🔒 Data Safety & Security Policy

Last Updated: February 23, 2026

1. Data Safety Overview

At Vibe Tests, your data safety and security are our top priorities. This Data Safety & Security Policy outlines our commitment to protecting your information, the security measures we have implemented, and how we ensure your data remains safe and secure at all times.

🛡️ Your Trust is Sacred: We employ industry-leading security practices and comply with international data protection standards to safeguard your personal and sensitive information.

2. Security Infrastructure

2.1 Data Encryption

🔐 SSL/TLS Encryption (Transport Layer Protection)

All data transmitted between your browser and our servers is encrypted using SSL/TLS protocols. This ensures that sensitive information cannot be intercepted by unauthorized parties during transmission.

🔑 End-to-End Encryption (At Rest)

Sensitive data stored in our databases is encrypted at rest using industry-standard encryption algorithms. Only authorized personnel with proper encryption keys can decrypt this data.

2.2 Password Security

🔐 Hashed Passwords

User passwords are never stored in plain text. We use industry-standard password hashing algorithms (bcrypt) to ensure that even our staff cannot access your password. Each password is salted and hashed uniquely.

🔐 Password Strength Requirements

We enforce strong password policies requiring a minimum of 8 characters with a mix of uppercase, lowercase, numbers, and special characters to prevent weak passwords.

2.3 Two-Factor Authentication (2FA)

✅ Enhanced Security Available: We offer optional two-factor authentication via email and SMS to provide an additional layer of security for your account.

3. Data Access Control

3.1 Role-Based Access Control (RBAC)

We implement strict role-based access control to ensure that employees and systems only have access to the data necessary for their functions. Access is granted on a need-to-know basis.

3.2 Authentication & Authorization

  • Multi-level Authentication: All internal systems require authentication before access is granted
  • Session Management: User sessions are securely managed with automatic timeouts after periods of inactivity
  • API Token Security: API access is controlled through secure bearer tokens with expiration dates
  • Activity Logging: All access to sensitive data is logged and monitored for suspicious activities

3.3 Access Revocation

When an employee leaves Vibe Tests or changes roles, all access to user data is immediately revoked and verified.

4. Network Security

4.1 Firewall Protection

Our infrastructure is protected by enterprise-grade firewalls that continuously monitor and filter incoming and outgoing traffic. Only authorized connections are allowed.

4.2 DDoS Protection

We employ advanced DDoS (Distributed Denial of Service) protection to prevent malicious attacks from disrupting our services and compromising user data.

4.3 Intrusion Detection & Prevention

Our systems continuously monitor for suspicious activities and potential threats. Automated systems can detect and block intrusion attempts in real-time.

4.4 Secure Network Architecture

  • Separation of user-facing and administrative networks
  • Virtual Private Network (VPN) access for administrative staff
  • Regular network security assessments and penetration testing
  • Encrypted internal communications

5. Data Storage & Backup

5.1 Secure Data Centers

Your data is stored in secure, geographically distributed data centers with multiple levels of physical security:

  • 24/7 physical surveillance and access controls
  • Biometric authentication for critical areas
  • Environmental monitoring (temperature, humidity, fire detection)
  • Backup power systems and redundancy

5.2 Data Redundancy

Your data is replicated across multiple servers and data centers to ensure availability and protect against data loss due to hardware failures.

5.3 Backup & Recovery

  • Automated daily backups of all critical data
  • Encrypted backup storage
  • Regular testing of backup recovery procedures
  • Disaster recovery plans in place

5.4 Data Isolation

Each user's data is logically isolated from other users' data. We implement database-level security to prevent unauthorized access to other users' information.

6. Third-Party Security

6.1 Payment Processing Security

We partner with [Flutterwave](https://www.flutterwave.com) for secure payment processing. We do not store complete credit card information on our servers. All payment transactions comply with PCI DSS (Payment Card Industry Data Security Standard) requirements.

6.2 Third-Party Vendor Assessment

All third-party vendors and service providers who access or process user data undergo rigorous security assessments before engagement and are required to sign data processing agreements.

6.3 Vendor Security Requirements

  • Encryption of data in transit and at rest
  • Regular security audits and certifications (ISO 27001, SOC 2, etc.)
  • Data processing agreements with data protection clauses
  • Liability and insurance requirements

7. Vulnerability Management

7.1 Regular Security Testing

  • Penetration Testing: Regular third-party penetration tests to identify vulnerabilities
  • Code Security Scanning: Automated scanning of source code for security vulnerabilities
  • Dependency Monitoring: Continuous monitoring of third-party libraries for known vulnerabilities
  • Security Audits: Regular comprehensive security audits of our systems

7.2 Vulnerability Disclosure Program

We maintain a responsible vulnerability disclosure program. If you discover a security vulnerability, please contact our security team immediately:

Email: hello@e86.io

7.3 Patch Management

Critical security patches are applied immediately upon release. Non-critical updates are deployed during scheduled maintenance windows to minimize disruption.

8. Incident Response & Data Breach Notification

8.1 Incident Detection

Our security team monitors systems 24/7 for signs of unauthorized access or data breaches. We employ automated alerts and manual investigation procedures.

8.2 Incident Response Plan

In the unlikely event of a security incident, we follow a comprehensive incident response plan:

  1. Detection: Identify and confirm the security incident
  2. Containment: Limit the scope and impact of the incident
  3. Investigation: Determine what happened and which data was affected
  4. Remediation: Fix the vulnerability and secure the system
  5. Notification: Inform affected users within 72 hours as required by law
  6. Documentation: Maintain detailed records for compliance and improvement

8.3 Data Breach Notification

If a data breach affects your personal information, we will notify you promptly, in accordance with applicable laws and regulations, including GDPR, CCPA, and Nigerian Data Protection guidelines.

⚠️ Breach Notification: We will notify you within 72 hours of confirmed unauthorized access to your personal data, along with recommended protective measures you should take.

9. Employee Security Training

9.1 Security Awareness Training

All employees undergo comprehensive security training covering:

  • Data protection best practices
  • Recognizing and reporting phishing attempts
  • Password security and account protection
  • Safe handling of user data
  • Privacy and confidentiality obligations

9.2 Ongoing Security Education

We provide regular security updates and training to keep our team informed about emerging threats and best practices.

9.3 Non-Disclosure Agreements

All employees who access user data sign confidentiality agreements requiring them to protect user information and comply with our security policies.

10. User Account Security Features

10.1 Account Security Tools Available to You

  • Password Change: Regularly change your password to enhance security
  • Two-Factor Authentication: Enable 2FA via email or SMS
  • Login Activity Monitoring: View all active sessions and login locations
  • Device Management: Review and remove trusted devices
  • Account Alerts: Receive notifications of suspicious activity

10.2 Account Recovery

We provide secure account recovery options for locked or compromised accounts:

  • Email-based account recovery
  • Identity verification procedures
  • Account activity review before recovery confirmation

10.3 Session Security

  • Automatic logout after 30 minutes of inactivity
  • Secure session tokens that expire regularly
  • Protection against session fixation attacks

11. Compliance & Standards

11.1 International Data Protection Standards

We comply with or exceed the following international security and privacy standards:

  • GDPR (General Data Protection Regulation): EU privacy regulation compliance
  • CCPA (California Consumer Privacy Act): California privacy rights compliance
  • Nigerian Data Protection Regulation (NDPR): Local data protection compliance
  • PCI DSS (Payment Card Industry Data Security Standard): Payment security compliance
  • ISO 27001: Information security management systems certification
  • SOC 2: Security, availability, and confidentiality standards

11.2 Regular Audits & Assessments

We regularly conduct:

  • Internal security audits
  • External third-party security assessments
  • Compliance reviews
  • Penetration testing

11.3 Compliance Documentation

Documentation of our compliance with various standards is maintained and available for review upon request by authorized parties.

12. Data Retention & Secure Deletion

12.1 Data Retention Policy

We retain your personal data only for as long as necessary to provide our services and comply with legal obligations:

  • Active Account Data: Retained while your account is active
  • Deleted Account Data: Deleted within 30 days of account deletion
  • Legal/Compliance Data: Retained as required by applicable laws
  • Backup Data: Automatically deleted according to backup retention policies

12.2 Secure Data Deletion

When data is deleted, we employ secure deletion methods:

  • Cryptographic data deletion (encryption key destruction)
  • Secure erasure of storage media
  • Multi-pass overwrite methods
  • Physical destruction of hardware when necessary

12.3 Right to Erasure

You have the right to request deletion of your personal data. Upon verification of your identity, we will securely delete your information except where retention is required by law.

13. Responsible Disclosure & Bug Bounty

13.1 Security Research

We encourage responsible security research and disclosure of vulnerabilities. If you find a security issue, please do not publicly disclose it. Instead:

  1. Email us at hello@e86.io with details of the vulnerability
  2. Include steps to reproduce the issue
  3. Allow us 30 days to investigate and patch
  4. Work with us on disclosure timing

13.2 Security Researcher Recognition

We recognize and appreciate responsible researchers who help us improve our security:

  • Public acknowledgment on our security page (if you agree)
  • Possible bug bounty awards for significant vulnerabilities
  • Early access to security updates

14. User Best Practices

14.1 Recommended Security Measures

While we maintain strong security, you can enhance your account security:

  • Strong Passwords: Use unique, complex passwords
  • Enable 2FA: Activate two-factor authentication
  • Secure Device: Keep your device updated with security patches
  • Antivirus Software: Use reputable antivirus and anti-malware software
  • Public Wi-Fi: Avoid accessing your account on unsecured public Wi-Fi
  • Phishing Awareness: Be cautious of phishing attempts and suspicious links
  • Logout: Always log out when using shared devices

14.2 Suspicious Activity

If you notice suspicious activity on your account:

  1. Change your password immediately
  2. Enable two-factor authentication if not already enabled
  3. Review your account activity and connected devices
  4. Contact us at hello@e86.io if you believe your account has been compromised

15. Transparency & Regular Updates

15.1 Security Transparency Report

We are committed to transparency about security incidents and improvements:

  • Annual security transparency reports
  • Details about security incidents (non-personally identifying information)
  • Updates on security improvements and investments
  • Public disclosure of our security certifications

15.2 Policy Updates

We update this Data Safety & Security Policy regularly to reflect new threats, technologies, and best practices. Material changes will be communicated to users.

🔒 Security & Safety Questions?

If you have questions about our data security practices or want to report a vulnerability:

Email: hello@e86.io
General Inquiry: hello@e86.io
Phone: +234 817 113 7585
