Security
System Security Policy
Last updated: 26/05/2026
🔒 Our Security Commitment
Security is foundational to MEGASON CRM. We invest heavily in protecting your data and our infrastructure. This document outlines our security practices and how to report potential vulnerabilities.
We follow industry best practices including OWASP Top 10 guidelines, SOC 2 principles, and regular third-party security assessments.
Infrastructure Security
Our infrastructure is designed with security at every layer:
• Hosted on enterprise-grade cloud infrastructure with 99.9% SLA
• Network segmentation and private VPC configurations
• Web Application Firewall (WAF) with DDoS protection
• Automated vulnerability scanning on all deployments
• Regular security patches applied within 24 hours of release
• Intrusion detection and prevention systems (IDS/IPS)
• 24/7 security monitoring and alerting
Data Encryption
All data is protected with strong encryption:
• Data at rest: AES-256 encryption
• Data in transit: TLS 1.3 with Perfect Forward Secrecy
• Database: Encrypted at the storage layer
• Backups: Encrypted and stored in geographically separate locations
• Encryption keys managed via dedicated Key Management Service (KMS)
Authentication & Access Control
Access to MEGASON CRM is protected by multiple layers:
• JWT-based authentication with configurable session expiration
• Role-Based Access Control (RBAC): ADMIN, MANAGER, SALES roles
• All API endpoints require valid authentication tokens
• Failed login attempt monitoring and account lockout
• Audit logs for all authentication events
• Admin-only access to sensitive configuration and user management
Application Security
Our development process includes:
• Secure coding practices and mandatory code review
• Automated static analysis (SAST) in CI/CD pipeline
• Dependency vulnerability scanning via automated tools
• Regular penetration testing by third-party security firms
• Input validation and parameterized queries to prevent SQL injection
• Content Security Policy (CSP) headers
• Rate limiting on all API endpoints
Incident Response
In the event of a security incident:
• Incidents are triaged within 1 hour of detection
• Affected customers are notified within 72 hours as required by law
• A full post-mortem is conducted and shared with affected parties
• Remediation steps are prioritized and tracked to completion
• All incidents are logged and reviewed by our security team
Responsible Disclosure
We welcome reports from security researchers. If you believe you have found a security vulnerability, please:
1. Email megasoninfo@gmail.com with subject "Security Disclosure" and details of the vulnerability
2. Include steps to reproduce, potential impact, and any proof-of-concept
3. Allow us reasonable time to investigate and remediate (90 days)
4. Do not publicly disclose the issue until we have addressed it
We commit to:
• Acknowledge receipt within 48 hours
• Provide regular updates on our progress
• Credit researchers (with permission) in our security acknowledgments
• Not pursue legal action for good-faith security research
Compliance
MEGASON CRM is designed to help our customers maintain compliance with:
• GDPR (General Data Protection Regulation)
• Vietnam's Cybersecurity Law (Luật An ninh mạng)
• ISO 27001 information security principles
• OWASP Application Security Verification Standard (ASVS)
Contact Security Team
• Email: megasoninfo@gmail.com (use the subject line "Security Disclosure")
• Phone: +84 981 662 361
• Address: 81 Cách Mạng Tháng Tám, Bến Thành Ward, District 1, Ho Chi Minh City, Vietnam
