🛡️ AutoCycle

Security Policy

Protecting your data and our systems to the highest security standards

Effective Date: February 2026 | Scope: Employees, partners, and all system users

1. Introduction

AutoCycle ("we," "us," "our," or "Company") is committed to maintaining the highest standards of security and protecting the confidentiality, integrity, and availability of all information systems and data. This Security Policy outlines our comprehensive approach to information security, covering both customer-facing practices and internal security procedures.

2. Security Governance

Security Organization

  • Chief Information Security Officer (CISO): Responsible for overall security strategy and compliance
  • Security Team: Implements security policies and responds to incidents
  • IT Department: Manages infrastructure and system security
  • Compliance Team: Ensures regulatory compliance and audits
  • All Employees: Responsible for following security policies and reporting issues
3. Data Encryption

🔒 Encryption in Transit

  • TLS 1.2 or higher protocol
  • 256-bit encryption for all web traffic
  • Valid SSL certificates from trusted CAs
  • Certificates renewed before expiration
  • Green padlock icon confirms secure connection

🛡️ Encryption at Rest

  • AES-256 for all sensitive data in databases
  • Sensitive files encrypted on storage systems
  • All backup copies encrypted
  • Encryption keys stored securely with restricted access
  • Key rotation at minimum annually

💳 Payment Data Encryption

  • Full PCI DSS compliance
  • Credit card details NOT stored by AutoCycle
  • Paymob handles all payment data
  • Payment tokens used instead of actual card numbers
  • Payment data transmitted through encrypted channels only
4. Authentication & Access Control

User Authentication

  • Password Requirements: Minimum 12 characters, mix of uppercase, lowercase, numbers, symbols
  • Password Expiration: Every 90 days
  • Password History: System prevents reuse of last 5 passwords
  • Account Lockout: Locked after 5 failed attempts for 30 minutes

Multi-Factor Authentication (MFA)

  • All administrative accounts require MFA
  • MFA Methods: TOTP, SMS, email verification
  • Users provided with backup codes for account recovery
  • MFA devices registered and tracked for security

Access Control

  • Role-Based Access Control (RBAC) — specific permissions per role
  • Principle of Least Privilege — minimum permissions needed
  • User access reviewed quarterly
  • Segregation of duties to prevent unauthorized actions
  • All access attempts logged and monitored

Session Management

  • Session Timeout: 30 minutes of inactivity
  • Concurrent Sessions: Maximum 3 concurrent sessions
  • Session Invalidation: Upon logout or password change
  • Secure Cookies: Marked with the Secure and HttpOnly flags
5. Network Security

🔥 Firewall Protection

  • Multi-layered firewall protection
  • Only necessary ports allowed inbound
  • Outbound traffic monitored and restricted
  • All firewall events logged
  • Tested quarterly for effectiveness

🔎 Intrusion Detection & Prevention (IDS/IPS)

  • Real-time network traffic monitoring
  • Attack pattern database regularly updated
  • Automatic blocking of suspicious traffic
  • Immediate alerts to security team for threats

🛡️ DDoS Protection

  • Advanced DDoS protection services
  • Malicious traffic filtered before reaching infrastructure
  • Rate limiting per source to prevent flooding
  • Automatic failover to backup systems during attacks

🔐 VPN & Secure Remote Access

  • All remote access requires VPN connection
  • VPN encrypted using IKEv2 or OpenVPN
  • VPN authentication: username + password + MFA
  • All VPN connections logged and monitored
6. Endpoint Security

🦠 Antivirus & Malware Protection

  • Enterprise-grade antivirus on all devices
  • Real-time scanning of all files and processes
  • Virus signatures updated daily
  • Detected threats automatically quarantined

💻 Device Hardening

  • OS configured with security best practices
  • Only required services enabled
  • Security patches applied promptly
  • Full-disk encryption (BitLocker / FileVault)

📱 Mobile Device Security

  • All mobile devices enrolled in MDM
  • Device encryption enabled
  • Screen lock with PIN or biometric
  • Remote wipe capability if device is lost
7. Application Security

Secure Development

  • Developers trained in secure coding standards
  • Code reviewed by senior developers before deployment
  • All user inputs validated and sanitized
  • All outputs encoded to prevent injection attacks
  • Errors handled securely without exposing sensitive info

Web Application Security (OWASP Top 10)

  • Protected against OWASP Top 10 vulnerabilities
  • Parameterized queries to prevent SQL injection
  • Input validation & output encoding to prevent XSS
  • CSRF tokens for state-changing operations
  • Security headers (CSP, X-Frame-Options, etc.)

API Security

  • All APIs require authentication (API keys, OAuth tokens)
  • Rate limiting to prevent abuse
  • All API inputs validated and sanitized
  • All API calls logged for audit and monitoring
8. Data Security

Data Classification

  • Public: Marketing materials, public documentation — freely shareable
  • Internal: Policies, procedures, internal communications — internal use only
  • Confidential: Financial data, strategic plans, customer lists
  • Restricted: Personal data, payment data, credentials — strict controls required

Data Backup & Recovery

  • Backup Frequency: Daily for all critical systems and data
  • Backup Encryption: All backups encrypted with strong algorithms
  • Backup Storage: Geographically diverse locations
  • Backup Testing: Monthly restore tests
  • Recovery Time Objective (RTO): Critical systems recovered within 4 hours
  • Recovery Point Objective (RPO): Data loss limited to maximum 1 hour
9. Security Audits & Testing

📋 Regular Security Audits

  • Quarterly audits of all systems and processes
  • Internal audits by security team
  • Annual independent external audits
  • Detailed reports with findings and recommendations

🔍 Vulnerability Scanning

  • Weekly automated scans of all systems
  • Network infrastructure scanning
  • Web app scanning for OWASP Top 10 vulnerabilities
  • Database scanning for misconfigurations

⚔️ Penetration Testing

  • Professional penetration testing annually
  • Covers network, applications, physical security
  • Follows OWASP and NIST methodologies
  • All critical findings remediated before next test

Security Compliance Assessment

  • Annual PCI DSS compliance assessment
  • Alignment with ISO 27001 standards
  • Compliance with applicable Egyptian regulations
  • Regular compliance reports to management
10. Employee Security Training

Security Awareness Training

  • Mandatory annual training for all employees
  • Topics: Password security, phishing, social engineering, data protection
  • New employees complete training within first 30 days
  • Additional training for roles with elevated security responsibilities

Phishing Awareness & Simulation

  • Monthly simulated phishing emails to employees
  • Training on how to report suspected phishing emails
  • Phishing click rates and reporting rates tracked
  • Employees who click phishing links receive additional training

Secure Development Training

  • Developers trained on secure coding and OWASP Top 10
  • Annual security training refresher for all developers
  • Code reviewers trained on security review techniques
  • Training on use of security testing tools
11. Incident Management & Response

Step 1: Detection & Reporting (Within 1 Hour)

  • Detected via monitoring systems or user reports
  • Incident assessed for severity and impact
  • Classified: Critical, High, Medium, Low
  • Logged in incident management system
Step 2: Containment & Isolation (Immediately)

  • Immediate steps to contain and limit incident impact
  • Affected systems isolated to prevent spread
  • Unauthorized access revoked and credentials reset
  • All evidence preserved and documented
Step 3: Investigation & Analysis (Days 1-7)

  • Digital forensics if data breach suspected
  • Root cause analysis of incident
  • Detailed investigation report generated
  • Systems restored from clean backups
Step 4: Post-Incident Activities (Days 7-30)

  • Post-incident review for lessons learned
  • Security processes improved based on findings
  • Preventive measures implemented to avoid recurrence
  • Stakeholders informed of resolution and improvements
12. Third-Party & Vendor Security

  • Comprehensive security assessment before vendor engagement
  • All vendor contracts include comprehensive security and data protection clauses
  • Vendors required to notify us immediately of any security breaches
  • Continuous monitoring of vendor security practices and annual reviews
  • Vendors granted access only to data required for their service delivery
  • Data deletion required upon contract termination
13. Physical Security

🚪 Facility Access Control

  • Access cards to enter secure facilities
  • Visitors sign in and wear visitor badges
  • Visitors escorted by employee at all times
  • All facility access logged and monitored

📹 Surveillance & Monitoring

  • CCTV cameras in all secure areas
  • Continuous recording retained for 90 days
  • 24/7 security monitoring center
  • Alarm systems installed and monitored 24/7

🖥️ Server Room Security

  • Server rooms locked and access restricted
  • Temperature and humidity controlled
  • Fire suppression systems installed
  • UPS and backup generators installed
14. Business Continuity & Disaster Recovery

Business Continuity Plan

  • Covers critical business functions and recovery procedures
  • Business functions prioritized by criticality
  • Communication procedures during business disruption
  • Procedures for operating from alternate locations
  • Business continuity plan tested annually

Disaster Recovery Plan

  • RTO: Critical systems recovered within 4 hours
  • RPO: Data loss limited to maximum 1 hour
  • Backup systems maintained and tested regularly
  • Alternate data center for critical systems
  • Monthly failover tests
15. Compliance & Regulatory

  • Egyptian Regulations: Data protection & privacy laws
  • PCI DSS: Payment Card Industry Data Security Standard
  • ISO 27001: Information Security Management
  • Industry Standards: Applicable best practices

16. Security Contact Information

🚨 Incident Reporting

📧 incidents@autocycle.com.eg

📞 Security Hotline: +201551911115

🕐 24/7 Security Operations Center

🔐 Vulnerability Disclosure & Security Contact

📧 CISO: ciso@autocycle.com.eg

📧 Security Team: security@autocycle.com.eg

Mark the email subject as "Security Vulnerability"

17. Policy Review & Updates

  • Security policy reviewed and updated annually
  • Changes follow a formal change management process
  • Policy reviewed by security team, IT, management, and legal
  • Policy updates require approval from CISO and management
  • Policy updates communicated to all employees and stakeholders