Security Policy | ORGNavi
Security Policy

ORGNavi Security Policy

We protect your organization's critical data with enterprise-grade security.

Data Encryption

Transport Encryption (HTTPS)Applied

All data is transmitted in encrypted form via SSL/TLS. HTTP requests are automatically redirected to HTTPS.

Data-at-Rest EncryptionApplied

Sensitive data stored on our servers is encrypted at rest.

Regular Backup & RecoveryApplied

Data is backed up regularly and can be restored quickly in the event of a failure.

Customer Data Isolation

Per-Tenant Database IsolationApplied

Each customer's data is managed in a completely separate database, structurally preventing data cross-contamination. (On-premise ORGNavi)

Access Permission IsolationApplied

An account belonging to Customer A cannot access Customer B's data. Strictly enforced at the application level.

Authentication & Access Control

Role-Based Access Control (RBAC)Applied

Features and data are granularly controlled by role — Administrator, Editor, and Viewer.

Auto Session ExpiryApplied

Sessions automatically expire after a period of inactivity, preventing threats from unattended sessions.

Login Failure LockoutApplied

Accounts are temporarily locked after consecutive failed login attempts to defend against brute-force attacks.

Two-Factor Authentication (2FA)In Dev

Supports OTP-based 2FA via Google Authenticator. Even if a password is leaked, access is blocked without the second factor.

Social Login IntegrationIn Dev

Supports login via social accounts such as Google, leveraging the security infrastructure of those platforms.

Network & Infrastructure Security

AWS Korea RegionApplied

All ORGNavi services run on the AWS Seoul region (ap-northeast-2). Customer data is processed and stored domestically, supporting local compliance requirements and delivering low latency.

AWS RDS Managed DatabaseApplied

We use AWS RDS (Relational Database Service) for database operations. Automatic backups, Multi-AZ redundancy, and automatic patching provide structural stability through AWS-managed infrastructure.

VPC-Based Network IsolationApplied

Databases and internal services run exclusively inside a VPC (Virtual Private Cloud) isolated from the public internet. Direct external access is structurally impossible.

DDoS ProtectionApplied

AWS Shield provides defense against abnormal high-volume traffic attacks.

IP-Based Access ControlConfigurable

Customer administrators can register permitted IP addresses. Access from unregistered IPs can be blocked or require additional authentication.

Application Security

SQL Injection PreventionApplied

All database queries use parameterized binding, fundamentally blocking SQL injection attacks.

XSS Attack DefenseApplied

Thorough validation and escaping of user input prevents cross-site scripting attacks.

API Authentication TokensApplied

All API requests undergo token validation. Token expiry and refresh policies minimize the risk of stolen token abuse.

Regular Security Vulnerability ScanningActive

Security vulnerabilities are scanned and patched on a regular basis.

Monitoring & Audit

Access Log RecordingApplied

A complete record of who logged in, when, and from where is maintained.

Anomaly Detection & AlertsIn Dev

Administrators are alerted when anomalies are detected, such as new IPs or logins at unusual hours.

Enterprise-Only Options

Dedicated InstanceNegotiable

A dedicated server instance is operated separately for large enterprises and security-sensitive customers. Multiple affiliates can be managed in a single instance.

VPN IntegrationNegotiable

A VPN tunnel is configured between the dedicated instance and the customer's internal network. Access from outside the customer's network is structurally blocked.

On-Premise InstallationNegotiable

Installed directly on the customer's own servers. All data operates entirely within the customer's environment, eliminating the risk of external leakage.

Security Inquiries

For security inquiries or additional requirements, please contact us anytime.

Submit an Inquiry