Security Policy
Last updated: February 2026
At Tawteen Tech, security is a fundamental part of our platform and services infrastructure. We are committed to protecting your data and your users' data, and to ensuring secure and reliable communication. This policy outlines the security measures we follow in accordance with industry best practices.
1. Encryption
At Tawteen Tech, we adhere to internationally recognized encryption standards, such as those from the National Institute of Standards and Technology (NIST) and ISO/IEC 27001, to ensure the highest levels of information protection in line with global best practices. For example:
During Transit: All data, including messages, calls, and shared files, is encrypted using protocols such as SSL and TLS 1.2/1.3 to prevent unauthorized interception.
During Storage: Sensitive data stored on our servers is encrypted using AES-256, ensuring a high level of protection against unauthorized access.
End-to-End Encryption (E2EE): Where applicable, we provide end-to-end encryption for calls and messages to ensure maximum privacy.
2. Identity & Authentication
Single Sign-On (SSO): We support SSO integration using protocols like SAML 2.0, OAuth 2.0, and OpenID Connect, ensuring seamless and secure user access across various systems and services.
Password Management: We enforce strict password management policies to ensure the confidentiality, integrity, and availability of our systems and user data. All user credentials must comply with complexity standards based on global security best practices, including NIST SP 800-63B and OWASP Authentication Guidelines. These requirements include:
- Enforcing sufficient password complexity levels.
- Preventing the use of repetitive or predictable patterns.
- Prohibiting the reuse of compromised passwords.
Password management is integrated with Multi-Factor Authentication (MFA), SSO technologies, and OpenID and JWT standards to ensure advanced protection levels.
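To make the three password requirements above concrete, here is an added example (not Tawteen Tech's code) of a password acceptance check modelled on NIST SP 800-63B: minimum length, rejection of repetitive and sequential patterns, a context-word check, and a lookup against a breach list. The breach list and the helper names are constructed for illustration; a production check would query a full breach corpus instead of an inline set.

```python
import hashlib
import re

MIN_LENGTH = 8   # NIST SP 800-63B minimum for user-chosen secrets
MAX_LENGTH = 64  # allow long passphrases; never truncate silently

# Constructed sample of breached passwords, kept as SHA-1 digests so the
# plaintext list does not live in source; a real list would be far larger.
_BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "123456", "qwerty", "letmein", "P@ssw0rd")
}

def is_compromised(pw: str) -> bool:
    return hashlib.sha1(pw.encode()).hexdigest() in _BREACHED_SHA1

def has_repetitive_pattern(pw: str, run: int = 4) -> bool:
    # Same character repeated `run` or more times in a row, e.g. "aaaa".
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None

def has_sequential_pattern(pw: str, run: int = 4) -> bool:
    # `run` consecutive ascending or descending code points, e.g. "1234", "dcba".
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False

def check_password(pw: str, context_words=()) -> list:
    """Return the list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if len(pw) > MAX_LENGTH:
        problems.append("too long")
    if has_repetitive_pattern(pw):
        problems.append("repetitive characters")
    if has_sequential_pattern(pw):
        problems.append("sequential characters")
    low = pw.lower()
    # Reject passwords containing the username or service name (hypothetical context words).
    if any(w.lower() in low for w in context_words if w):
        problems.append("contains username or service name")
    if is_compromised(pw):
        problems.append("found in breach list")
    return problems
```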
Account Lockout & Recovery: To protect accounts from unauthorized access and brute-force attacks, accounts are temporarily locked after a specified number of failed login attempts. In case of a lockout, secure verification procedures are followed to restore access, such as email verification or MFA, ensuring secure account recovery without compromising security. Users are notified of account lockouts with clear recovery instructions, balancing usability and strict protection.
3. Data Governance
Data Storage and Access Control: Data is stored using irreversible encryption to protect sensitive information, with access restricted to authorized individuals only, based on the principles of Least Privilege and strict identity verification, ensuring the highest levels of security and compliance.
Data Retention Policy: We follow structured data retention policies to comply with legal and business requirements.
User Control and Data Requests: Users can request the deletion or export of their data in accordance with GDPR and CCPA compliance requirements.
4. Infrastructure Security
Network Protection: We implement advanced firewalls, Intrusion Detection and Prevention Systems (IDPS), and DDoS protection to secure our infrastructure.
Secure Cloud Hosting: Our platform operates on trusted cloud infrastructure from certified providers compliant with the highest security and compliance standards, including ISO 27001, SOC 2, PCI DSS, GDPR, and HIPAA, ensuring data and operational protection per global best practices.
Periodic Security Audits: We conduct regular vulnerability assessments and security tests to identify and mitigate risks.
5. Compliance & Certifications
Tawteen Tech is committed to global security and privacy standards, ensuring compliance with the following:
- ISO 27001: International standard for information security management systems to ensure data and system protection.
- ISO 27017: A security framework for cloud services, providing additional guidelines for data protection in cloud environments.
- ISO 27018: A standard focused on protecting personal information in cloud storage, enhancing privacy compliance.
- ISO 27701: Privacy Information Management System (PIMS), defining a framework for managing personal data per global best practices.
- ISO 22301: Business continuity standard, ensuring the platform's ability to respond effectively to incidents and recover quickly from crises.
- ISO 42001: A standard for artificial intelligence management systems (AIMS), providing a framework for the responsible and secure governance of the use, development, and application of artificial intelligence technologies.
- GDPR Compliance: Ensuring lawful and transparent processing of users' personal data.
- CCPA Compliance: Protecting consumer rights under the California Consumer Privacy Act.
6. Incident Response & Monitoring
Continuous Security Monitoring: We continuously monitor systems and services, with 24/7 activity analysis using Security Information and Event Management (SIEM) systems, AI, and machine learning technologies, enabling real-time threat detection and response with periodic internal analytics.
Unified Communications Protection: As our company provides unified communications solutions, we implement advanced security measures for meetings, virtual classrooms, and related APIs, including comprehensive E2EE and data protection during transit and storage per ISO 27001 and GDPR standards.
Incident Response Procedures: We have a structured response plan per NIST and ISO 22301 standards, involving specialized teams to handle security incidents, assess severity, isolate affected systems, recover data, and ensure business continuity without impacting users.
Immediate Incident Notification: In case of a security incident affecting user data or platform operations, we notify affected parties based on the incident's nature and impact, per regulatory compliance requirements.
Incident Analysis and Continuous Learning: Post-incident, we conduct Root Cause Analysis (RCA) and prepare detailed reports identifying vulnerabilities and improvement plans, updating security policies and preventive measures to avoid recurrence.
Interdepartmental Collaboration: Incident response is coordinated between legal, IT, quality, and infrastructure teams to ensure integrated legal and technical measures protect data and ensure regulatory compliance.
7. Application & API Security
API Security: All APIs are secured using robust authentication mechanisms, including JSON Web Token (JWT) for secure identity and authentication management. We use unique API keys for access control and Refresh Tokens for securely extending session validity without frequent re-authentication, enhancing application security and user experience.
SAML Protocol Support: We support SAML 2.0 authentication for SSO capabilities for organizations relying on this protocol.
Security Assessments: We conduct periodic penetration testing for all applications to ensure no security vulnerabilities exist.
SDK Security: We provide Software Development Kits (SDKs) compliant with the highest security standards.
8. User Responsibilities
Account Security: Users must maintain the confidentiality of their login credentials, as outlined in the terms and conditions at https://qriib.com/termsandconditions.
Reporting Security Issues: Users are required to report any suspicious activity or potential vulnerabilities to our support team immediately.
Compliance with Tawteen Tech Policies: Users are responsible for adhering to all policies, terms of service, and other guidelines available in the Trust Center on the official website at https://qriib.com/ar/home.
9. Continuous Improvement
We regularly review and enhance our security policies based on evolving threats, industry trends, and compliance updates.
This security policy is designed to provide a secure environment for you and all Tawteen Tech users. For any inquiries or additional information, please contact our support team at support@qriib.com.