Security Policy

Effective Date: 25 January 2025

Issued By: Nuvra Limited (Masdar City Free Zone, Abu Dhabi, UAE)

Contact: security@nuvra.agency

1. PURPOSE AND SCOPE

1.1 This Security Policy (“Policy”) establishes the information security, cybersecurity, data protection, and risk management standards implemented by Nuvra Limited (“Nuvra”, “Nuvra Tech”, “Company”, “we”, “our”) for the protection of the Vibe Coding Platform (“Platform”).

1.2 This Policy applies to:

  • all Platform Users;
  • all Company employees, contractors, and service providers;
  • all systems, networks, cloud environments, APIs, and data storage systems;
  • all data processed, stored, or transmitted through the Platform.

1.3 This Policy complements the Privacy Policy, Data Processing & Retention Policy, and the Acceptable Use Policy.

2. LEGAL AND REGULATORY FRAMEWORK

This Policy is designed to ensure compliance with:

  • UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumours and Cybercrimes;
  • UAE Federal Decree-Law No. 45 of 2021 (PDPL);
  • Cabinet Decision No. 111 of 2022 (PDPL Executive Regulations);
  • UAE Penal Code;
  • UAE Telecom/TDRA security requirements;
  • Masdar City Free Zone policies;
  • Industry best practices (ISO 27001, NIST CSF, CIS).

3. SECURITY OBJECTIVES

Nuvra Tech is committed to:

3.1 Confidentiality
Ensuring that data is accessed only by authorized persons.

3.2 Integrity
Ensuring that systems and data are accurate and protected against unauthorized modification.

3.3 Availability
Ensuring that the Platform remains accessible and resilient.

3.4 Resilience
Ensuring survivability under cyber attack, system failures, or disaster scenarios.

4. INFORMATION SECURITY MANAGEMENT SYSTEM (ISMS)

4.1 Nuvra Tech operates an internal Information Security Management System aligned with internationally recognized frameworks.

4.2 The ISMS includes:

  • documented security controls;
  • risk assessments;
  • security audits;
  • vulnerability management;
  • incident response procedures;
  • supply-chain risk management.

4.3 Annual reviews ensure continuing adequacy, effectiveness, and compliance.

5. DATA CLASSIFICATION AND HANDLING

5.1 Data within the Platform is classified as:

  a. Public
  b. Internal
  c. Confidential
  d. Highly Confidential / Personal Data (subject to PDPL)

5.2 Each classification level includes handling requirements for:

  • storage;
  • encryption;
  • access;
  • sharing;
  • disposal.

5.3 Personal Data is processed strictly in accordance with PDPL.

6. ACCESS CONTROL AND IDENTITY MANAGEMENT

6.1 Access to Platform systems and data is based on:

  • least privilege;
  • role-based access control (RBAC);
  • need-to-know authorization.

6.2 Administrative access is protected by:

  • multi-factor authentication (MFA);
  • strict password policies;
  • session timeouts;
  • audit logging.

6.3 User accounts must not be shared, resold, or accessed by unauthorized parties.

7. ENCRYPTION AND CRYPTOGRAPHY

7.1 All data in transit is secured using TLS 1.2+ encryption.

7.2 All data at rest within company systems is encrypted using industry-standard algorithms (AES-256 or equivalent).

7.3 Encryption keys are managed through controlled key management systems with strict access restrictions.

8. NETWORK SECURITY

8.1 Nuvra Tech implements layered defense including:

  • firewalls;
  • intrusion detection and prevention systems (IDS/IPS);
  • DDoS protection;
  • network segmentation;
  • continuous monitoring.

8.2 All system access is logged, monitored, and subject to automated anomaly detection.

9. APPLICATION SECURITY

9.1 The Platform undergoes:

  • secure code reviews;
  • automated vulnerability scanning;
  • penetration testing (internal and external);
  • dependency and library security checks;
  • API authentication and rate-limiting safeguards.

9.2 Secure development lifecycle (SDLC) practices include:

  • threat modeling;
  • security unit testing;
  • patch and update management;
  • segregation of development, testing, and production environments.

10. VULNERABILITY MANAGEMENT

10.1 Nuvra Tech maintains a structured vulnerability management process including:

  • routine assessments;
  • prioritized remediation;
  • security patching;
  • tracking and mitigation of CVEs;
  • monitoring of zero-day threats.

10.2 Critical vulnerabilities are addressed within industry-standard timeframes or faster, depending on risk severity.

11. PHYSICAL SECURITY

11.1 All production infrastructure is hosted in secure, ISO-certified data centers with:

  • 24/7 surveillance;
  • access controls;
  • biometric authentication;
  • redundant power and cooling systems.

11.2 On-premise corporate locations are secured through:

  • restricted access policies;
  • visitor logs;
  • badge-based entry;
  • CCTV monitoring.

12. THIRD-PARTY & SUPPLY-CHAIN SECURITY

12.1 Third-party vendors, including cloud providers and payment processors, undergo:

  • risk assessments;
  • contractual data protection obligations;
  • compliance verification;
  • periodic reviews.

12.2 The Company maintains written agreements ensuring adherence to PDPL and cybersecurity standards.

13. INCIDENT RESPONSE AND BREACH MANAGEMENT

13.1 The Company maintains a formal Incident Response Plan (“IRP”) covering:

  • detection;
  • containment;
  • investigation;
  • remediation;
  • recovery.

13.2 In the event of an incident involving Personal Data, Nuvra Tech will:

  a. assess the severity;
  b. notify the UAE Data Office where required;
  c. notify affected Users;
  d. take corrective measures.

13.3 Incident logs and forensics are maintained for regulatory compliance.

14. LOGGING AND MONITORING

14.1 All critical systems implement:

  • real-time logging;
  • security event monitoring;
  • anomaly detection;
  • access tracking.

14.2 Logs are protected against tampering and retained in accordance with the Data Retention Policy.

15. BUSINESS CONTINUITY & DISASTER RECOVERY

15.1 Nuvra Tech maintains a Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to ensure service resilience in the event of:

  • infrastructure failures;
  • cybersecurity attacks;
  • natural disasters;
  • cloud outages.

15.2 Redundant systems and automated failover mechanisms may be employed where appropriate.

16. USER SECURITY OBLIGATIONS

Users must:

  • maintain secure passwords;
  • use updated and malware-free devices;
  • avoid sharing credentials;
  • keep browsers and plugins updated;
  • refrain from using unauthorized automation tools;
  • comply with the Acceptable Use Policy at all times.

17. PROHIBITED SECURITY-RELATED ACTIVITIES

Users may not:

  a. attempt to bypass security mechanisms;
  b. perform penetration testing without written authorization;
  c. deploy malware or malicious scripts;
  d. exploit vulnerabilities or security gaps;
  e. overwhelm system resources via automation or excessive loads.

Violations may result in suspension, termination, and legal action.

18. SECURITY TRAINING AND AWARENESS

18.1 All Company personnel receive mandatory security training covering:

  • PDPL requirements;
  • secure data handling;
  • phishing and threat awareness;
  • incident response protocols.

18.2 Contractors with system access are required to adhere to comparable training standards.

19. GOVERNANCE AND REVIEW

19.1 The Chief Information Security Officer (or equivalent authority) oversees Policy enforcement.

19.2 This Policy is reviewed annually or after major system changes.

20. AMENDMENTS

Nuvra Tech may amend this Policy at any time to reflect:

  • legal updates;
  • technological changes;
  • operational needs.

Updates take effect upon publication.

21. GOVERNING LAW

This Policy is governed by:

  • UAE Federal Laws;
  • Laws of the Emirate of Abu Dhabi;
  • Masdar City Free Zone regulations.

22. CONTACT INFORMATION

For security issues or incident reports:

Nuvra Limited
Masdar City Free Zone
Abu Dhabi, United Arab Emirates

security@nuvra.agency