Security Policy
Last updated: October 2025
1. Introduction
ASYNC INTEGRATIONS d.o.o. is committed to maintaining the security and confidentiality of client data and payment information.
This Security Policy outlines our practices for protecting sensitive information, particularly in relation to payment processing and data transmission.
We implement industry-standard security measures and comply with applicable data protection regulations including GDPR.
2. Payment Security
We use Wise Europe SA as our payment processor for all card and online payment transactions.
Payment Card Industry Data Security Standard (PCI DSS) Compliance:
• Wise is PCI DSS Level 1 certified
• We do NOT store, process, or transmit payment card data on our systems
• All payment card information is handled exclusively by Wise
• Payment transactions are processed through Wise's secure payment gateway
When you make a payment:
• You are redirected to Wise's secure payment platform
• Payment data is transmitted directly to Wise using encryption
• We receive only confirmation of payment status, not your card details
We never ask for your payment card details via email, phone, or unsecured channels.
3. Data Transmission Security
All data transmitted between you and our systems is protected:
• Our website uses HTTPS/TLS encryption for all connections
• Email communications contain only non-sensitive information when possible
• Sensitive project files are shared via secure, encrypted channels
• We use secure file transfer protocols for deliverables
• Access to our systems requires strong authentication
We recommend that clients also use secure communication methods when sharing sensitive information.
4. Access Controls
We implement strict access controls to protect your data:
• Access to client data is limited to authorized personnel only
• Team members are granted minimum necessary access (principle of least privilege)
• All access is logged and monitored
• Strong passwords and multi-factor authentication are required
• Regular access reviews ensure only current team members have access
• Contractors and subcontractors are bound by confidentiality agreements
5. Infrastructure Security
Our technical infrastructure includes multiple layers of security:
• Secure, regularly updated servers and hosting environments
• Firewalls and intrusion detection systems
• Regular security patches and updates
• Encrypted data storage where applicable
• Regular backups with encrypted storage
• Disaster recovery and business continuity plans
Client projects may be hosted on reputable cloud platforms (AWS, DigitalOcean, etc.) that maintain ISO 27001 and SOC 2 certifications.
6. Secure Development Practices
We follow secure coding practices in all development work:
• Code reviews and security testing
• Regular dependency updates and vulnerability scanning
• Protection against common vulnerabilities (OWASP Top 10)
• Secure authentication and authorization implementations
• Input validation and output encoding
• Secure session management
• Regular security audits of our deliverables
We design systems with security as a core principle, not an afterthought.
7. Monitoring and Incident Response
We actively monitor for security threats:
• System logs are monitored for suspicious activity
• Automated alerts for potential security incidents
• Regular security assessments and penetration testing
• Incident response plan for rapid response to breaches
In the event of a security incident:
• We investigate immediately to contain and remediate the issue
• Affected clients are notified within 72 hours (as required by GDPR)
• We work with clients to minimize impact
• We report to relevant authorities as required by law
• We implement measures to prevent recurrence
8. Employee Security Training
All team members receive security training:
• GDPR and data protection awareness
• Secure coding practices
• Phishing and social engineering recognition
• Incident reporting procedures
• Confidentiality and non-disclosure obligations
Team members sign confidentiality agreements and are bound by our security policies.
9. Client Responsibilities
Clients share responsibility for security:
• Maintain strong passwords for any accounts we provide
• Do not share login credentials
• Report suspicious activity immediately
• Keep your own systems and software updated
• Follow our security recommendations for deployed applications
• Review and approve security measures in project agreements
We provide security guidance and recommendations, but cannot control client-side security.
10. Regulatory Compliance
We comply with relevant security and privacy regulations:
• EU General Data Protection Regulation (GDPR)
• Croatian Data Protection Act
• PCI DSS (through our payment processor Wise)
• Payment Services Directive 2 (PSD2) where applicable
We stay current with evolving regulations and update our practices accordingly.
11. Third-Party Security
When we use third-party services on behalf of clients:
• We vet vendors for security practices
• We require data processing agreements (DPAs) where appropriate
• We verify compliance with relevant standards (ISO 27001, SOC 2, etc.)
• We limit data sharing to what is necessary
Key third-party services:
• Wise (payment processing) - PCI DSS Level 1, GDPR compliant
• Hosting providers - ISO 27001, SOC 2 certified
• Email services - GDPR compliant
12. Policy Updates
This Security Policy is reviewed regularly and updated as needed.
Changes reflect evolving security threats, new technologies, and regulatory requirements.
Material changes will be communicated to active clients.
The 'Last Updated' date at the top of this policy indicates the most recent revision.
13. Security Concerns and Reporting
If you have security concerns or wish to report a security issue:
Email: hello@asyncintegrations.hr
Subject line: 'SECURITY - [Brief Description]'
Phone: +385 97 7877 127
We take all security reports seriously and respond promptly.
For responsible disclosure of vulnerabilities in our systems, please contact us privately before public disclosure.