Nov 1, 2025

Data Protection & Responsible Disclosure Policy

At SentriMorph, protecting digital assets and handling vulnerabilities responsibly are core to our mission.

Purpose

This policy establishes clear principles for:

  • Ensuring the confidentiality, integrity, and availability of data entrusted to SentriMorph.
  • Providing a structured, ethical process for responsible disclosure of security vulnerabilities.
  • Promoting transparency, accountability, and collaboration in cybersecurity defense.

Scope

This policy applies to:

  • All employees, contractors, and partners of SentriMorph.
  • All systems, applications, networks, and infrastructure owned or operated by SentriMorph.
  • Any external individuals or security researchers who discover vulnerabilities related to our platforms or client-facing environments.

Data Protection Principles

SentriMorph adheres to the following key principles of data protection:

  • Confidentiality: All client and internal data are protected from unauthorized access or disclosure.
  • Integrity: We maintain the accuracy and consistency of all stored and processed information.
  • Availability: Systems are designed for resilience and redundancy to ensure service continuity.
  • Accountability: Every employee and contractor is responsible for protecting information assets.
  • Transparency: Clients and partners are informed about how their data is collected, stored, and used.

Security Controls & Frameworks

To maintain a secure environment, SentriMorph implements controls in line with:

  • ISO/IEC 27001 - Information Security Management System (ISMS)
  • NIST Cybersecurity Framework (CSF)
  • OWASP Top 10 and ASVS for application security
  • Zero-Trust Architecture Principles

Our controls include:

  • Encryption of data (at rest and in transit) using AES-256 and TLS 1.3
  • Multi-factor authentication and role-based access control (RBAC)
  • Continuous monitoring and intrusion detection (SIEM)
  • Regular internal and third-party penetration testing
  • Secure data disposal and retention procedures

Responsible Disclosure Policy

SentriMorph welcomes responsible reporting of security vulnerabilities.

a. How to Report:

Send vulnerability reports to security@sentrimorph.com. Reports should include a detailed description, steps to reproduce, a proof-of-concept (if available), and contact information.

b. What to Expect:

  • Acknowledgement of report within 72 hours
  • Security team will investigate and assess the issue
  • If valid, remediation and coordinated disclosure with consent
  • Public acknowledgement of contribution (with consent) once resolved

c. Rules of Engagement:

  • Do not exploit the vulnerability beyond verification
  • Do not access, modify, or delete data that does not belong to you
  • Do not perform denial-of-service (DoS) or social-engineering attacks
  • Do not share the issue publicly before SentriMorph has confirmed remediation
  • Violations may lead to legal action

Data Handling for Security Testing

During authorized penetration testing or red-team engagements:

  • All test data and credentials are stored in encrypted environments
  • Client-specific information is isolated and accessible only to assigned personnel
  • Reports are shared securely through encrypted communication channels
  • All temporary testing data is securely destroyed after project completion

Data Breach Response

In the unlikely event of a data breach:

  • The Incident Response Team (IRT) will be activated immediately
  • Containment, eradication, and recovery procedures will begin within defined SLAs
  • Affected parties and regulatory bodies will be notified in compliance with applicable laws
  • A post-incident review will be conducted to strengthen preventive controls

Legal & Regulatory Compliance

SentriMorph complies with:

  • Digital Security Act 2018 and ICT Act 2006 (Bangladesh)
  • General Data Protection Regulation (GDPR) (where applicable)
  • Global cybersecurity and data protection frameworks relevant to client jurisdictions

Continuous Improvement

We regularly review and update data protection and disclosure practices through:

  • Annual internal audits and compliance reviews
  • Threat intelligence monitoring and adaptive response updates
  • Employee security awareness and ethical hacking training programs

Contact Us

For vulnerability submissions or data protection concerns:

security@sentrimorph.com | www.sentrimorph.com | Dhaka, Bangladesh