Coreblue Global

Security Policy

Last updated: January 7, 2026

Information Security Commitment

At Coreblue Global, we recognize that the security of your personal and business information is paramount. We are committed to implementing and maintaining robust information security practices to protect data from unauthorized access, disclosure, alteration, or destruction.

Our security program is built on industry best practices and aligned with:

  • ISO 27001: Information Security Management System standards
  • GDPR: Data protection and privacy requirements
  • Indian IT Act 2000: Information technology and cybersecurity regulations
  • NIST Framework: Cybersecurity best practices

Technical Security Measures

Encryption & Data Protection:

  • Transport Layer Security (TLS 1.3): All data transmitted between your browser and our servers is encrypted in transit using industry-standard TLS
  • Data at Rest Encryption: Sensitive data stored in databases is encrypted using AES-256 encryption
  • End-to-End Encryption: Confidential communications and document transfers use end-to-end encryption
  • Encrypted Backups: All backup data is encrypted before storage

Network Security:

  • Firewall Protection: Multi-layered firewall architecture protects against unauthorized network access
  • Intrusion Detection/Prevention Systems (IDS/IPS): Real-time monitoring and blocking of suspicious network activity
  • DDoS Protection: Distributed Denial of Service attack mitigation through cloud-based protection services
  • Network Segmentation: Critical systems are isolated in separate network segments
  • VPN Access: Remote employee access is secured through encrypted Virtual Private Networks

Application Security:

  • Secure Development Lifecycle: Security is integrated into all phases of software development
  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • SQL Injection Protection: Parameterized queries and prepared statements prevent database attacks
  • Cross-Site Scripting (XSS) Prevention: Output encoding and Content Security Policy headers
  • Cross-Site Request Forgery (CSRF) Protection: CSRF tokens on all state-changing operations
  • Security Headers: Implementation of HSTS, X-Frame-Options, X-Content-Type-Options, and other security headers

Access Control

Authentication:

  • Multi-Factor Authentication (MFA): Required for admin access and sensitive operations
  • Strong Password Policy: Minimum 12 characters with complexity requirements (uppercase, lowercase, numbers, special characters)
  • Password Hashing: Passwords are hashed using bcrypt, which applies a unique salt to each password (passwords are never stored in plain text)
  • Account Lockout: Automatic lockout after 5 failed login attempts to prevent brute force attacks
  • Session Management: Secure session tokens with automatic timeout after 30 minutes of inactivity

Authorization & Privilege Management:

  • Role-Based Access Control (RBAC): Users are granted minimum necessary permissions based on job function
  • Principle of Least Privilege: Access rights are limited to what is required for specific tasks
  • Segregation of Duties: Critical functions require multiple authorized users
  • Regular Access Reviews: Quarterly reviews of user access rights and permissions
  • Immediate Revocation: Access is revoked immediately upon employee termination or role change

Data Protection Measures

Physical Security:

  • Secure Data Centers: Servers hosted in Tier III/IV certified data centers with 24/7 security
  • Access Control: Biometric authentication and key card access to server rooms
  • CCTV Monitoring: Continuous video surveillance of facility entrances and critical areas
  • Document Security: Physical documents stored in locked cabinets with restricted access
  • Secure Disposal: Paper documents shredded; hard drives physically destroyed before disposal

Backup & Disaster Recovery:

  • Automated Backups: Daily incremental backups and weekly full backups
  • Off-Site Storage: Encrypted backups stored in geographically separate locations
  • Backup Testing: Monthly restoration tests to ensure data recoverability
  • Business Continuity Plan: Documented procedures for disaster recovery with a Recovery Time Objective (RTO) of 24 hours and a Recovery Point Objective (RPO) of 4 hours
  • Redundancy: Critical systems have redundant infrastructure to ensure availability

Security Incident Response

Incident Response Plan:

We maintain a comprehensive incident response plan to quickly detect, contain, and remediate security incidents:

  • Detection: 24/7 security monitoring, automated alerts, and log analysis
  • Classification: Incidents categorized by severity (Critical, High, Medium, Low)
  • Containment: Immediate isolation of affected systems to prevent spread
  • Investigation: Forensic analysis to determine root cause and extent of breach
  • Eradication: Removal of threat and closure of vulnerability
  • Recovery: Restoration of systems and data from secure backups
  • Post-Incident Review: Lessons learned and security improvements implemented

Breach Notification:

In the event of a data breach affecting personal information:

  • Affected individuals notified within 72 hours of discovery
  • Regulatory authorities notified as required by law
  • Transparent communication about the nature, scope, and impact of the breach
  • Guidance provided on steps individuals can take to protect themselves
  • Free credit monitoring offered where appropriate

Third-Party Security Assessment

We carefully vet and monitor all third-party vendors and partners:

  • Vendor Security Assessments: All vendors handling data undergo security evaluation before engagement
  • Data Processing Agreements: Contractual requirements for security standards and data protection
  • Regular Audits: Periodic reviews of vendor security practices and compliance
  • Vendor Access Controls: Limited, monitored access to only necessary systems and data
  • SLA Requirements: Service Level Agreements include security and incident response commitments

Employee Security Training

Our employees are our first line of defense against security threats:

  • Mandatory Security Training: All employees complete security awareness training during onboarding
  • Annual Refresher Courses: Yearly security training updates covering emerging threats
  • Phishing Simulations: Quarterly simulated phishing campaigns to test employee vigilance
  • Role-Specific Training: Additional training for employees with access to sensitive data
  • Security Policy Acknowledgment: Employees sign acknowledgment of security policies annually
  • Incident Reporting: Clear procedures for reporting suspected security incidents

Vulnerability Management

Continuous Monitoring:

  • Security Audits: Quarterly internal security audits of systems and processes
  • Penetration Testing: Annual third-party penetration testing of web applications and infrastructure
  • Vulnerability Scanning: Automated weekly vulnerability scans of all internet-facing systems
  • Code Reviews: Security-focused code reviews before production deployment
  • Threat Intelligence: Subscription to threat intelligence feeds for emerging vulnerabilities

Patch Management:

  • Critical Patches: Applied within 48 hours of release
  • High Priority Patches: Applied within 7 days
  • Routine Patches: Applied within 30 days during scheduled maintenance windows
  • Testing: All patches tested in staging environment before production deployment
  • Rollback Plan: Documented rollback procedures in case of patch issues

Reporting Security Issues

Responsible Disclosure:

If you discover a security vulnerability in our systems, we encourage responsible disclosure:

  • Report To: security@biojobz.com
  • Include: Detailed description, steps to reproduce, potential impact, and any proof-of-concept
  • Do Not: Exploit the vulnerability, access data, or disrupt services
  • Response Time: Acknowledgment within 48 hours, resolution timeline provided within 7 days
  • Recognition: Security researchers credited (with permission) in our security hall of fame

Bug Bounty Program:

We operate a bug bounty program to incentivize security research:

  • Rewards based on severity: Critical ($500-$2000), High ($200-$500), Medium ($50-$200)
  • Scope includes web applications, mobile apps, and APIs
  • Out-of-scope: Social engineering, physical attacks, third-party services

Compliance & Certifications

Our security program is audited and certified by independent third parties:

  • ISO 27001:2013: Information Security Management System certification
  • SOC 2 Type II: Annual attestation for security, availability, and confidentiality
  • GDPR Compliance: Full compliance with EU data protection regulations
  • Indian IT Act 2000: Compliance with Sections 43A, 72, and 72A (data protection provisions)

Security Contact Information

For security-related inquiries or to report vulnerabilities:

Security Team
Coreblue Global
By Medulla Recruitment Services Pvt. Ltd.
702, Supreme HQ, Baner, Pune, Maharashtra, India

Security Email: security@biojobz.com
PGP Key: Available on request
General Email: ganesh.bd@biojobz.com
Phone: +91 90497 32444 (business hours)