Data Security
Last updated: March 1, 2026
Ref: Organic Law No. 2004-63 — Law No. 99-89 — ISO 27001 — OWASP
AES-256 Encryption
Data at rest encrypted with AES-256, data in transit with TLS 1.3
Penetration Testing
Semi-annual security audits by independent experts
Incident Response < 4h
Structured 24/7 response protocol
1. Our Commitment
At Overlyne, data security is at the heart of our approach. We apply industry best practices to protect our clients' and users' information at every stage of processing. Our security policy is aligned with the ISO 27001 standard, OWASP guidance and Tunisian data protection regulations.
2. Data Encryption
All communications between your browser and our servers are encrypted with TLS 1.3 (RFC 8446), the current version of the protocol. Sensitive stored data is encrypted at rest with AES-256, for which no practical attack is known. Encryption keys are rotated automatically and held in a hardware security module (HSM), separate from the data they protect, so a copy of the database alone is not enough to read it.
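The arrangement described above (data keys separate from the root key, automatic rotation) is usually implemented as envelope encryption. The Go program below is an added example, not Overlyne's code: each record gets its own AES-256-GCM data key (DEK), which is wrapped by a root key (KEK) that only the key store holds; an in-memory map stands in for the HSM, and all type and function names are assumptions. Rotation installs a new KEK and re-wraps the DEKs, leaving the encrypted data untouched, which is what makes rotating keys over a large dataset affordable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// KeyStore stands in for the separate vault/HSM: it holds the root key-encryption keys (KEKs)
// and only ever hands out wrapped per-record data-encryption keys (DEKs), never a KEK itself.
type KeyStore struct {
	keks    map[string][]byte
	current string
}

// Record is what is stored beside the data; the KEK that unwraps its DEK never leaves the KeyStore.
type Record struct {
	KEKID                  string
	WrappedDEK, Ciphertext []byte
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no CSPRNG: stop rather than encrypt with a weak key
	}
	return b
}
func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		panic(err) // only reachable with a malformed key length
	}
	g, _ := cipher.NewGCM(block)
	return g
}

// seal returns nonce||ciphertext||tag; aad is authenticated but not encrypted.
func seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; a wrong key, tampered bytes or mismatched aad all fail.
func open(key, sealed, aad []byte) ([]byte, error) {
	g := gcm(key)
	if len(sealed) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}

// Rotate installs a fresh KEK as current; older KEKs must stay until every record has been Rewrapped.
func (ks *KeyStore) Rotate() string {
	ks.current = fmt.Sprintf("kek-v%d", len(ks.keks)+1)
	ks.keks[ks.current] = randomBytes(32)
	return ks.current
}

// unwrap fails closed if the KEK is gone or the blob was relabelled, because the KEK ID is bound as AAD at wrap time.
func (ks *KeyStore) unwrap(id string, wrapped []byte) ([]byte, error) {
	kek, ok := ks.keks[id]
	if !ok {
		return nil, fmt.Errorf("KEK %q retired or unknown", id)
	}
	return open(kek, wrapped, []byte(id))
}

func Encrypt(ks *KeyStore, plaintext []byte) *Record {
	dek := randomBytes(32) // fresh DEK per record
	wrapped := seal(ks.keks[ks.current], dek, []byte(ks.current))
	return &Record{KEKID: ks.current, WrappedDEK: wrapped, Ciphertext: seal(dek, plaintext, nil)}
}
func Decrypt(ks *KeyStore, r *Record) ([]byte, error) {
	dek, err := ks.unwrap(r.KEKID, r.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, r.Ciphertext, nil)
}

// Rewrap moves a record onto the current KEK without touching the ciphertext, which keeps rotation cheap.
func Rewrap(ks *KeyStore, r *Record) error {
	dek, err := ks.unwrap(r.KEKID, r.WrappedDEK)
	if err != nil {
		return err
	}
	r.WrappedDEK = seal(ks.keks[ks.current], dek, []byte(ks.current))
	r.KEKID = ks.current
	return nil
}

func main() {
	ks := &KeyStore{keks: map[string][]byte{}}
	ks.Rotate()
	rec := Encrypt(ks, []byte("constructed sample: client record 42"))
	ks.Rotate() // scheduled rotation: a new KEK becomes current
	pt, err := Decrypt(ks, rec) // the old KEK is still present, so this succeeds
	fmt.Printf("%q %v rewrap=%v\n", pt, err, Rewrap(ks, rec))
}
```

Two details carry the security weight. The KEK ID is passed as associated data when a DEK is wrapped, so a wrapped key copied from one record and relabelled for another KEK is rejected rather than silently decrypted with the wrong root key. And the old KEK is only deleted from the store after every record has been rewrapped; deleting it earlier makes the data it protects unrecoverable, so a production rotation job should count records still referencing the old KEK ID before retiring it.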
3. Secure Infrastructure
Our servers are hosted in certified data centers (Tier III minimum) with: 24/7 biometric access control, redundant power supply (UPS + generators), inert gas fire suppression systems, permanent video surveillance. At network level: next-generation firewalls (NGFW), intrusion detection and prevention systems (IDS/IPS), strict network segmentation (VLAN), real-time monitoring with automatic alerts.
4. Authentication & Access Control
Access to systems and data is strictly controlled: mandatory multi-factor authentication (MFA) for all administrative access, a strong password policy (minimum 12 characters, complexity required, quarterly rotation), the principle of least privilege (each user can access only the data their role requires), a quarterly access review, and complete logging of all access and actions.
5. Backups & Continuity
Daily automatic backups with 30-day retention. Incremental backups every 6 hours. All backups are encrypted (AES-256) and stored in geographically distinct locations (multi-site). Monthly restoration tests to ensure integrity. Disaster Recovery Plan (DRP) with RPO < 6h and RTO < 4h. Business Continuity Plan (BCP) documented and tested quarterly.
6. Security Testing
Semi-annual external penetration testing by independent experts. Static source code analysis (SAST) on every commit. Weekly dynamic security analysis (DAST). Daily automated dependency vulnerability scanning (SCA). Bug bounty program for critical vulnerabilities. Critical security updates are applied within 24 hours.
7. Incident Management
In case of a security incident, our team follows a structured 5-phase response protocol: Detection (24/7 monitoring, automatic alerts), Containment (immediate isolation of impacted systems), Eradication (threat removal, vulnerability patching), Recovery (service restoration, integrity verification), Post-mortem (root cause analysis, improvement plan). Affected parties are notified in accordance with Organic Law No. 2004-63 and INPDP obligations.
8. Training & Awareness
All team members are trained in cybersecurity best practices from onboarding. Continuous training program: quarterly awareness sessions, monthly phishing simulation exercises, mandatory security certification for developers, permanent threat intelligence monitoring.
9. Regulatory Compliance
We strictly comply with: Organic Law No. 2004-63 of July 27, 2004 on personal data protection in Tunisia, INPDP declaration obligations, Tunisian Penal Code regarding computer offenses (Law No. 99-89 of August 2, 1999), OWASP Top 10 standards for application security, ISO 27001 recommendations for information security management.
10. Security Contact
To report a vulnerability or security incident: [email protected] (guaranteed response within 4 business hours). For general security questions: [email protected]. Address: 01 Rue d'Alger, Monastir 5015, Tunisia.
