Security Policy

Last updated: January 2026

1. Our Security Commitment

Zaky Systems Ltd is committed to providing enterprise-grade security for our clients, partners, and users. We understand that trust is foundational to our software development and SaaS delivery services. This Security Policy outlines our comprehensive approach to protecting your data and systems.

2. Security Framework

Our security program is built on industry-leading frameworks and standards:

  • SOC 2 Type II: We undergo an annual SOC 2 Type II audit that independently verifies the operating effectiveness of our security controls
  • ISO 27001: Our information security management system is aligned with the ISO/IEC 27001 standard
  • GDPR Compliance: Full compliance with the General Data Protection Regulation for the personal data of EU residents
  • Kenyan Data Protection Act: Compliance with Kenya's Data Protection Act, 2019
  • OWASP Guidance: Secure development practices informed by the OWASP Top 10 risk categories

3. Data Encryption

We implement robust encryption for data at rest and in transit:

  • Data in Transit: All communications are encrypted using TLS 1.3
  • Data at Rest: Sensitive data is encrypted using AES-256 encryption
  • Key Management: Encryption keys are managed through AWS KMS or equivalent secure key management services
  • Database Security: Databases are encrypted at the storage level, with additional field-level encryption for sensitive data

4. Infrastructure Security

Our cloud infrastructure is hosted on industry-leading platforms with enterprise security:

  • Cloud Providers: AWS, Azure, and GCP with enterprise security certifications
  • Network Security: VPC isolation, security groups, and Web Application Firewalls (WAF)
  • DDoS Protection: Cloud-native DDoS protection and rate limiting
  • Redundancy: Multi-AZ deployment for high availability (disaster recovery is covered in Section 10)
  • Backups: Automated daily backups with encrypted offsite storage

5. Access Control

We implement strict access control measures:

  • Role-Based Access Control (RBAC): Granular permissions based on job functions
  • Multi-Factor Authentication (MFA): Required for all employee access to production systems
  • Principle of Least Privilege: Minimum necessary access granted to perform job duties
  • Access Logging: Comprehensive audit logs of all access and actions
  • Regular Access Reviews: Quarterly review of user access rights

6. Application Security

Our software development process incorporates security at every stage:

  • Secure Development Lifecycle: Security requirements integrated from project inception
  • Code Reviews: Mandatory peer review for all code changes
  • Static Application Security Testing (SAST): Automated scanning in CI/CD pipeline
  • Dynamic Application Security Testing (DAST): Automated scanning of running applications, complemented by regular penetration testing
  • Dependency Scanning: Automated vulnerability detection in third-party libraries
  • Input Validation: Comprehensive validation and sanitization of all user inputs

7. Incident Response

We maintain a robust incident response program:

  • 24/7 Monitoring: Continuous security monitoring and alerting
  • Incident Response Plan: Documented procedures for security incidents
  • Defined Roles: Clear responsibilities for incident handling
  • Communication Protocols: Established procedures for client notification
  • Post-Incident Reviews: Thorough analysis and remediation after any incident

8. Employee Security

Our team is trained and vetted for security excellence:

  • Background Checks: Comprehensive pre-employment screening
  • Security Training: Mandatory annual security awareness training
  • Secure Coding Training: Developers trained on secure development practices
  • Confidentiality Agreements: All employees sign confidentiality and non-disclosure agreements

9. Vulnerability Management

We proactively identify and address vulnerabilities:

  • Regular Scanning: Weekly automated vulnerability scanning
  • Penetration Testing: Annual third-party penetration testing
  • Patch Management: Critical patches applied within 48 hours of release
  • Responsible Disclosure: A coordinated disclosure program for security researchers (see Section 12)

10. Business Continuity

Our disaster recovery and business continuity plans ensure service availability:

  • 99.9% Uptime SLA: Commitment to high availability
  • Redundant Infrastructure: Multi-region deployment with automatic failover
  • Recovery Procedures: Documented disaster recovery procedures tested quarterly
  • Data Backup: Automated backups with point-in-time recovery capability

11. Client Responsibilities

Security is a shared responsibility. We recommend our clients:

  • Use strong, unique passwords and enable MFA where available
  • Keep software and systems updated
  • Report security concerns promptly through designated channels
  • Follow best practices for user access management
  • Review audit logs regularly for unusual activity

12. Reporting Security Issues

If you discover a security vulnerability or have security concerns about our services, please contact our security team at security@zaky.co.ke. We appreciate responsible disclosure and will work with you to address any issues promptly.

13. Contact Us

For questions about our security practices, please contact us at info@zaky.co.ke or call us at +254701887881.