Security Policy
Last Updated: May 10, 2026
Domain ("we," "us," or "our") is committed to protecting the security of data entrusted to us by users of domain.biz. This Security Policy describes the technical and organizational measures we maintain to safeguard information processed through our platform. By using our services, you acknowledge that you have read and understood this policy.
1. Scope
This policy applies to all systems, infrastructure, personnel, and third-party service providers involved in the collection, storage, transmission, and processing of data on behalf of Domain and its users. It covers our web application, APIs, internal tooling, and any supporting cloud or hosting environments.
2. Data Classification
We categorize data according to sensitivity to apply appropriate controls at each level.
| Classification | Description | Examples |
|---|---|---|
| Public | Information intended for general availability | Marketing content, published course materials |
| Internal | Operational information not for public release | Internal documentation, process guides |
| Confidential | Sensitive business or user information | Account details, usage analytics |
| Restricted | Highly sensitive data requiring strict controls | Payment data, authentication credentials |
Controls applied to each category scale with the sensitivity level, with restricted data subject to the most rigorous protections.
3. Access Control
3.1 Principle of Least Privilege
Access to systems and data is granted only to personnel who require it to perform their job functions. Permissions are scoped to the minimum level necessary and reviewed on a regular basis. Elevated privileges are subject to additional approval and logging.
3.2 Authentication Requirements
All internal systems require strong authentication. Multi-factor authentication is mandatory for access to production environments, administrative consoles, and any system handling confidential or restricted data. Passwords must meet complexity and length requirements defined in our internal access management standards.
3.3 User Account Management
Access rights are reviewed upon role changes and revoked promptly upon termination or resignation. Dormant accounts are disabled after a defined period of inactivity. Shared credentials are prohibited.
4. Encryption
4.1 Data in Transit
All data transmitted between users and our platform is encrypted using TLS 1.2 or higher. Connections that do not meet minimum protocol requirements are rejected. We enforce HTTP Strict Transport Security (HSTS) across all public-facing domains.
4.2 Data at Rest
Sensitive data stored in our databases and file systems is encrypted using industry-standard symmetric encryption algorithms. Encryption keys are managed through dedicated key management services and are rotated on a defined schedule. Keys are never stored alongside the data they protect.
4.3 Backups
All backup copies of data are encrypted prior to storage and are subject to the same access controls as primary data stores. Backup integrity is verified on a regular basis.
5. Network Security
5.1 Perimeter Controls
Our infrastructure is protected by network firewalls, intrusion detection systems, and traffic filtering rules. Ingress and egress traffic is monitored and filtered based on defined rulesets. Unnecessary ports and services are disabled by default.
5.2 Network Segmentation
Production, staging, and development environments are logically separated. Internal services are isolated from public-facing components. Access between network segments is controlled and logged.
5.3 DDoS Mitigation
We employ distributed denial-of-service mitigation services at the network and application layers to maintain availability during volumetric or application-targeted attacks.
6. Application Security
6.1 Secure Development Practices
Our development process incorporates security at each stage. Developers follow secure coding guidelines. Code changes undergo peer review before merging. Security-focused testing is part of our release pipeline.
6.2 Vulnerability Management
We conduct regular vulnerability scans of our application and infrastructure. Critical and high-severity findings are prioritized for remediation based on risk. Dependency libraries are monitored for known vulnerabilities and updated promptly when patches are available.
6.3 Penetration Testing
We engage qualified security professionals to perform penetration testing on a periodic basis. Findings from these assessments inform our remediation priorities and control improvements.
6.4 Input Validation and Output Encoding
All user-supplied input is validated against expected formats before processing. Output is encoded for the context in which it is rendered (HTML body, attribute, JavaScript, URL) to prevent cross-site scripting, and user input is never interpolated directly into database queries, to prevent SQL injection.
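The following is an added illustration of the two controls named above, not code from this page or from Domain's platform. It uses an in-memory SQLite table with three constructed user rows (hypothetical names and addresses) and contrasts a string-built query with a parameterized one, and raw HTML interpolation with context-appropriate encoding; an allowlist validator for usernames shows the input-validation side. All function names are assumptions made for the example.

```python
import html
import re
import sqlite3

# Constructed sample data for the example (not from the page).
SAMPLE_USERS = [
    ("alice", "alice@example.test"),
    ("bob", "bob@example.test"),
    ("carol", "carol@example.test"),
]


def make_db() -> sqlite3.Connection:
    """Build a throwaway in-memory database holding the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, email TEXT NOT NULL)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", SAMPLE_USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> list:
    # BAD: the caller's string becomes part of the SQL grammar, so a quote in the
    # input rewrites the WHERE clause.
    sql = f"SELECT username, email FROM users WHERE username = '{username}'"
    return conn.execute(sql).fetchall()


def find_user_safe(conn: sqlite3.Connection, username: str) -> list:
    # GOOD: a bound parameter is passed to the engine as a value, never parsed as SQL.
    return conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()


# Allowlist: lowercase letters, digits and underscore, 3..32 characters.
USERNAME_RE = re.compile(r"[a-z0-9_]{3,32}")


def validate_username(username: str) -> bool:
    """Input validation: reject anything outside the expected shape before it is used."""
    return USERNAME_RE.fullmatch(username) is not None


def render_greeting_vulnerable(display_name: str) -> str:
    # BAD: raw interpolation into HTML; a <script> tag in display_name runs in the browser.
    return f"<p>Hello, {display_name}!</p>"


def render_greeting_safe(display_name: str) -> str:
    # GOOD: encode for the HTML text context; quote=True also covers attribute values.
    return f"<p>Hello, {html.escape(display_name, quote=True)}!</p>"


def demo() -> dict:
    """Run both variants against a classic tautology payload and an XSS probe."""
    conn = make_db()
    sqli_payload = "' OR '1'='1"
    xss_payload = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(find_user_vulnerable(conn, sqli_payload)),  # every row leaks
        "safe_rows": len(find_user_safe(conn, sqli_payload)),              # no such user
        "payload_passes_validation": validate_username(sqli_payload),
        "alice_passes_validation": validate_username("alice"),
        "vulnerable_html": render_greeting_vulnerable(xss_payload),
        "safe_html": render_greeting_safe(xss_payload),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The tautology payload returns all three rows from the string-built query and none from the parameterized one; the same input also fails the allowlist check, so in practice it would be rejected before reaching the database at all. Output encoding is applied at render time, not on input, because the same value may later be emitted into different contexts.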
7. Third-Party and Vendor Security
We evaluate third-party vendors and service providers against security criteria before engagement. Vendors with access to confidential or restricted data are required to demonstrate adequate security controls. Data processing agreements are established with vendors where required. Vendor access is scoped, monitored, and revoked upon contract termination.
8. Logging and Monitoring
System and application events are logged centrally and retained for a defined period. Logs include authentication events, administrative actions, and access to sensitive data. Automated alerting is configured for anomalous activity patterns. Log integrity is protected against tampering. Our security team reviews alerts and investigates escalated events.
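As an added example of two of the controls described above (alerting on an anomalous pattern, and tamper-evident log storage), not code from this page or from Domain's monitoring stack: the block below runs a simple brute-force detector over constructed authentication log lines, then stores the same lines in a SHA-256 hash chain and shows that editing a stored entry is detected. The log format, field names, thresholds and function names are all assumptions made for the example.

```python
import hashlib
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample log lines (not from the page): one source retries alice's
# password five times, then succeeds; bob logs in once normally.
SAMPLE_LOG = """\
2026-05-10T12:00:01Z auth login_failed user=alice src=203.0.113.7
2026-05-10T12:00:04Z auth login_failed user=alice src=203.0.113.7
2026-05-10T12:00:06Z auth login_success user=bob src=198.51.100.2
2026-05-10T12:00:09Z auth login_failed user=alice src=203.0.113.7
2026-05-10T12:00:12Z auth login_failed user=alice src=203.0.113.7
2026-05-10T12:00:15Z auth login_failed user=alice src=203.0.113.7
2026-05-10T12:00:20Z auth login_success user=alice src=203.0.113.7
2026-05-10T12:01:30Z admin role_change user=carol actor=bob
""".splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>.*)$")


def parse_line(line: str) -> dict:
    """Parse '<timestamp> <source> <event> k=v k=v ...' into a dict."""
    m = LINE_RE.match(line)
    if not m:
        raise ValueError(f"unparseable log line: {line!r}")
    fields = dict(kv.split("=", 1) for kv in m["kv"].split())
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "source": m["source"], "event": m["event"], **fields}


def detect_bruteforce(lines, threshold: int = 5, window_s: int = 60) -> list:
    """Alert when one source IP logs >= threshold failed logins inside window_s seconds,
    and raise a second alert if that IP then logs a success (likely guessed password)."""
    alerts = []
    failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    flagged = set()
    for entry in map(parse_line, lines):
        if entry["source"] != "auth":
            continue
        src = entry.get("src")
        if entry["event"] == "login_failed":
            recent = failures[src] + [entry["ts"]]
            failures[src] = [t for t in recent if (entry["ts"] - t).total_seconds() <= window_s]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append(f"brute_force src={src} failures={len(failures[src])}")
        elif entry["event"] == "login_success" and src in flagged:
            alerts.append(f"success_after_bruteforce src={src} user={entry['user']}")
    return alerts


GENESIS = "0" * 64  # chain anchor for the first entry


def chain_log(lines) -> tuple:
    """Return (entries, head): each entry hash covers the previous hash plus the line.
    Keeping `head` where the log writer cannot change it makes any edit detectable."""
    prev = GENESIS
    entries = []
    for line in lines:
        h = hashlib.sha256((prev + "\n" + line).encode()).hexdigest()
        entries.append((line, h))
        prev = h
    return entries, prev


def verify_chain(entries, head: str) -> tuple:
    """Recompute the chain. Returns (ok, index_of_first_bad_entry_or_None)."""
    prev = GENESIS
    for i, (line, h) in enumerate(entries):
        if h != hashlib.sha256((prev + "\n" + line).encode()).hexdigest():
            return False, i
        prev = h
    return prev == head, None


def demo() -> dict:
    entries, head = chain_log(SAMPLE_LOG)
    tampered = list(entries)
    line, h = tampered[0]
    tampered[0] = (line.replace("login_failed", "login_success"), h)  # edit without rehashing
    return {
        "alerts": detect_bruteforce(SAMPLE_LOG),
        "intact": verify_chain(entries, head),
        "tampered": verify_chain(tampered, head),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The detector fires once when the fifth failure from 203.0.113.7 lands inside the window and again when a success follows from the same source, which is the case worth paging on. Verification of the untouched chain returns `(True, None)`; after the first stored line is altered it returns `(False, 0)`. An attacker who can rewrite every later hash as well still cannot match a head hash kept outside their reach, which is why the head (or a periodic signature over it) belongs in a separate, write-once location.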
9. Incident Response
9.1 Incident Detection and Classification
We maintain procedures for detecting, reporting, and classifying security incidents. Incidents are categorized by severity to determine response priority and escalation path.
9.2 Response Process
Upon detection of a confirmed security incident, our response process includes containment, investigation, eradication of the cause, and recovery of affected systems. Actions taken are documented throughout the response lifecycle.
9.3 Notification
In the event of a security incident that may affect user data, we will notify affected users in a timely manner through available contact channels. Notifications will include a description of the incident, categories of data involved, and steps being taken to address the situation.
9.4 Post-Incident Review
Following significant incidents, we conduct a post-incident review to identify root causes, assess the effectiveness of our response, and implement control improvements to reduce the likelihood of recurrence.
10. Physical Security
Our platform is hosted in data centre facilities that maintain physical access controls, environmental monitoring, and redundant power and connectivity. Physical access to servers and networking equipment is restricted to authorized personnel. We rely on hosting and infrastructure providers whose facilities are certified against recognized industry standards.
11. Business Continuity and Disaster Recovery
We maintain documented business continuity and disaster recovery plans to support restoration of services in the event of significant disruptions. Recovery objectives are defined and tested periodically. Data backups are replicated across geographically separated locations to support recovery scenarios.
12. Employee Security
All personnel with access to systems or data receive security awareness training at onboarding and on an ongoing basis. Employees are expected to adhere to our internal security policies and to report suspected security incidents promptly. Personnel handling sensitive data are subject to confidentiality obligations.
13. Security Assessments and Audits
Our security controls are subject to internal review and periodic external assessment. We track findings against defined remediation timelines and report on security posture to leadership. Control effectiveness is evaluated on a continuous basis as our platform and threat environment evolve.
14. Responsible Disclosure
We welcome reports from security researchers and users who identify potential vulnerabilities in our platform. If you believe you have discovered a security issue, please contact us directly at [email protected] before disclosing the issue publicly. We commit to acknowledging receipt of your report promptly and to keeping you informed as we investigate and address the issue. We ask that you refrain from accessing or modifying data beyond what is necessary to demonstrate the vulnerability, and that you avoid actions that could harm users or disrupt service availability.
15. Changes to This Policy
We may update this Security Policy from time to time to reflect changes to our infrastructure, controls, or practices. The date at the top of this page indicates when the policy was last revised. Material changes will be communicated through appropriate channels. Continued use of our services after changes take effect constitutes acceptance of the revised policy.
16. Contact
Questions, concerns, or vulnerability reports related to this Security Policy may be directed to us at:
Domain
898 Simcoe St N, Oshawa, ON L1G 4W2, Canada
Email: [email protected]
Phone: +1 780 542 7066