Cybersecurity Policy

This policy defines how Amaltash protects its systems, data, and users against cybersecurity threats.

Last Updated: February 2026|Version: 1.0

1. Overview

Rainbow Labs Inc ("Amaltash," "we," "us," or "our") operates an automated trading platform that processes sensitive financial data on behalf of our users. Protecting the confidentiality, integrity, and availability of that data is central to everything we build.

This Cybersecurity Policy describes the administrative, technical, and operational safeguards we maintain to defend against unauthorized access, data breaches, and service disruptions.

Scope

This policy applies to all Amaltash systems, services, employees, contractors, and third-party vendors that access, store, or process Amaltash data or infrastructure.

2. Data Classification & Handling

All data processed by Amaltash is classified into tiers based on sensitivity. Each tier carries specific handling, storage, and access requirements.

ClassificationExamplesHandling
RestrictedExchange API keys, authentication tokens, database credentialsEncrypted at rest and in transit; access limited to production systems via automated processes
ConfidentialUser account details, trading history, strategy configurations, financial dataEncrypted at rest; role-based access; audit logging for all reads and writes
InternalSystem logs, infrastructure configuration, internal documentationAccess limited to authorized personnel; stored in secured internal systems
PublicMarketing content, published documentation, public API specificationsNo special handling required

Data Handling Principles

  • Least privilege: Data is only accessible to individuals and systems that require it for their function
  • Need-to-know: Access to Confidential and Restricted data requires explicit business justification
  • Retention limits: Data is retained only as long as needed for its stated purpose and then securely deleted
  • Secure disposal: When data is no longer needed, it is irreversibly deleted from all storage media

3. Access Control & Privileged Access Management

Amaltash enforces strict access controls across all systems, following the principle of least privilege and defense-in-depth.

Authentication

  • All user accounts require strong, unique passwords with a minimum complexity standard
  • Multi-factor authentication (MFA) is required for all internal administrative access and recommended for all user accounts
  • Sessions are time-limited and automatically expire after periods of inactivity
  • Authentication is managed through our database provider's built-in identity and access management service, which includes protection against brute-force and credential-stuffing attacks

Authorization & Role-Based Access

  • All access is granted on a role-based model — users receive only the permissions needed for their role
  • Row-level security is enforced at the database layer so that users can only access their own data
  • API endpoints validate authentication tokens on every request before processing
  • Service-to-service communication uses scoped credentials with minimal permissions

Privileged Access Management

  • Administrative access to production infrastructure is restricted to a minimal set of authorized personnel
  • Privileged credentials are rotated regularly and stored in a managed secrets service — never in source code or configuration files
  • All privileged actions are logged and auditable
  • Infrastructure changes are deployed through code-reviewed, version-controlled pipelines (Infrastructure as Code) rather than manual access

4. Encryption

All sensitive data is encrypted both at rest and in transit, using industry-standard cryptographic algorithms.

Data in Transit

  • All external communication is encrypted using TLS 1.2 or higher — HTTP traffic is automatically redirected to HTTPS
  • API communications between our services and third-party exchanges are encrypted end-to-end
  • Internal service-to-service traffic within our cloud infrastructure uses encrypted channels

Data at Rest

  • All database storage is encrypted at rest using AES-256 encryption managed by our cloud and database providers
  • Backups are encrypted with the same standards as primary storage
  • Exchange API keys and other Restricted-tier secrets are additionally encrypted at the application layer before storage

Key Management

  • Encryption keys are managed through our cloud provider's key management service
  • Keys are rotated on a defined schedule and access is tightly controlled
  • Application-level secrets are stored in managed secrets infrastructure, not in code

5. Vulnerability Management & Patch Management

Amaltash proactively identifies, prioritizes, and remediates vulnerabilities across its technology stack.

Vulnerability Identification

  • Automated dependency scanning runs on every code change to detect known vulnerabilities in third-party packages
  • Container images and infrastructure configurations are scanned for security misconfigurations
  • We subscribe to security advisories for all major components in our stack

Patch Management

  • Critical vulnerabilities (actively exploited or high CVSS) — patched within 24–48 hours
  • High-severity vulnerabilities — patched within 7 days
  • Medium/low-severity vulnerabilities — addressed in the next scheduled maintenance cycle
  • All patches are deployed through our standard CI/CD pipeline with automated testing

Secure Development

  • All code changes go through peer review before merging
  • Automated security linting and static analysis run as part of the CI pipeline
  • Sensitive operations (payments, credential handling) receive additional security-focused review

6. Incident Response

Amaltash maintains a documented incident response plan to detect, contain, and recover from security incidents.

Incident Response Phases

  1. Detection & Triage — Automated monitoring and alerting systems identify anomalous behavior; incidents are triaged by severity
  2. Containment — Affected systems or accounts are isolated to prevent further impact
  3. Investigation — Root cause analysis is performed using audit logs, system traces, and forensic evidence
  4. Remediation — The vulnerability or vector is patched and verified
  5. Recovery — Services are restored and validated before returning to full operation
  6. Post-Incident Review — A retrospective is conducted and lessons learned are documented and actioned

Notification

  • Users affected by a data breach are notified within 72 hours of confirmed impact, in accordance with applicable regulations
  • Notifications include a description of the incident, data potentially affected, and recommended actions
  • Relevant regulatory bodies are notified as required by law

7. Disaster Recovery & Business Continuity

Our infrastructure is designed for resilience. Disaster recovery planning ensures minimal disruption to users in the event of system failures or outages.

Infrastructure Resilience

  • Core services are deployed across multiple geographic regions for redundancy
  • Automated health checks and failover mechanisms redirect traffic away from unhealthy instances
  • Database replicas are maintained in separate availability zones with automated failover

Backup Strategy

  • Databases are backed up continuously with point-in-time recovery capabilities
  • Backups are encrypted and stored in a geographically separate location
  • Backup restoration is tested periodically to verify data integrity and recovery time

Recovery Objectives

  • Recovery Time Objective (RTO): Services are designed to recover within hours, not days
  • Recovery Point Objective (RPO): Data loss is limited to minutes through continuous replication
  • Recovery procedures are documented and periodically tested

8. Vendor Risk Management

Amaltash relies on a curated set of third-party vendors for cloud infrastructure, database hosting, DNS, CDN, and deployment services. All vendors are selected and managed with security as a primary criterion.

Vendor Selection

  • Vendors must demonstrate compliance with recognized security standards (e.g., SOC 2, ISO 27001)
  • We evaluate vendor security posture, data handling practices, and incident response capabilities before onboarding
  • Preference is given to vendors that offer encryption, audit logging, and fine-grained access controls by default

Ongoing Monitoring

  • Vendor compliance certifications and security posture are reviewed at least annually
  • We monitor vendor security advisories and incident disclosures
  • Data shared with vendors is limited to the minimum necessary for the service

Data Processing Agreements

  • All vendors that process user data are bound by data processing agreements specifying security requirements, breach notification obligations, and data handling restrictions
  • Vendor access to production data is restricted and auditable

9. Employee Security Practices

  • All team members are required to use multi-factor authentication on all company accounts and tools
  • Access to production systems is granted on a need-to-know basis and reviewed quarterly
  • Security awareness training is provided to all team members, covering phishing, social engineering, and safe data handling
  • Offboarding procedures include immediate revocation of all access to systems, repositories, and infrastructure
  • Company devices are required to have full-disk encryption, automatic screen lock, and up-to-date operating systems

10. Policy Review & Updates

This cybersecurity policy is reviewed and updated at least annually, or more frequently when there are significant changes to our infrastructure, threat landscape, or regulatory requirements.

  • Material changes to this policy will be communicated to users through our platform and email notifications
  • Previous versions of this policy are retained for reference and compliance purposes

11. Contact

If you have questions about this policy or want to report a security concern, please contact us:

Rainbow Labs Inc

2261 Market St

San Francisco, CA 94114

Email: security@amaltash.com

Responsible Disclosure

If you discover a potential security vulnerability in our platform, we encourage you to report it responsibly. Please email security@amaltash.com with details. We take all reports seriously and will respond promptly.