Security Policy

Version 3.0. Applies to all Trusted Rw users globally.

Last updated:

1. Overview and Platform Commitments

Security is a shared responsibility between Trusted Rw and the people who use the platform. This policy describes the technical and organisational controls we apply to protect your data and account, and the controls we ask you to maintain on your side.

Our security commitments to you

We apply industry-standard encryption to data in transit and at rest. We enforce least-privilege access for all internal systems. We log security-relevant events and review them regularly. We notify affected users promptly following any confirmed data breach. We patch known critical vulnerabilities within defined response windows. We do not sell your data and do not grant third parties access to your account without legal compulsion or your explicit written consent.

2. Encryption

Data in transit

All communication between your browser and Trusted Rw servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on every endpoint. HTTP requests are redirected automatically to HTTPS. HSTS headers are set to prevent protocol downgrade attacks.

Data at rest

Sensitive fields in the database (including authentication tokens, payment references, and identity-verification evidence) use application-level encryption in addition to underlying disk encryption. Database backups are encrypted before being written to storage.

Password storage

Passwords are never stored in plaintext. We use strong adaptive hashing with per-user salts, which is resistant to brute-force and rainbow-table attacks. We do not store your original password in any form after hashing is complete.

3. Authentication Security

We implement multiple layers of authentication protection:

Control	Description
Email and password login	Passwords must meet minimum strength requirements. Failed login attempts trigger progressive rate-limiting. Accounts are temporarily locked after repeated failures to prevent credential stuffing.
Multi-factor authentication (MFA)	Email-based one-time PIN MFA is available and encouraged. Sensitive account actions (password change, account deletion, payment method changes) may require MFA re-verification regardless of session age.
Google Sign-In (OAuth 2.0)	We use the OAuth 2.0 authorisation code flow. We do not receive or store your Google password. Access tokens are short-lived and scoped only to the data fields required for account creation and sign-in. Token revocation is attempted on account deletion.
Session management	Sessions use cryptographically random identifiers stored in HttpOnly, Secure, SameSite=Lax cookies. Sessions expire after a configurable inactivity period. Signing out invalidates the server-side session immediately.
CSRF protection	Every state-changing request requires a valid CSRF token bound to the user session. This prevents cross-site request forgery on all form submissions and API calls.
Login hint cookie	The `trusted_g_hint` cookie stores only display name and email for UI convenience. It contains no credential, no access token, and cannot be used to sign in. It is readable by JavaScript only on trusted.rw and is cleared immediately if a different account is chosen.

4. Access Control and Least Privilege

Access to production systems and user data is restricted to personnel with a documented operational need. We apply the following controls:

Role-based access: Internal staff roles are defined with the minimum permissions required for each function. Developers do not have default access to production databases. Support staff access only the data fields necessary to resolve a reported issue.
Privileged access review: Administrative permissions are reviewed at least quarterly. Permissions are revoked promptly when a team member changes role or leaves the organisation.
Two-factor authentication for staff: All team members with access to production infrastructure are required to use MFA. Strong cryptographic authentication is required for all server and infrastructure access.
No shared credentials: All access is individual and traceable. Shared passwords or service accounts with broad permissions are not permitted.
Vendor access: Third-party vendors with any access to our infrastructure are bound by data processing agreements that include security requirements consistent with this policy.

5. Infrastructure Security

Network controls

Production servers operate behind firewalls and reverse proxies. Only ports required for public web traffic are exposed. Administrative interfaces require additional authentication controls and are not accessible over the public internet.

Dependency and patch management

We track dependencies with known CVEs and apply security patches according to the following schedule:

Severity	Remediation priority
Critical	Treated as an emergency. Remediation begins immediately upon confirmation and is prioritised above all other work until resolved.
High	Addressed as a high priority within the current development cycle. Mitigating controls are applied if a full patch cannot be deployed immediately.
Medium	Scheduled for the next available release cycle. Risk is tracked and mitigated as needed until resolved.
Low	Assessed and addressed in the next planned maintenance window based on overall risk posture.

Container and deployment security

Application environments use minimal, hardened configurations. Secrets are injected at runtime and are never stored in version-controlled files or deployment artifacts. All deployment artifacts are scanned for known vulnerabilities before promotion to production.

6. Audit Logging and Monitoring

We log security-relevant events to support traceability, incident investigation, and compliance review. Logs are stored separately from the primary application database, protected from modification, and retained for a minimum of 12 months.

Event category	Examples of logged events
Authentication events	Successful login, failed login attempts, password changes, MFA enrolment and verification, account lockout triggers, session creation and destruction
OAuth and token events	Google OAuth flow initiation, token exchange, token revocation on sign-out or account deletion
Account lifecycle events	Account creation, email change, account deletion request, deletion completion, data export requests
Administrative actions	Staff privilege grants and revocations, content moderation actions, data access by support staff
Security exceptions	CSRF validation failures, rate-limit triggers, suspicious request patterns flagged by application-layer controls

Logs are monitored for anomalies. Automated alerts are configured for critical event patterns including repeated authentication failures, privilege escalation attempts, and abnormal data-export volumes.

7. Incident Response

We maintain a documented incident response plan. All security incidents follow this structured lifecycle:

Detection: Automated alerts, user reports, or security monitoring surface a potential incident. A designated incident owner is assigned promptly upon detection.
Containment: The affected system, account, or data is isolated. Compromised credentials or sessions are invalidated. External access is blocked as needed to limit spread.
Investigation: Log evidence is preserved. Root cause is determined. The scope of impact (which data, which accounts, what period) is defined before remediation begins.
Remediation: The vulnerability or misconfiguration is fixed. Affected systems are restored from known-good state or rebuilt. Security controls are tested before returning to production.
Notification: We notify affected users within 72 hours of confirming a breach that involves their personal data, consistent with Rwanda Law No. 058/2021 and GDPR obligations. Notifications include what happened, what data was involved, and what action (if any) you should take.
Post-incident review: A written post-incident report is completed within 14 days. Lessons learned are incorporated into updated controls and this policy where relevant.

8. Data Deletion and Token Revocation

You may request deletion of your account and associated data at any time through account privacy controls or by contacting privacy@trusted.rw. The following applies to all deletion requests:

Item	How we handle it
Identity and profile data	Removed from active systems within 30 days of a verified deletion request
Google OAuth linkage	Google token revocation is performed and the OAuth link record is removed from our database. Any `trusted_g_hint` cookie issued for your account is rendered meaningless once the underlying account record is deleted.
Session data	All active sessions are invalidated immediately when a deletion request is confirmed
Audit logs	Security logs may be retained for up to 12 months after deletion for legal compliance and fraud prevention purposes. Retained logs are not used for marketing or profiling.
Backup copies	Deleted records are removed from active databases immediately. Backup sets are rotated on a rolling schedule; deleted data is aged out of all backups within the defined retention window.
Legal hold	Where we are required by law or court order to retain specific records, deletion of those records is deferred only for the legally required period and only to the minimum extent necessary. You will be informed of any such hold to the extent permitted by law.

9. Backup Security

Database and media backups are a critical part of our continuity and recovery posture. The following controls apply to all backup data:

Encryption: Backups are encrypted at rest using strong symmetric encryption. Encryption keys are stored separately from the backup data and rotated on a scheduled basis.
Access restriction: Backup storage is not publicly accessible. Access is limited to the automated backup service account and authorised operations personnel. All access is logged.
Integrity verification: Backup restoration is tested on a regular schedule to confirm recoverability. Corrupted or incomplete backups are flagged and replaced automatically.
Retention limits: Backups are retained only as long as operationally necessary. Older backup sets are deleted according to a defined rotation schedule. Retained backup data is subject to the same data minimisation requirements as live data.
Geographic separation: Where infrastructure permits, backups are stored in a physically separate location from primary application servers to protect against localised failure.

10. User Security Controls

Your account security depends in part on choices you make. The following controls are available to all registered users:

Control	What it does	Where to find it
Strong password	Choose a unique password not reused across other sites. Use a password manager. Passwords should be at least 12 characters with mixed character types.	Account settings
Email MFA	Adds a one-time PIN sent to your email address as a second factor before sign-in completes. Recommended for all accounts.	Security settings
Active session review	View all active sessions tied to your account. Revoke any session you do not recognise immediately.	Security settings
Google account link review	View and disconnect your linked Google account. Disconnecting ends future Google-based sign-in without deleting your Trusted Rw account.	Account settings
Account deletion	Permanently removes your account, profile, and personal data within 30 days. This action is irreversible once confirmed.	Privacy settings
Data export	Download a copy of your personal data in portable format before deletion or for your own records.	Privacy settings

Your responsibilities: You are responsible for keeping your password confidential, signing out of shared devices, and reporting suspicious account activity promptly to security@trusted.rw. Trusted Rw staff will never ask for your password by email, phone, or message.

11. Responsible Disclosure

If you discover a security vulnerability in Trusted Rw, we ask that you report it to us responsibly before public disclosure. We are committed to the following process:

Send details of the vulnerability to security@trusted.rw with enough information to reproduce the issue (steps to reproduce, affected URL or feature, impact assessment, and any proof-of-concept).
We will acknowledge your report within 3 business days and provide an initial severity assessment within 7 business days.
We will keep you informed of our remediation progress and notify you when the issue is resolved.
We will not pursue legal action against researchers who report vulnerabilities in good faith, provided the research does not involve accessing, modifying, or deleting user data beyond what is necessary to demonstrate the issue, and does not degrade service availability.
We recognise researchers who responsibly disclose verified vulnerabilities with public credit (where the researcher wishes to be named) upon fix deployment.

Out of scope: social engineering of Trusted Rw staff or users, physical security testing, denial-of-service testing, and automated high-volume scanning without prior written agreement.

12. Third-Party and Supply Chain Security

We rely on a limited number of third-party services and open-source libraries. For each, we apply the following controls:

Vendor assessment: Third-party services that process personal data are evaluated for security posture before onboarding. We review their published security policies and data processing agreements.
Contractual obligations: Data processors are bound by data processing agreements that impose security requirements at least as stringent as those in this policy.
Dependency scanning: Open-source dependencies are scanned for known vulnerabilities using automated tooling. Dependencies with known critical CVEs are remediated before deployment.
Minimal integration surface: Third-party scripts and SDKs are granted only the permissions they require. We do not grant third parties unrestricted access to our database, user records, or internal APIs.
Google API compliance: Our use of Google Sign-In complies with the Google API Services User Data Policy. We request only the minimum OAuth scopes required (email and profile). We do not transfer Google user data to third parties except as necessary to provide the service.

13. Changes to This Policy

We may update this Security Policy to reflect changes in our infrastructure, threat landscape, legal obligations, or security practices. When we make material changes we will:

Update the "Last updated" date at the top of this page.
Post a platform notice for at least 14 days before material changes take effect.
Notify registered users by email when changes significantly affect the security controls protecting their accounts or data.

Continued use of the platform after notice is given constitutes acknowledgement of the updated policy. If a change reduces the security protections you rely on, you may close your account before the change takes effect.

14. Contact

For security-related inquiries, vulnerability reports, or breach notifications, contact us at:

Security issues: security@trusted.rw
Privacy and data requests: privacy@trusted.rw
Postal address: Trusted Rw, Kigali, Rwanda
Response time: Security reports acknowledged within 3 business days. General inquiries within 30 days.

If you believe your account has been compromised, contact us immediately. We will prioritise account recovery and incident containment. You may also lodge a complaint with the Rwanda National Cyber Security Authority (NCSA) if you believe your data security rights have been violated.

15. Change History

Version	Date	Summary of changes
3.0		Full rewrite. Added encryption controls, authentication security table, access control framework, infrastructure patching schedule, audit logging table, incident response lifecycle, deletion and token revocation table, backup security controls, user security controls guide, responsible disclosure programme, third-party supply chain controls, and NCSA complaint right. Aligned with Rwanda Law No. 058/2021 and Google API Services User Data Policy.
2.0	2025	Added Google OAuth token revocation on deletion, MFA email controls, and session management detail.
1.0	2024	Initial policy. Covered data deletion, retention, encryption, and incident response at a high level.

Go Back | Home