Policy Purpose
This Security Policy outlines how Mokzero, Inc. (“Mokzero”, “we”, “us”, or “our”) safeguards the security of Mokzero.app (“App”), its data, and user information.
It establishes rules for access control, data protection, incident response, and compliance with standards like GDPR and SOC 2.
Scope
This policy applies to all Mokzero.app users, employees, contractors, third-party providers, and systems processing App data.
It covers cloud infrastructure (e.g., AWS or similar), web and mobile clients, APIs, and any personal data handled.
Data Classification
We classify data by sensitivity to apply appropriate protections.
| Classification | Description | Examples | Handling Requirements |
|---|---|---|---|
| Public | No sensitivity; freely shareable | Marketing materials, public FAQs | Basic access controls |
| Internal | Limited business impact if leaked | Internal docs, non-sensitive analytics | Encryption in transit; least privilege access |
| Confidential | High business or legal risk | User account data, API keys | Encryption at rest/transit; MFA required; audit logs |
| Restricted | Critical; potential for severe harm | Payment details, health data (if applicable) | Full encryption; restricted access; regular penetration testing |
Access Controls
Access to Mokzero.app and its systems follows the principle of least privilege.
All accounts require strong, unique passwords (minimum 12 characters, no reuse) and multi-factor authentication (MFA).
Role-based access control (RBAC) limits permissions to job needs; automated offboarding revokes ex-employee access immediately.
Single sign-on (SSO) is enforced where possible; session timeouts occur after 15 minutes of inactivity.
Regular access reviews (quarterly) ensure no dormant or over-privileged accounts exist.
Data Protection Measures
We protect data throughout its lifecycle using industry standards.
Encryption: All sensitive data is encrypted at rest (AES-256) and in transit (TLS 1.3+).
Backups: Automated, encrypted backups stored offsite; tested quarterly for integrity and recovery.
Data minimization: We collect only necessary data and delete it when no longer required (e.g., per GDPR storage limitation).
No personal data is stored on employee personal devices.
Physical and Network Security
Servers and data centers (e.g., AWS) use physical access controls, surveillance, and biometric locks.
Network security includes firewalls, intrusion detection/prevention systems (IDS/IPS), DDoS protection, and web application firewalls (WAF).
API endpoints require rate limiting, input validation, and authentication (e.g., JWT tokens).
Security Awareness and Training
All employees and contractors complete annual security training on phishing, secure coding, and compliance.
Users are encouraged to report suspicious activity to security@mokzero.com.
Third-Party Security
Third-party providers (e.g., cloud hosts, analytics tools like Google Analytics) must meet or exceed our standards via contracts including security audits and data processing agreements (DPAs).
We conduct due diligence and annual reviews of vendors.
Incident Response
We maintain a 24/7 incident response plan.
Detection: Continuous monitoring with SIEM tools; alerts on anomalies.
Response: Incidents classified by severity; containment within 1 hour for high-risk events.
Notification: Affected users notified within 72 hours per GDPR; authorities as required.
Post-incident: Root cause analysis and policy updates.
Vulnerability Management
We run weekly automated vulnerability scans and monthly penetration tests performed by certified experts.
Critical vulnerabilities are patched within 7 days; high-severity vulnerabilities within 30 days.
Secure software development lifecycle (SDLC) includes code reviews and dependency scanning.
Compliance and Audits
Mokzero.app complies with GDPR, CCPA (if applicable), and aims for SOC 2 Type II certification.
Annual third-party audits and internal reviews verify adherence.
Contact compliance@mokzero.com for audit requests or rights inquiries.
Policy Updates
This policy is reviewed annually or after major incidents/changes. Last updated: 02/16/2026.