- High Availability: Our infrastructure is designed for resilience with redundancy across multiple geographic regions.
- Regular Updates: Systems are regularly patched and updated to address security vulnerabilities.
3. Access Control
We implement strict access controls to protect information:
- Multi-Factor Authentication (MFA): MFA is required for all internal systems and client-facing applications.
- Role-Based Access: Access permissions are based on defined roles and responsibilities, with regular reviews.
- Strong Authentication: We enforce strong password policies, including complexity requirements and regular rotation.
- Session Management: Automatic timeouts, secure session handling, and device validation help prevent unauthorized access.
- Access Logging: All access attempts are logged and monitored for suspicious activities.
4. Application Security
Security is integrated throughout our development lifecycle:
- Secure Development: Our development practices follow OWASP (Open Web Application Security Project) guidelines.
- Code Reviews: Regular peer code reviews and automated security scanning tools identify vulnerabilities.
- Penetration Testing: We conduct regular penetration testing by both internal teams and third-party security specialists.
- Vulnerability Management: A formal process for identifying, classifying, and remediating vulnerabilities ensures prompt resolution.
- API Security: All APIs implement strong authentication, rate limiting, and input validation controls.
5. Security Monitoring and Incident Response
We maintain vigilant monitoring and rapid response capabilities:
- 24/7 Monitoring: Continuous monitoring of systems and networks for unusual activity or potential security incidents.
- Automated Alerts: Automated systems detect and alert on suspicious behaviors and potential threats.
- Incident Response Team: A dedicated team of security professionals is ready to respond to and mitigate security incidents.
- Response Plan: A comprehensive incident response plan details our approach to handling security incidents.
- Post-Incident Review: Thorough analysis of security incidents informs improvements to our security measures.
6. Business Continuity and Disaster Recovery
We prepare for disruptions to ensure service reliability:
- Backup Systems: Regular, encrypted backups with strict access controls protect against data loss.
- Disaster Recovery: Comprehensive disaster recovery plans ensure rapid restoration of services.
- Testing: Regular testing of recovery procedures validates our ability to resume operations.
- Geographic Redundancy: Critical systems are distributed across multiple geographic regions to ensure availability.
- Communication Plan: In the event of a disruption, we have clear procedures for communicating with affected parties.
7. Compliance and Certifications
We maintain compliance with industry standards and regulations:
- SOC 2 Type II: Our security controls are independently audited against the AICPA Trust Services Criteria.
- ISO 27001: We implement an Information Security Management System aligned with international standards.
- GDPR Compliance: Our practices comply with the European General Data Protection Regulation.
- Regular Audits: Independent third-party audits regularly assess our security posture.
- Industry Best Practices: We follow frameworks such as the NIST Cybersecurity Framework and the CIS Controls.
8. Reporting Security Concerns
We encourage the responsible disclosure of security concerns.
If you discover a potential security vulnerability or have other security concerns, please contact our security team at security@restiv.io. We are committed to:
- Acknowledging receipt of your report within 24 hours
- Providing a timeline for addressing the issue within 48 hours
- Keeping you informed of our progress in addressing the issue
- Recognizing your contribution to our security (with your permission)
We appreciate the efforts of security researchers and the broader community in helping us maintain a secure platform.
9. Contact Information
For questions about our security practices or to report security concerns, please contact:
RESTIV Technology Security Team
101-119 6 Ave SW
Calgary, AB, Canada T2P 0P8
Email: security@restiv.io
Phone: +1.587.807.0896
10. Changes to this Policy
We may update this Security Policy from time to time to reflect changes in our practices or legal requirements. We will notify clients of any material changes and indicate at the top of this policy when it was most recently updated.