
This Security Policy outlines the safeguards and protocols implemented by SOUQERP to ensure the confidentiality, integrity, and availability of user data and digital services. It complements our Privacy Policy and Terms of Service, and is structured to align with relevant regulatory frameworks in the Kingdom of Saudi Arabia, including SDAIA, NCA, and CITC standards.

1 Purpose and Scope

This policy applies to:

  • All SOUQERP software services, web applications, APIs, and cloud-hosted platforms
  • Internal systems used to operate, monitor, and support client environments
  • Data and communications exchanged between SOUQERP and its clients, partners, or regulators

2 Data Classification and Handling

SOUQERP classifies and handles data based on sensitivity level:

| Classification       | Description                                        | Controls Applied                  |
|----------------------|----------------------------------------------------|-----------------------------------|
| Public               | Non-sensitive, publicly accessible                 | Basic access control              |
| Internal Use         | Operational or business data not for public access | Role-based access, audit logs     |
| Confidential         | Personal, financial, or strategic data             | Encryption, access restriction    |
| Regulated/Restricted | Legal or compliance-bound data (e.g. ZATCA, ID)    | Local hosting, advanced monitoring |

All user data submitted via our platforms is encrypted both in transit and at rest using approved cryptographic methods.

3 Access Management

We enforce strict access protocols to reduce risk:

  • Role-Based Access Control (RBAC)
  • Periodic credential reviews and deactivation of dormant accounts
  • Logging and real-time monitoring of login activity and session behavior

Administrative access is restricted to authorized personnel based on operational need and subject to formal approval.

4 Infrastructure and Hosting Security

SOUQERP platforms are hosted in compliant data centers with:

  • Physical security controls
  • ISO 27001-certified environments
  • Firewall segmentation and intrusion detection systems (IDS)
  • Data residency aligned with KSA/GCC regulatory expectations

Systems are hardened and updated regularly to mitigate vulnerabilities.

5 Application and API Security

All applications undergo secure development practices including:

  • Code reviews and vulnerability scans
  • Penetration testing in staging environments
  • Secure API key management and throttling

We maintain secure integration methods with trusted third-party platforms such as CRM, ERP, and payment gateways.

6 Incident Response and Notification

In the event of a security breach:

  • Immediate containment measures are initiated
  • Impact analysis and root-cause investigation are conducted
  • Affected parties are notified per SDAIA and NCA guidelines
  • Incident logs are maintained for audit and regulatory review

SOUQERP’s response team operates under a documented playbook approved by our cybersecurity compliance lead.

7 Business Continuity and Disaster Recovery

We ensure resilience through:

  • Regular backup schedules stored across diverse zones
  • Real-time failover mechanisms and high-availability clusters
  • Disaster recovery protocols tested bi-annually
  • Service continuity metrics (RTO/RPO) aligned to client SLAs

8 Third-Party Risk Management

Any third-party vendor or service involved in delivering SOUQERP solutions must:

  • Sign a binding NDA and Data Processing Agreement (DPA)
  • Demonstrate compliance with relevant cybersecurity and data protection standards
  • Undergo periodic risk assessments and platform integration reviews

9 Employee and Internal Security Awareness

All SOUQERP staff are subject to:

  • Background checks per organizational risk level
  • Mandatory cybersecurity training and phishing simulations
  • Annual compliance attestations and awareness refreshers

Access to client or production environments is highly restricted and monitored.

10 Policy Review and Updates

This Security Policy is reviewed at least annually and may be revised to:

  • Reflect changes in legal, operational, or technological practices
  • Incorporate feedback from regulatory bodies or audits
  • Address newly identified threats or vulnerabilities

Significant changes will be communicated to stakeholders through formal updates.

11 Contact & Reporting

To report a security concern or request clarification: info@souqerp.com