Security Policy

Last updated: January 2026

Our Security Commitment

RoadAsset is designed for critical infrastructure management. We implement enterprise-grade security measures to protect your road asset data, GPS coordinates, and organizational information. Security is not an afterthought—it's built into every layer of our platform.

Infrastructure Security

Cloud Infrastructure

  • Hosted on Cloudflare's global edge network with DDoS protection
  • Database hosted on Aiven with automated backups and encryption at rest
  • Object storage with server-side encryption (AES-256)
  • All infrastructure components are SOC 2 Type II certified

Network Security

  • TLS 1.3 encryption for all data in transit
  • HTTP Strict Transport Security (HSTS) enforced
  • Web Application Firewall (WAF) protection
  • Rate limiting and bot protection
  • Geographic access controls available for Enterprise plans

Data Protection

Encryption

  • All data encrypted in transit using TLS 1.3
  • Database encryption at rest using AES-256
  • Object storage encrypted with server-side encryption
  • Sensitive fields (API keys, tokens) encrypted at application layer

Data Isolation

  • Strict tenant isolation between organizations
  • Role-based access control (RBAC) at project and organization levels
  • Audit logging for all data access and modifications
  • Secure deletion procedures with verification

Backup & Recovery

  • Automated daily backups with 30-day retention
  • Point-in-time recovery capability
  • Geo-redundant backup storage
  • Regular backup restoration testing

Authentication & Access Control

Authentication

  • Passwordless authentication via email OTP and magic links
  • Session tokens stored in cookies with the Secure and HttpOnly flags set
  • Automatic session expiration and refresh
  • SSO integration available for Enterprise plans (SAML 2.0, OIDC)

Authorization

  • Role-based access control: Owner, Admin, Member, Viewer
  • Project-level permissions with granular controls
  • Organization-level role management
  • API access tokens with scoped permissions

Session Security

  • Secure session management with automatic timeout
  • Device and session tracking
  • Ability to revoke all sessions
  • Suspicious activity detection and alerts

Application Security

Secure Development

  • Security-focused code review process
  • Automated dependency vulnerability scanning
  • Static application security testing (SAST)
  • Regular security training for development team

OWASP Top 10 Protection

  • Input validation and sanitization
  • Parameterized queries preventing SQL injection
  • XSS protection with Content Security Policy
  • CSRF protection on all state-changing operations
  • Secure file upload handling with type validation

API Security

  • Authentication required for all API endpoints
  • Rate limiting to prevent abuse
  • Request validation and schema enforcement
  • Detailed API access logging

Monitoring & Incident Response

Security Monitoring

  • 24/7 infrastructure monitoring
  • Real-time alerting for security events
  • Automated threat detection and blocking
  • Regular security log analysis

Incident Response

  • Documented incident response procedures
  • Security incident classification and escalation
  • Customer notification within 72 hours of confirmed breach
  • Post-incident analysis and remediation

Audit Logging

  • Comprehensive audit trails for all user actions
  • Immutable log storage
  • Log retention per compliance requirements
  • Audit log export for Enterprise customers

Compliance & Certifications

RoadAsset is designed to help you meet regulatory requirements:

Data Protection

  • GDPR compliant
  • Malaysia PDPA compliant
  • Data Processing Agreements available

Infrastructure

  • SOC 2 Type II (via providers)
  • ISO 27001 (via providers)
  • PCI DSS compliant infrastructure

Enterprise and Government customers can request compliance documentation and complete security questionnaires. Contact security@roadasset.app.

Vulnerability Disclosure

We appreciate the security research community's efforts in helping keep RoadAsset secure. If you discover a security vulnerability, please report it responsibly.

Reporting Process

  • Email security vulnerabilities to security@roadasset.app
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to investigate and fix
  • Do not publicly disclose until we've addressed the issue

We Commit To:

  • Acknowledge receipt within 48 hours
  • Provide regular updates on remediation progress
  • Not pursue legal action against good-faith researchers
  • Credit researchers in our security acknowledgments (if desired)

Related Policies

This Security Policy should be read in conjunction with our other policies:

Security Contact

For security-related inquiries or to report a vulnerability:

Security Team: security@roadasset.app

General Inquiries: /contact
