Legal Notice

Security Statement

Effective date: 2026-03-01

Company: Asteria Limited (HK)

This Security Statement summarizes ASTERIA KYC’s approach to protecting systems, data, infrastructure, and service operations. ASTERIA KYC is designed for identity verification, KYC, AML workflow support, liveness detection, biometric processing, fraud prevention, risk scoring, case management, API, SDK, and compliance-support use cases.

Security is a shared responsibility. ASTERIA KYC implements safeguards for its Services, while Customers remain responsible for securing their own accounts, integrations, personnel, devices, networks, credentials, and downstream systems.

1. Security Governance

ASTERIA KYC maintains a security governance approach intended to support confidentiality, integrity, availability, privacy, operational resilience, and risk management.

Security responsibilities may include internal policies, access governance, engineering controls, operational monitoring, incident response, vendor review, and periodic improvement of security practices.

2. Access Control

ASTERIA KYC applies access control principles designed to limit access to systems and data based on role, need, and authorization.

Access control practices may include:

  • role-based access permissions
  • least-privilege principles
  • administrative access restrictions
  • account lifecycle management
  • credential protection
  • access review
  • logging of privileged activity
  • separation of duties where appropriate

3. Authentication and Credentials

Customer administrators and users are responsible for protecting login credentials, API keys, tokens, secrets, and other authentication mechanisms.

Customers should use strong passwords, multi-factor authentication where available, secure key storage, credential rotation, and internal access controls.

ASTERIA KYC may suspend or rotate credentials if compromise, leakage, abuse, or unauthorized use is suspected.

4. Data Protection

ASTERIA KYC uses technical and organizational measures designed to protect Customer Data and personal data against unauthorized access, loss, misuse, alteration, or disclosure.

Measures may include encryption in transit, protected storage, network security controls, access restrictions, logging, monitoring, backup controls, and secure operational procedures.

5. Encryption and Transmission Security

ASTERIA KYC aims to protect data in transit using secure transmission protocols where appropriate.

Customers must ensure that their own integrations, endpoints, callback URLs, storage systems, and internal networks are configured securely.

6. Application Security

ASTERIA KYC’s application security approach may include secure development practices, code review, dependency management, vulnerability assessment, testing, environment separation, input validation, authentication controls, authorization controls, logging, and monitoring.

7. Infrastructure Security

Infrastructure security may include secure hosting practices, network controls, environment hardening, system monitoring, patch management, backup procedures, disaster recovery planning, and restricted administrative access.

8. Logging and Monitoring

ASTERIA KYC may collect logs and operational events to support security monitoring, fraud prevention, troubleshooting, auditability, abuse detection, service performance, and incident response.

Logs may include access events, system events, API activity, security alerts, configuration changes, error events, and workflow activity, subject to applicable law and retention policies.

9. Vulnerability Management

ASTERIA KYC aims to identify, assess, prioritize, and remediate vulnerabilities based on risk.

Vulnerability management may include scanning, dependency review, security testing, patching, remediation tracking, and responsible disclosure handling.

Security researchers must follow ASTERIA KYC’s Vulnerability Disclosure Policy and must not conduct disruptive or unauthorized testing.

10. Incident Response

ASTERIA KYC maintains incident response procedures designed to detect, investigate, contain, mitigate, and recover from security incidents.

If a confirmed incident affects Customer-controlled personal data, ASTERIA KYC will notify affected Customers as required by applicable law or agreement.

11. Backup and Recovery

ASTERIA KYC may maintain backup and recovery procedures to support service continuity, data integrity, and resilience.

Backup retention, recovery scope, and restoration timelines may vary depending on service architecture, data type, legal requirements, and operational considerations.

12. Vendor and Subprocessor Security

ASTERIA KYC may use third-party vendors and subprocessors to support hosting, storage, security, monitoring, communications, support, analytics, and operational administration.

Vendor security review may include assessment of confidentiality, security practices, data handling, access controls, and contractual safeguards, where appropriate.

13. Customer Security Responsibilities

Customers are responsible for:

  • securing their own systems and integrations
  • protecting API keys and credentials
  • validating webhooks and callbacks
  • restricting internal user permissions
  • reviewing administrator access
  • securing downloaded reports and exported data
  • implementing endpoint and network security
  • training staff
  • promptly reporting suspected compromise
  • following ASTERIA KYC technical documentation
  • avoiding insecure storage of verification data

14. Secure API Integration

Customers using ASTERIA KYC APIs must implement secure server-side integration practices.

Customers should:

  • keep API keys secret
  • avoid embedding secrets in client-side code
  • validate callback signatures where available
  • use secure transport
  • apply input validation
  • store results securely
  • handle errors safely
  • monitor API activity
  • rotate credentials if compromise is suspected

15. Data Export Risk

Customers may have the ability to export verification results, reports, case records, or personal data.

Once data is exported from ASTERIA KYC, the Customer is responsible for protecting it, restricting access, applying retention controls, and deleting it when no longer needed.

16. No Absolute Security Guarantee

No technology platform can guarantee complete security. Cyber threats, fraud techniques, vulnerabilities, operational failures, and human errors may occur.

ASTERIA KYC’s security measures are designed to reduce risk, but Customers should maintain their own layered controls and incident response plans.

17. Security Inquiries

Customers may request security information through official channels, subject to confidentiality, commercial reasonableness, and security restrictions.

18. Updates

ASTERIA KYC may update this Security Statement to reflect changes in security practices, technology, operations, or legal requirements.

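Contact

Have questions about this policy?

If you have any questions about this policy, ASTERIA KYC services, data processing, compliance workflows, or documentation, please contact Asteria through the official contact channels on the website.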

ASTERIA KYC | Compliance-First Identity Verification Infrastructure