Encryption Policy
Last updated: January 20, 2023
Introduction
- Encryption encodes data so that it cannot be read by anyone who does not hold the corresponding key. By encrypting data at rest and in transit, Zora Communications Ltd protects private, proprietary and sensitive data and secures communication between client applications and servers.
Scope
- This policy applies to all Zora Communications Ltd staff and contractors. It covers data at rest (databases and storage managed by our infrastructure provider, and company laptops), data in transit between client applications and servers and over public networks, the protection of end-user passwords, and the generation and storage of cryptographic keys.
Encryption at Rest
- Data at rest is defined as data that is physically stored and not actively moving from one location to another (e.g. device to device or network to network). This includes data stored on laptops, flash drives and hard drives.
- Zora Communications Ltd encrypts data at rest using a variety of tools including (but not limited to):
- Utilizing databases managed by our infrastructure provider which have options to encrypt data at rest. In these cases, encryption keys are managed by the infrastructure provider.
- Utilizing the infrastructure provider's option to encrypt the underlying storage of the assets that persist data. Again, encryption keys are managed by the infrastructure provider.
- Company laptops are encrypted as outlined in the Endpoint Security Policy
Encryption in Transit
- Data in transit is defined as data that is actively moving from one location to another (e.g. device to device or network to network). This includes data transferred over public networks such as the internet.
- Zora Communications Ltd encrypts data in transit using a variety of tools including:
- TLS: all web traffic must use HTTPS. The minimum accepted protocol version is TLS 1.2; SSL (all versions) and TLS 1.0/1.1 must be disabled on both servers and clients.
- Use TLS certificates issued by a known, publicly trusted certificate authority for all of Zora Communications Ltd's public-facing properties on the internet.
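The following is an added example, not part of the original policy, showing how the TLS 1.2 minimum above is enforced in code and how an existing web-server configuration can be audited against it. It uses only the Python standard library; the `ssl_protocols` line and the certificate file paths are assumed, constructed inputs.

```python
import ssl

# Versions this policy forbids: everything older than TLS 1.2.
FORBIDDEN_VERSIONS = {
    ssl.TLSVersion.SSLv3,
    ssl.TLSVersion.TLSv1,
    ssl.TLSVersion.TLSv1_1,
}

# Protocol names as they appear in typical web-server configuration
# (nginx "ssl_protocols", Apache "SSLProtocol"), mapped to ssl.TLSVersion.
PROTOCOL_NAMES = {
    "SSLv3": ssl.TLSVersion.SSLv3,
    "TLSv1": ssl.TLSVersion.TLSv1,
    "TLSv1.1": ssl.TLSVersion.TLSv1_1,
    "TLSv1.2": ssl.TLSVersion.TLSv1_2,
    "TLSv1.3": ssl.TLSVersion.TLSv1_3,
}


def policy_client_context() -> ssl.SSLContext:
    """Client-side context for calling another service under this policy."""
    ctx = ssl.create_default_context()            # loads the OS trust store
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # refuse SSLv3, TLS 1.0, TLS 1.1
    ctx.check_hostname = True                     # certificate must match the host
    ctx.verify_mode = ssl.CERT_REQUIRED           # reject untrusted or self-signed certs
    return ctx


def policy_server_context(certfile: str, keyfile: str) -> ssl.SSLContext:
    """Server-side context for an HTTPS endpoint; paths are assumed inputs."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(certfile, keyfile)  # certificate from a publicly trusted CA
    return ctx


def parse_protocol_directive(line: str) -> list:
    """Split a directive such as 'ssl_protocols TLSv1 TLSv1.2;' into its protocol names."""
    return line.strip().rstrip(";").split()[1:]


def audit_protocol_list(enabled: list) -> list:
    """Return the enabled protocol names that violate the policy.

    Unknown names are reported as well: an unrecognised protocol cannot be
    assumed safe, so the reviewer has to look at it.
    """
    violations = []
    for name in enabled:
        version = PROTOCOL_NAMES.get(name)
        if version is None or version in FORBIDDEN_VERSIONS:
            violations.append(name)
    return violations


if __name__ == "__main__":
    # Constructed sample: a protocol line from a hypothetical nginx site config.
    sample_line = "ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;"
    enabled = parse_protocol_directive(sample_line)
    print("enabled:", enabled)
    print("policy violations:", audit_protocol_list(enabled))
    ctx = policy_client_context()
    print("client minimum version:", ctx.minimum_version.name)
```

Setting `minimum_version` on the context is what actually rejects a downgraded handshake; the audit function is for reviewing configuration during the compliance checks described under Breaches of Policy.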
Rolling your own Crypto
- Please don't roll your own crypto. If you really think you have a situation where it makes sense to do this, please don't. If you really think this is a good idea, it is still not and please don't. If you're absolutely sure you have an edge case where this makes sense, please engage with the Zora Communications Ltd security team first so they can work with you on finding an alternative.
Password Protection
- Passwords of end-users of Zora Communications Ltd systems must be protected in transit (over TLS, as above) and must never be stored in plaintext or in a reversibly encrypted form within the application or database. Store only a salted hash produced by a purpose-built, slow password hashing function (e.g. Argon2, scrypt or bcrypt), so that a compromise of the database or of an encryption key does not reveal the passwords themselves.
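The following is an added example, not part of the original policy, of the storage scheme required above: each password gets a fresh random salt, is hashed with scrypt from the Python standard library, and is verified with a constant-time comparison. The cost parameters and the `scrypt$N$r$p$salt$hash` storage format are assumptions for this example, not a Zora Communications Ltd standard.

```python
import base64
import hashlib
import hmac
import os

# scrypt cost parameters (assumed values for this example; tune to your hardware).
SCRYPT_N = 2 ** 14   # CPU/memory cost; with r=8 this uses 16 MiB per hash
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing, salted scrypt hash that is safe to store."""
    salt = os.urandom(SALT_BYTES)  # per-password salt: equal passwords get different hashes
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_BYTES)
    return "$".join([
        "scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def _parse(stored: str):
    """Split a stored value into (n, r, p, salt, digest); None if malformed."""
    try:
        scheme, n, r, p, salt_b64, digest_b64 = stored.split("$")
        if scheme != "scrypt":
            return None
        return int(n), int(r), int(p), base64.b64decode(salt_b64), base64.b64decode(digest_b64)
    except ValueError:
        return None


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored parameters and compare in constant time."""
    parsed = _parse(stored)
    if parsed is None:
        return False
    n, r, p, salt, expected = parsed
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=n, r=r, p=p, dklen=len(expected))
    # hmac.compare_digest avoids leaking how many leading bytes matched.
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str) -> bool:
    """True if the stored hash was made with weaker parameters than the current policy.

    Call this after a successful login so old hashes are upgraded transparently.
    """
    parsed = _parse(stored)
    if parsed is None:
        return True
    n, r, p, _salt, digest = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(digest) < KEY_BYTES


if __name__ == "__main__":
    # Constructed sample credential; only the hash would ever reach the database.
    stored = hash_password("correct horse battery staple")
    print("stored value:", stored)
    print("correct password verifies:", verify_password("correct horse battery staple", stored))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", stored))
    print("needs rehash:", needs_rehash(stored))
```

Because the hash is one-way, an attacker who obtains the database (or any key used to encrypt it) still has to guess each password individually at the cost set by the scrypt parameters; a reversible encryption scheme would hand them every password at once.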
Cryptographic Keys
- Cryptographic keys must be generated from a cryptographically secure random source, so that they cannot be predicted or duplicated, and stored in a manner that prevents loss, theft or compromise (for example, keys managed by the infrastructure provider, as described under Encryption at Rest). Keys must never be committed to source code or shared in plaintext.
Breaches of Policy
- The Information Security Officer may monitor compliance with this policy through various methods, including but not limited to reviews of databases, code or infrastructure, or through other internal or external audits. Where remediation is required, feedback will be provided to the appropriate staff members. Any staff member or contractor found to be in violation of this policy may be subject to disciplinary action, up to and including termination of employment or contract.