Security Policy

Security Policy

PruTAN is built with security as a foundational principle. We maintain a comprehensive Information Security Management System (ISMS) across organizational, physical, and technical domains. Intellocore Pte Limited is certified under:

• ISO 27001:2022: Information Security Management System covering confidentiality, integrity, and availability of information assets
• ISO 42001:2023: Artificial Intelligence Management System ensuring responsible and secure implementation of AI technologies

These certifications demonstrate our commitment to maintaining the highest standards of information security and responsible AI practices.

Organizational Security

Artificial Intelligence Governance (ISO 42001:2023)

As an ISO 42001:2023 certified organization, Intellocore Pte Limited implements comprehensive AI governance controls:

• Dedicated AI oversight committee for governance and risk management
• AI impact assessments for all new AI features and systems
• Transparency reports on AI system performance and accuracy
• Bias detection, monitoring, and mitigation mechanisms
• Regular third-party audits of AI systems for fairness and reliability
• Human-in-the-loop processes for critical AI decisions
• Continuous monitoring for unintended consequences of AI systems
• Training programs ensuring all staff understand AI risks and responsible use

AI Data & Model Management

• All data used for AI training is handled with same security as production data
• AI models are versioned, audited, and tested before deployment
• Model documentation includes intended use, limitations, and known biases
• Regular retraining ensures AI systems remain accurate and fair
• Explainability mechanisms allow understanding of AI-driven recommendations

Personnel Security

• Verification includes criminal records, employment history, and credentials
• Mandatory confidentiality and acceptable use agreements
• Comprehensive security and compliance training for all staff
• Continuous awareness programs on information security
• Role-specific training based on responsibilities

Governance & Compliance Certifications

• Dedicated security and privacy teams
• Appointed Data Protection Officer (DPO)
• ISO 27001:2022 Certification: Information Security Management System covering confidentiality, integrity, and availability
• ISO 42001:2023 Certification: Artificial Intelligence Management System for responsible AI governance
• Regular internal and third-party audits validating compliance with ISO standards
• All employees sign confidentiality agreements and receive certification training

Infrastructure Security

Network Security

• Multi-layered firewalls and access controls
• Network segmentation protecting sensitive data
• Isolation of testing/development from production systems
• Daily firewall rule reviews with quarterly updates
• 24/7 Network Operations Center monitoring
• DDoS prevention from established providers

Redundancy & Availability

• Distributed grid architecture preventing single-point failures
• Fully redundant platform components
• Automatic failover during outages
• Multiple ISPs and redundant infrastructure

Server Hardening

• All servers hardened: unused ports disabled, defaults removed
• Base OS image includes security hardening
• Consistent hardening across all instances
• Regular patching and security updates

Data Security

ISO 27001:2022 Compliant Data Protection: All data security measures below are implemented in compliance with ISO 27001:2022 Information Security Management System standards, ensuring systematic protection of confidentiality, integrity, and availability of information.

Encryption

In Transit: Transport Layer Security (TLS 1.2/1.3) with strong ciphers. Perfect Forward Secrecy (PFS) ensures past communications remain secure.

At Rest: 256-bit Advanced Encryption Standard (AES) for sensitive data. Data encryption keys encrypted using master keys stored separately with restricted access.

Data Isolation

• Each customer's data logically isolated using secure protocols
• No customer can access another customer's data
• Customer retains all data ownership
• Data not shared with third parties without consent

Development Security

• All code changes require authorization via change management
• Secure coding guidelines and mandatory code review
• Vulnerability scanners and code analysis on all changes
• Manual security review by security engineers
• OWASP-based framework mitigating SQL injection, XSS, DoS

Access Control & Identity

Authentication & Authorization

• Single Sign-On (SSO) with integrated IAM
• SAML support for enterprise identity providers
• Multi-Factor Authentication with multiple modes
• Strong password policies enforced platform-wide

Administrative Access

• Least privilege and role-based access control principles
• Production access requires strong passwords + 2FA + SSH key
• Separate hardened network for administrative access
• All administrative operations logged and audited

Operational Security

Monitoring & Logging

• Comprehensive monitoring of services, network, and devices
• Event logs, audit logs, fault logs, operator logs collected
• Automated alerting for anomalies and suspicious activity
• Detailed audit trails for all data modifications
• Logs stored in secure, isolated servers

Vulnerability Management

• Continuous vulnerability scanning with certified tools
• Regular manual and automated penetration testing
• Active monitoring of security advisories and threat intelligence
• Vulnerabilities prioritized by severity and assigned to owners

Malware & Threat Protection

• Automated file scanning systems
• Custom anti-malware engine with regular updates
• Machine learning-based detection
• DMARC, SPF, DKIM authentication
• Proprietary detection for abuse and malicious activities

Backup & Disaster Recovery

• Daily incremental and weekly full backups
• AES-256 encryption for all backups
• RAID array storage for redundancy
• 3-month retention for active data, 6-month archive
• Automatic integrity and validation checks
• Near real-time replication across data centres
• Automatic failover to secondary centre

Incident Management

• Dedicated incident management team
• Notification with recommended actions for applicable incidents
• Root cause analysis for all incidents
• Evidence collection when applicable
• 72-hour breach notification to authorities (PDPA, GDPR)
• Customer notification of security incidents

Physical Security

Office & Facilities

• Access controlled via access cards with role-specific permissions
• Different access levels for employees, contractors, vendors, visitors
• Access logs maintained and reviewed
• CCTV monitoring throughout premises

Data Centres

• Co-location provider manages building, cooling, power, security
• Access restricted to authorised personnel only
• All access via ticket request and approval
• Two-factor and biometric authentication required
• Access logs and footage maintained for investigations

Vendor & Third-Party Management

• Vendors evaluated and qualified against security standards
• Risk assessments conducted before onboarding
• Contracts require vendors to maintain security and confidentiality
• Periodic reviews of vendor security controls

Data Disposal

• Data removed from active systems within 60 days of termination
• Data purged from backups after 90 days
• Hard drives degaussed and physically destroyed
• SSDs crypto-erased and shredded
• Disposal handled by verified, certified vendors

Your Security Responsibilities

To protect your account and data:

• Maintain unique, strong passwords and protect them
• Enable and use multi-factor authentication
• Keep browser, OS, and applications updated
• Exercise caution when sharing data
• Monitor account activity and active sessions regularly
• Be aware of phishing and social engineering attempts
• Report suspicious activity to info@intellocore.com

Last Updated: May 2026