Information Security Policy for Atly Apps

Atly Apps strives to build quality software while rigorously safeguarding the privacy of our users and their data. This policy outlines our internal policies for handling information securely, based on the ISO 27001:2013 standard, NIST Cybersecurity Framework and industry-accepted best practices.

This policy was last updated on 30 April 2025.

Objectives

The key objectives of this policy are to list the measures employed by Atly Apps to safeguard any information controlled by us. Furthermore, it seeks to set standards that drive an organizational culture of security.

Scope

This policy applies to all employees of Atly Apps, and includes devices and residences used to conduct their work. It includes information in all of its forms, whether physical or digital, on assets maintained by both Atly Apps and any external parties.

Information security governance

Security is a shared responsibility throughout Atly Apps, and it should be considered throughout the lifecycle of product development.

The management of Atly Apps will be ultimately responsible for the security of information throughout the organization, and there will exist clear lines of communication for conversations about information security to flow through the organization.

Data security

Information relevant to Atly Apps will be rigorously safeguarded to achieve confidentiality, integrity, and availability goals. Wherever possible, data is encrypted using industry-accepted best-practice encryption algorithms both during storage and transmission.

Physical environment security

Access to physical locations containing Atly Apps information must be safeguarded by appropriate physical security limitations which allow only authorized employees access to information and assets. These limitations should protect against malicious actors attempting to deliberately gain unauthorized access, as well as natural disasters.

Personnel security

The threat of unauthorized information disclosure or malicious access to information by insiders will be managed through a combination of human resources processes, such as background checks, and ongoing awareness and education campaigns. Education campaigns will ensure that users understand the roles and responsibilities associated with their role and function within the organization and act accordingly.

Network security

Networks will be designed and implemented using industry-accepted best practices and with appropriate access control to prevent unauthorized access. Where possible, network segmentation and proactive monitoring and defense technology will be employed in network implementation. Furthermore, regular auditing will be implemented to ensure there is no anomalous usage of Atly Apps networks.

Asset management

Information assets and devices will be securely provisioned, transferred or destroyed throughout their lifecycle. Such relevant assets will also be tracked in a centralized manner.

Employees of Atly Apps will ensure that they use only approved platforms on approved assets for communication and completing their tasks as part of their employment.

Continuous monitoring

Where possible, technology will be utilized to proactively monitor and defend the organization from potential threats to information security. For example, email spam filters will be utilized to prevent potential phishing attacks, and vulnerability scanners will be utilized to prevent vulnerabilities in Atly Apps' products or their dependencies from being delivered to customers.

Identity and access management

All systems and software used by Atly Apps will have the ability to manage and audit user access, and enforce appropriate security mechanisms, such as Two Factor Authentication.

Access to systems will be provided adhering to a principle of least privilege, in which access will be provided to the minimum allowable set of information that is required for someone to complete their job.

If an employee no longer requires access to a system, they will be removed from that system as soon as possible.

Backup and disaster recovery

All systems containing important information relevant to Atly Apps will be backed up in multiple places in such a way that they can be restored in case of a disaster. These backups should be regularly verified to ensure business continuity in the case of a disaster, or other event which requires restoration from backup.

Incident Management

If a security incident is identified, such as a possible breach of this information security policy or a previously unknown situation that may be relevant to information security, it must be reported and escalated through the appropriate channels in the organization.

If required, partner organizations and/or law enforcement must be notified, based on the type and severity of the identified incident.

After the declaration of an incident, relevant evidence must be collected for analysis throughout the incident process and potentially afterwards.

Once an incident has been concluded, a post-mortem must be performed to highlight learnings that can be taken away from the incident in order to try and prevent such an incident from arising again.

Changes to this policy

At our discretion, we may change our privacy policy to reflect updates to our business operations or legislative or regulatory changes.

Contact us

For any questions or concerns regarding your privacy or this policy, please contact our internal Data Protection Officer at support@atly.io.