Security policy and VDP

______________________________________________________________________________________________________

(September 2023)

Introduction

The main goal of Shiji is to deliver and maintain exceptional service to our customers. Our mission is to provide the hospitality, food service, retail and entertainment industry with a complete and modern technology stack that is secure, scalable, and ready for the future. Security is a foundational element underpinning the achievement of this goal. To ensure the highest security level of the software and information processed by Shiji, the company's Board of Directors decided to implement a Comprehensive Security Strategy and Information Security Management System, addressing the strategy.

The principles of the Information Security Management System related to the Shiji products have been defined in accordance with the requirements of the standard ISO/IEC 27001:2017 “Information technology - Security techniques - Information Security Management Systems”. Moreover, Shiji Group implemented the controls described in the ISO/IEC 27018 standard regarding personal data protection in cloud solutions.

The Information Security Policy covers all employees, contractors, and third parties having access to or processing sensitive information. The Information Security Policy contains rules ensuring Shiji products’ security in the following domains:

Information security policies

Shiji implemented a set of information security policies describing the security strategy, direction, and technical requirements. The policies were published and communicated to all employees. All security policies meet the requirements of the ISO/IEC 27001 standard.

Organization of information security

Shiji established a security management framework and assigned roles and responsibilities for information security. Shiji also implemented a risk management process, ensuring that risks are identified, assessed, and treated according to the risk appetite.

Human resource security

Shiji informs employees about the implemented security policies and their obligations and responsibilities related to information security. Periodically, employees must acknowledge those requirements. Employees are regularly trained to improve their security awareness.

Asset management

Shiji maintains inventories of information assets. All assets are assigned to owners and classified to ensure they receive an appropriate level of protection, based on the criticality of the assets. Customers’ data is among the most sensitive assets that require the highest level of protection.

Access control

Shiji manages access to assets on a need-to-know / least privilege basis. Access to any resource is granted only after required approvals and removed promptly upon termination of employment. Accounts are periodically reviewed.

Cryptography

Shiji applies effective cryptography based on current recommendations, technical requirements and conducted risk assessments.

Physical and environmental security

Shiji premises are protected with physical security measures to prevent unauthorized physical access. Shiji cooperates only with reputable cloud infrastructure vendors, providing the required level of physical security.

Operations security

Shiji implemented security operations to protect the services and data processed within the services. The operations are managed by the Security Team and the Security and Network Operations Center Team working on a 24/7 basis. The team implemented, among others, a vulnerability management process, ensuring that vulnerabilities are addressed according to their classification.

Communications security

Shiji implemented network security solutions to ensure the security and monitoring of networks. All information transmitted via public networks is encrypted.

System acquisition, development, and maintenance

Security is an integral part of development and systems acquisition. Services are subject to continuous web application and infrastructure threat assessment, source code reviews, and penetration testing.

Supplier relationships

Shiji applied security controls related to suppliers depending on the scope of the cooperation, the sensitivity of the exchanged data, and the risks resulting from the cooperation.

Information security incident management

Shiji implemented a security incident management process, supported by multiple technical solutions. The Security and Network Operations Center Team monitors the performance and security levels on a 24/7 basis. Detected security incidents are resolved in a timely manner.

Information security aspects of business continuity management

Shiji created and implemented business continuity plans to ensure the required availability of the service. The services are designed and implemented to address high availability requirements. Business continuity scenarios are tested at least once a year.

Compliance

Shiji identified applicable legislation and contractual requirements to ensure the services and Shiji are compliant with them. The information security area is periodically reviewed to ensure that it is implemented and operates in accordance with internal security regulations.

The Shiji Information Security Policy is subject to continuous improvement, according to the requirements of ISO/IEC 27001 and all stakeholders' recommendations.

To secure a copy of our ISO certificate, we graciously request that you make a formal request via email to itsecurity@shijigroup.com, specifying the product of your interest. This service is available for both our esteemed existing clients and prospective partners, and upon receiving your request, we will promptly provide you with the necessary information.

Shiji Group Vulnerability Disclosure Policy

Introduction

Shiji Group welcomes feedback from security researchers and systems’ users to help improve our security. If you believe you have discovered a vulnerability, privacy issue, exposed data, or other security issues in any of our assets, we want to hear from you. This policy outlines the steps for reporting vulnerabilities to us, what we expect, and what you can expect from us.

Systems in Scope

This policy applies to any digital assets owned, operated, or maintained by Shiji Group.

Out of Scope

Assets or other equipment not owned by Shiji Group. Vulnerabilities discovered or suspected in out-of-scope systems should be reported to the appropriate vendor or applicable authority.

Scope Limitations

This policy does not authorize you to:

  • Perform any actions that could negatively impact the availability, integrity, or confidentiality of our systems or our customers' data.
  • Perform any physical or social engineering attacks, including but not limited to phishing, smishing, or other similar attacks.
  • Perform any vulnerability testing on third-party applications or systems not owned or maintained by Shiji.

By submitting a vulnerability report, you acknowledge that you have read and understood this policy and agree to comply with its guidelines.

Our Commitments

When working with us, according to this policy, you can expect us to:

  • Respond to your report promptly, and work with you to understand and validate your report.
  • Strive to keep you informed about the progress of a vulnerability as it is processed.
  • Work to remediate discovered vulnerabilities in a timely manner, within our operational constraints.
  • Extend Safe Harbor for your vulnerability research that is related to this policy.

Our Expectations

In participating in our vulnerability disclosure program in good faith, we ask that you:

  • Play by the rules, including following this policy and any other relevant agreements. If there is any inconsistency between this policy and any other applicable terms, the terms of this policy will prevail.
  • Report any vulnerability you have discovered promptly.
  • Avoid violating the privacy of others, disrupting our systems, destroying data, and/or harming user experience.
  • Use only the email itsecurity@shijigroup.com to report vulnerabilities.
  • Provide us a reasonable amount of time (at least 90 days from the initial report) to resolve the issue before you disclose it publicly.
  • Perform testing only on in-scope systems, and respect systems and activities which are out-of-scope.
  • If a vulnerability provides unintended access to data, limit the amount of data you access to the minimum required for effectively demonstrating a Proof of Concept. Cease testing and submit a report immediately if you encounter any user data during testing, such as Personally Identifiable Information (PII), Personal Healthcare Information (PHI), credit card data, or proprietary information.
  • Act in good faith: Engage in responsible vulnerability disclosure and refrain from any malicious activities that could harm our systems or our customers.
  • Comply with applicable laws: Ensure that your research and activities comply with the relevant local and international laws and regulations.

Official Channels

Report security issues to itsecurity@shijigroup.com, providing all relevant information. The more details you provide, the easier it will be for us to triage and fix the issue. Please include the following details:

  • Vulnerability name
  • Vulnerability description
  • Vulnerability score (CVSS3)
  • Product(s) affected
  • Your name
  • Your email
  • Technical details (endpoint, payload, other)

Safe Harbor

When you conduct vulnerability research according to this policy, we consider this research to be:

  • Authorized concerning any applicable anti-hacking laws, and we will not initiate or support legal action against you for accidental, good-faith violations of this policy.
  • Authorized concerning any relevant anti-circumvention laws, and we will not bring a claim against you for circumvention of technology controls.
  • Exempt from restrictions in our General Terms and Conditions that would interfere with conducting security research, and we waive those restrictions on a limited basis.
  • Lawful, helpful to the overall security of the Internet, and conducted in good faith.

You are expected, as always, to comply with all applicable laws. If legal action is initiated by a third party against you and you have complied with this policy, we will take steps to make it known that your actions were conducted in compliance with this policy.

If at any time you have concerns or are uncertain whether your security research is consistent with this policy, please submit a report through our Official Channel before going any further.

Note that the Safe Harbor applies only to legal claims under the control of the organization participating in this policy, and that the policy does not bind independent third parties.

Disclosure Policy:

  • As a vulnerability report submitter, I will give the chosen Security Team reasonable time to investigate and mitigate an issue I report.
  • While the Security Team investigates, I refrain from discussing my discovery in any way with a third party (e.g., fellow researchers, colleagues, companies, governments).
  • Acting in good faith, I will try to avoid privacy violations and disruptions to others, including but not limited to destruction of data and interruption or degradation of any services.
  • I will not exploit a security issue I discover for any reason. This includes demonstrating additional risk, such as attempted compromise of sensitive company data or probing for additional issues.
