Our commitment to protecting your data with enterprise-grade security.
Information Security Management System (ISMS)
AskRev maintains an Information Security Management System aligned with ISO/IEC 27001:2022 standards. Our ISMS covers all aspects of data handling, from collection through processing to secure deletion, ensuring continuous protection of your business data.
Infrastructure Security
| Control | Implementation | ISO 27001 Reference |
|---|---|---|
| Encryption at Rest | AES-256 | A.8.24 |
| Encryption in Transit | TLS 1.3 | A.8.24 |
| DDoS Protection | Cloudflare Enterprise | A.8.20 |
| WAF | Cloudflare WAF + custom rules | A.8.20 |
| Key Management | Hardware Security Modules (HSM) | A.8.24 |
| Backup | Encrypted, geo-redundant, daily | A.8.13 |
Access Controls
- Role-Based Access Control (RBAC): Least-privilege principle enforced across all systems (A.5.15, A.8.3)
- Multi-Factor Authentication (MFA): Required for all staff and admin access (A.8.5)
- Session Management: Automatic timeout, secure token handling (A.8.5)
- Privileged Access: Just-in-time access with audit logging (A.8.2)
PDPA Compliance
As a Singapore-based platform, AskRev fully complies with the Personal Data Protection Act (PDPA) 2012:
- Consent Obligation: Explicit consent obtained before data collection (Section 13)
- Purpose Limitation: Data used only for stated, reasonable purposes (Section 18)
- Notification: Users informed of collection purposes at point of collection (Section 20)
- Access & Correction: Self-service data access and correction tools (Sections 21-22)
- Protection Obligation: Reasonable security arrangements to protect data (Section 24)
- Retention Limitation: Data retained only as long as necessary (Section 25)
- Transfer Limitation: Cross-border transfers with adequate safeguards (Section 26)
- Data Breach Notification: Mandatory notification to the PDPC within 3 days of a significant breach
Security Operations
- Vulnerability Management: Automated scanning + quarterly penetration tests (A.8.8)
- Incident Response: 24/7 monitoring, documented IR plan, <4hr response time (A.5.24-5.28)
- Business Continuity: RPO <1hr, RTO <4hr, geo-redundant failover (A.5.29-5.30)
- Change Management: All changes reviewed, tested, and approved before deployment (A.8.32)
- Logging & Monitoring: Centralized SIEM with 12-month log retention (A.8.15-8.16)
Audit & Compliance
- Annual internal ISMS audit program (ISO 27001 Clause 9.2)
- External certification audit by accredited body
- Continuous risk assessment and treatment process (Clause 6.1)
- Management review of security objectives (Clause 9.3)
- SOC 2 Type II report available upon request
Responsible Disclosure
We welcome security researchers to report vulnerabilities through our responsible disclosure program. Please email security@askrev.co. We commit to acknowledging reports within 24 hours and providing updates within 72 hours.
For security inquiries, compliance documentation, or to request our ISO 27001 certificate, contact security@askrev.co.