Data Security Policy

How We Protect Your Information

Last Updated: October 5, 2025

At CSE Investing LK, we take the security of your data seriously. This Data Security Policy outlines the technical and organizational measures we implement to protect your personal information, financial data, and portfolio records from unauthorized access, loss, or misuse.

Security Limitation: While we implement robust security measures, no system is 100% secure. We cannot guarantee absolute security against all possible threats. By using our service, you acknowledge and accept this inherent risk.

1. Authentication & Access Control

User Authentication

  • Password Hashing: All passwords are hashed with bcrypt, which generates a unique random salt for every password; the stored hash cannot be reversed to recover the password
  • No Plain Text Storage: Passwords are never stored in plain text or with reversible encryption
  • Session Management: Secure PHP sessions with server-side validation
  • Automatic Timeout: Sessions expire after a period of inactivity, limiting how long an unattended session can be used by someone else
  • Login Validation: Multiple failed login attempts are logged for security monitoring
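The authentication points above, as an added example in PHP. This is illustrative code, not the CSE Investing LK code base: the cost factor 12 is the one the policy states, while the 15-minute idle limit, the helper names (`hash_password`, `verify_login`, `rehash_if_needed`, `start_secure_session`, `login_user`, `require_session`) and the log format are assumptions. It also shows two details the bullets do not mention: verifying against a dummy hash for unknown users so response time does not reveal which usernames exist, and sanitising the username before it reaches the log.

```php
<?php
// Added example (not the project's code). Requires PHP 7.4+ for ??= and array cookie params.
declare(strict_types=1);

const BCRYPT_COST  = 12;    // cost factor stated in the policy
const IDLE_TIMEOUT = 900;   // assumed: 15 minutes of inactivity

/** Hash a password for storage. bcrypt creates and embeds a random salt itself. */
function hash_password(string $password): string
{
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
}

/** Check a login attempt; on failure, write a log line for monitoring and return false. */
function verify_login(string $username, string $password, ?string $storedHash): bool
{
    static $dummyHash = null;
    $dummyHash ??= hash_password('dummy-for-timing-only');
    // Always run password_verify (constant-time), so an unknown user costs the same as a known one.
    $ok = password_verify($password, $storedHash ?? $dummyHash) && $storedHash !== null;
    if (!$ok) {
        $safeUser = preg_replace('/[^\w@.-]/', '_', $username);   // no newlines into the log
        error_log(sprintf('login failure user=%s ip=%s', $safeUser, $_SERVER['REMOTE_ADDR'] ?? 'cli'));
    }
    return $ok;
}

/** After a successful login: a fresh hash if the stored one was made with a lower cost. */
function rehash_if_needed(string $password, string $storedHash): ?string
{
    return password_needs_rehash($storedHash, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])
        ? hash_password($password)
        : null;
}

/** Start a hardened session; call before any output. */
function start_secure_session(): void
{
    session_set_cookie_params([
        'lifetime' => 0,        // cookie is discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // sent over HTTPS only
        'httponly' => true,     // not readable from JavaScript
        'samesite' => 'Lax',    // not sent on most cross-site requests
    ]);
    ini_set('session.use_strict_mode', '1');   // refuse session ids the server did not issue
    session_start();
}

/** Bind the session to the user after verify_login() succeeded. */
function login_user(int $userId): void
{
    session_regenerate_id(true);   // new id on privilege change defeats session fixation
    $_SESSION['user_id']   = $userId;
    $_SESSION['last_seen'] = time();
}

/** Server-side validation on every request: returns the user id or ends the request. */
function require_session(): int
{
    if (!isset($_SESSION['user_id'], $_SESSION['last_seen'])) {
        http_response_code(401);
        exit('Authentication required');
    }
    if (time() - $_SESSION['last_seen'] > IDLE_TIMEOUT) {
        $_SESSION = [];
        session_destroy();
        http_response_code(401);
        exit('Session expired');
    }
    $_SESSION['last_seen'] = time();
    return (int) $_SESSION['user_id'];
}

// Usage at login, assuming $row was fetched by username (null when the user does not exist):
//   if (verify_login($username, $password, $row['password_hash'] ?? null)) {
//       if ($new = rehash_if_needed($password, $row['password_hash'])) { /* persist $new */ }
//       login_user((int) $row['id']);
//   }
```

Note that bcrypt only uses the first 72 bytes of the password; longer input is silently truncated, which is harmless for verification but worth knowing when you set a maximum length.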

Access Control

  • User Isolation: Each user can only access their own portfolio data
  • Role-Based Access: Separate admin and user roles with different permission levels
  • API Authentication: All API endpoints require valid session authentication
  • SQL Injection Prevention: Prepared statements and parameterized queries protect against SQL injection attacks

2. Data Encryption & Protection

Data at Rest

  • Database Security: MySQL database with restricted access credentials
  • Password Hashing: bcrypt with a cost factor of 12 for password storage (a one-way hash, not encryption: there is no key that could reverse it)
  • File Permissions: Strict file and directory permissions on the server
  • Secure Configuration: Database credentials stored in protected configuration files

Data in Transit

  • HTTPS Recommended: SSL/TLS encryption should be enabled for all data transmission
  • Secure Headers: HTTP security headers to prevent common attacks
  • API Security: JSON-based API with authentication validation

Note: HTTPS/SSL implementation depends on hosting configuration. Contact your administrator to ensure SSL is properly configured.
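What the data-in-transit bullets look like at the application layer, as an added example rather than the project's own code: an HTTPS redirect, a set of response headers, and the authentication check for JSON API endpoints. The function names, the CDN host list in the Content-Security-Policy, and the assumption that `X-Forwarded-Proto` is set by a trusted reverse proxy are all mine; if no proxy sits in front of PHP, drop that branch, because a client can send the header itself.

```php
<?php
// Added example (not the project's code): transport hardening for a PHP front controller.
declare(strict_types=1);

/** Redirect plain-HTTP requests to HTTPS. Relies on the hosting layer for the certificate. */
function enforce_https(): void
{
    $isHttps = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        // Only trust this header when a reverse proxy you control terminates TLS (assumption).
        || ($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https';
    if (!$isHttps) {
        $host = $_SERVER['HTTP_HOST'] ?? 'localhost';
        header('Location: https://' . $host . ($_SERVER['REQUEST_URI'] ?? '/'), true, 301);
        exit;
    }
}

/** Security headers sent with every response. */
function send_security_headers(): void
{
    // Browsers remember to use HTTPS for a year; only enable once HTTPS works everywhere.
    header('Strict-Transport-Security: max-age=31536000; includeSubDomains');
    header('X-Content-Type-Options: nosniff');          // no MIME sniffing of responses
    header('X-Frame-Options: DENY');                    // no framing (clickjacking)
    header('Referrer-Policy: strict-origin-when-cross-origin');
    // Hosts assumed for illustration: use the CDN hosts your pages actually load from.
    // The stock Alpine.js build evaluates expressions with new Function and needs 'unsafe-eval'
    // (its CSP build does not); the Tailwind Play CDN injects a <style> tag, hence 'unsafe-inline'.
    $cdn = 'https://cdn.tailwindcss.com https://cdn.jsdelivr.net https://cdnjs.cloudflare.com';
    header("Content-Security-Policy: default-src 'self'; "
        . "script-src 'self' 'unsafe-eval' $cdn; "
        . "style-src 'self' 'unsafe-inline' $cdn; "
        . "font-src 'self' $cdn; img-src 'self' data:; "
        . "frame-ancestors 'none'; form-action 'self'");
}

/** JSON API endpoints: same session check as pages, but answer in JSON instead of redirecting. */
function api_require_auth(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(401);
        header('Content-Type: application/json');
        exit(json_encode(['error' => 'authentication required']));
    }
    return (int) $_SESSION['user_id'];
}

// Usage at the top of the front controller, before any output:
//   enforce_https();
//   send_security_headers();
//   session_start();              // with the cookie flags set beforehand
//   $userId = api_require_auth(); // on /api/* routes
```

Check the resulting policy in the browser console before deploying it: a too-strict CSP breaks the CDN-loaded scripts and styles silently for users while showing only console errors to you.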

3. Database Security

SQL Injection Prevention

  • PDO prepared statements
  • Parameterized queries
  • Input sanitization
  • Type validation
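The SQL injection and user isolation points made in the Access Control list of section 1 and again here, as one added PHP example that is not the project's code. It puts an intentionally vulnerable query next to the prepared-statement version to show what the placeholder actually prevents, and scopes every query by the `user_id` taken from the session rather than from the request. The table layout (`transactions` with `id`, `user_id`, `symbol`, `quantity`, `price`), the config file path and the ticker pattern are assumptions.

```php
<?php
// Added example (not the project's code): PDO prepared statements plus per-user row scoping.
declare(strict_types=1);

/** One PDO connection per request; credentials live in a config file outside the web root. */
function db(): PDO
{
    static $pdo = null;
    if ($pdo === null) {
        // Assumed layout: returns ['dsn' => 'mysql:host=...;dbname=...;charset=utf8mb4', 'user' => ..., 'pass' => ...]
        $cfg = require __DIR__ . '/../config/db.php';
        $pdo = new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
            PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares, values never touch the SQL text
            PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
        ]);
    }
    return $pdo;
}

// VULNERABLE, kept for contrast: the value becomes part of the SQL text.
// symbol = "' OR '1'='1" turns the WHERE clause into (user_id = 7 AND symbol = '') OR '1'='1',
// which returns every user's transactions.
function find_transactions_unsafe(int $userId, string $symbol): array
{
    $sql = "SELECT * FROM transactions WHERE user_id = $userId AND symbol = '$symbol'";
    return db()->query($sql)->fetchAll();
}

// SAFE: type validation first, then placeholders; user_id always comes from the session.
function find_transactions(int $userId, string $symbol): array
{
    // Assumed ticker shape (e.g. JKH.N0000); anything else is rejected before the query.
    if (!preg_match('/^[A-Z0-9.]{1,20}$/', $symbol)) {
        throw new InvalidArgumentException('invalid symbol');
    }
    $stmt = db()->prepare(
        'SELECT id, symbol, quantity, price FROM transactions WHERE user_id = :uid AND symbol = :sym'
    );
    $stmt->execute([':uid' => $userId, ':sym' => $symbol]);
    return $stmt->fetchAll();
}

// Deleting a record: scoping by user_id means a guessed or tampered id cannot reach another user's row.
function delete_transaction(int $userId, int $txId): bool
{
    $stmt = db()->prepare('DELETE FROM transactions WHERE id = :id AND user_id = :uid');
    $stmt->execute([':id' => $txId, ':uid' => $userId]);
    return $stmt->rowCount() === 1;   // false when the row belongs to someone else or does not exist
}

// Usage in a handler, with $userId from the session check rather than from a form field:
//   $rows = find_transactions($userId, $_GET['symbol'] ?? '');
//   $deleted = delete_transaction($userId, (int) ($_POST['id'] ?? 0));
```

The database account these queries run under should hold only the privileges the application needs (SELECT, INSERT, UPDATE, DELETE on its own schema), so that even a successful injection elsewhere cannot read other databases or write files.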

Access Restrictions

  • Limited database user privileges
  • No direct database access for users
  • Separate credentials per environment
  • Regular credential rotation recommended

Backup & Recovery

  • Regular automated backups
  • Secure backup storage
  • Point-in-time recovery capability
  • Backup encryption recommended

Monitoring

  • Error logging and tracking
  • Access logs maintained
  • Unusual activity detection
  • Performance monitoring

4. Application Security

Secure Coding Practices

  • Input Validation: All user inputs are validated and sanitized before processing
  • Output Encoding: Data is properly encoded before display to prevent XSS attacks
  • CSRF Protection: Anti-CSRF tokens bound to the user's session are checked on state-changing requests to prevent cross-site request forgery
  • Error Handling: Secure error handling without exposing sensitive information
  • Code Review: Regular code audits and security assessments
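The output encoding, CSRF protection and error handling bullets, as an added PHP example that is not the project's code. The helper names (`csrf_token`, `csrf_field`, `require_csrf`, `e`, `handle_error`) and the choice of a per-session token sent as a hidden field or an `X-CSRF-Token` header are assumptions; the example assumes a session has already been started.

```php
<?php
// Added example (not the project's code): session-bound CSRF token, HTML output encoding,
// and an exception handler that logs details without showing them to the user.
declare(strict_types=1);

/** Return the session's CSRF token, creating it once per session. */
function csrf_token(): string
{
    if (empty($_SESSION['csrf_token'])) {
        $_SESSION['csrf_token'] = bin2hex(random_bytes(32));   // 256 bits from the CSPRNG
    }
    return $_SESSION['csrf_token'];
}

/** Hidden input for HTML forms. */
function csrf_field(): string
{
    return '<input type="hidden" name="csrf_token" value="' . e(csrf_token()) . '">';
}

/** Reject state-changing requests that do not carry a matching token. */
function require_csrf(): void
{
    if (in_array($_SERVER['REQUEST_METHOD'] ?? 'GET', ['GET', 'HEAD', 'OPTIONS'], true)) {
        return;   // safe methods must not change state, so they carry no token
    }
    $sent = $_POST['csrf_token'] ?? $_SERVER['HTTP_X_CSRF_TOKEN'] ?? '';
    // hash_equals is constant-time; comparing with == would also accept non-strings.
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

/** Encode untrusted text for an HTML body or a quoted attribute value. */
function e(?string $value): string
{
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

/** Uncaught exceptions: full detail to the server log, a generic message to the user. */
function handle_error(Throwable $ex): void
{
    error_log(sprintf('%s: %s at %s:%d', get_class($ex), $ex->getMessage(), $ex->getFile(), $ex->getLine()));
    http_response_code(500);
    exit('Something went wrong. Please try again later.');   // no stack trace, no SQL, no paths
}

// Usage:
//   ini_set('display_errors', '0'); set_exception_handler('handle_error');
//   require_csrf();                       // first line of any POST handler
// In a template, for a note the user typed and a delete form:
//   <td><?= e($row['note']) ?></td>
//   <form method="post" action="/transaction/delete"><?= csrf_field() ?> ... </form>
```

`e()` is only correct for HTML body and attribute contexts; a value placed inside a `<script>` block or a URL needs its own encoding (`json_encode` with the hex flags, or `rawurlencode`), which is the usual place this kind of helper gets misused.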

Vulnerability Management

  • Dependency Updates: Third-party libraries kept up-to-date
  • Security Patches: Prompt application of security updates
  • Vulnerability Scanning: Regular security assessments
  • Bug Reporting: Responsible disclosure process for security issues

5. File Upload Security

For payment slips and transaction documents:

  • File Type Validation: Only approved file types (JPG, PNG, PDF) are accepted
  • File Size Limits: Maximum file size restrictions to prevent abuse
  • Content Validation: Files are scanned and validated before storage
  • Secure Storage: Uploaded files stored outside web root when possible
  • Access Control: Users can only access their own uploaded files
  • Filename Sanitization: Original filenames are sanitized and made unique
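The six upload rules above carried through in one added PHP example, not the project's own upload handler. The upload directory, the 5 MB cap (the policy gives no number), the per-user subdirectory layout and the function names are assumptions. Content validation here means sniffing the bytes with `finfo` and, for images, checking that they decode, rather than trusting the extension or the client-supplied MIME type; files are served back through PHP so the ownership check cannot be bypassed with a direct URL.

```php
<?php
// Added example (not the project's code): validating and storing a payment slip, then serving it
// back only to its owner.
declare(strict_types=1);

const UPLOAD_DIR       = '/var/app/uploads';   // assumed: outside the document root
const MAX_UPLOAD_BYTES = 5 * 1024 * 1024;      // assumed cap

// Allowed sniffed content types, mapped to the extension the file is stored under.
const ALLOWED_TYPES = [
    'image/jpeg'      => 'jpg',
    'image/png'       => 'png',
    'application/pdf' => 'pdf',
];

/**
 * Validate one entry of $_FILES and move it into the user's directory.
 * Returns the stored filename; throws on any validation failure.
 */
function store_payment_slip(array $file, int $userId): string
{
    // 1. PHP-level upload status (partial upload, php.ini size limits, no file)
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed with code ' . (int) ($file['error'] ?? -1));
    }
    // 2. Size limit, measured on the temp file rather than the client-reported size
    if (filesize($file['tmp_name']) > MAX_UPLOAD_BYTES) {
        throw new RuntimeException('file too large');
    }
    // 3. Content sniffing: trust the bytes, not $file['type'] or the original extension
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED_TYPES[$mime])) {
        throw new RuntimeException('unsupported file type: ' . $mime);
    }
    // 4. Images must actually decode (PDFs were already matched on their %PDF header by finfo)
    if ($mime !== 'application/pdf' && @getimagesize($file['tmp_name']) === false) {
        throw new RuntimeException('corrupt image');
    }
    // 5. Never reuse the client's filename: random name plus the validated extension
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED_TYPES[$mime];
    $dir  = UPLOAD_DIR . '/' . $userId;
    if (!is_dir($dir) && !mkdir($dir, 0750, true)) {
        throw new RuntimeException('cannot create upload directory');
    }
    // 6. move_uploaded_file refuses any path that was not an HTTP upload in this request
    if (!move_uploaded_file($file['tmp_name'], "$dir/$name")) {
        throw new RuntimeException('could not store file');
    }
    chmod("$dir/$name", 0640);   // not executable, not world-readable
    return $name;
}

/** Serve a slip to its owner. $userId comes from the session, never from the request. */
function send_payment_slip(int $userId, string $name): void
{
    // Stored names are 32 hex chars plus an allowed extension, so anything else is a traversal attempt.
    if (!preg_match('/^[a-f0-9]{32}\.(jpg|png|pdf)$/', $name)) {
        http_response_code(400);
        exit('bad filename');
    }
    $path = UPLOAD_DIR . "/$userId/$name";
    if (!is_file($path)) {
        http_response_code(404);   // same answer whether the file is missing or belongs to someone else
        exit('not found');
    }
    header('Content-Type: ' . (new finfo(FILEINFO_MIME_TYPE))->file($path));
    header('Content-Disposition: attachment; filename="' . $name . '"');
    header('X-Content-Type-Options: nosniff');
    readfile($path);
}

// Usage, with $userId from the session check:
//   $stored = store_payment_slip($_FILES['slip'] ?? [], $userId);   // persist $stored with the transaction
//   send_payment_slip($userId, $_GET['file'] ?? '');
```

Serving with `Content-Disposition: attachment` and `nosniff` matters even after validation: a PNG or PDF can carry embedded HTML or script that a browser would otherwise be tempted to render in the site's origin.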

6. Server & Infrastructure Security

Server Hardening

  • Regular security updates
  • Firewall configuration
  • Unnecessary services disabled
  • Secure SSH access only

Network Security

  • Secure hosting environment
  • DDoS protection measures
  • Network monitoring
  • Isolated database access

7. Data Retention & Secure Deletion

User Control

  • Users can delete individual transactions and records at any time
  • Full account deletion available through user dashboard
  • Clear database function for removing all portfolio data

Deletion Process

  • Deleted data is removed from active database within 24 hours
  • Backup copies may exist for up to 90 days
  • Secure deletion methods prevent recovery from the active database once a record is removed; backup copies age out under the retention period above
  • Confirmation required before irreversible deletions

8. Security Incident Response

In the event of a security breach or data incident:

Our Response Plan

  1. Immediate Action: Contain and isolate the incident to prevent further damage
  2. Assessment: Evaluate the scope and impact of the breach
  3. Notification: Inform affected users within 72 hours of discovery
  4. Remediation: Fix vulnerabilities and strengthen security measures
  5. Documentation: Maintain detailed incident reports
  6. Prevention: Implement measures to prevent similar incidents

Report Security Issues: If you discover a security vulnerability, please report it immediately to niroshlk@gmail.com. We appreciate responsible disclosure and will address issues promptly.

9. Your Security Responsibilities

Security is a shared responsibility. You play a crucial role in protecting your account:

Best Practices for Users

  • Strong Passwords: Use complex passwords with letters, numbers, and special characters
  • Password Uniqueness: Don't reuse passwords from other websites
  • Logout: Always log out when using shared or public computers
  • Secure Devices: Keep your devices and browsers updated with security patches
  • Phishing Awareness: Be cautious of suspicious emails or messages asking for login credentials
  • Monitor Activity: Regularly review your transaction history for any unauthorized changes
  • Report Suspicious Activity: Contact us immediately if you notice unusual account activity

10. Third-Party Services

We use select third-party services for platform functionality:

  • CDN Services: Tailwind CSS, Alpine.js, Font Awesome (served via trusted CDNs)
  • Hosting Provider: Secure hosting infrastructure with industry-standard protections

We carefully vet all third-party providers to ensure they meet our security standards.

11. Compliance & Security Standards

We strive to follow industry best practices and security standards:

  • OWASP Top 10: Protection against common web application vulnerabilities
  • Data Protection Principles: Adherence to data minimization and purpose limitation
  • Secure Development: Following secure coding guidelines and best practices
  • Regular Audits: Periodic security reviews and assessments

12. Policy Updates

We may update this Data Security Policy as we enhance our security measures or in response to changing threats. Significant changes will be communicated to users via email or platform notification.

Contact Security Team

For security-related questions, concerns, or to report vulnerabilities:

Email: niroshlk@gmail.com

Developer: Nirosh Ranathunga

We take security reports seriously and will respond within 48 hours.

Related Documents