Security Practices Disclosure

This disclosure outlines Vibble’s enterprise-grade security architecture, operational safeguards, data protection controls, and governance systems designed to protect users, infrastructure, and digital operations across Nexa-Group.

1. Governance & Security Leadership

Vibble’s security program is overseen by:

  • Chief Information Security Officer (CISO)
  • Security Engineering & Threat Response Division
  • Security Governance, Risk & Compliance (GRC)
  • Vulnerability Management & Research Team
  • Incident Response & Digital Forensics Unit

Nexa-Group maintains unified governance standards aligned with ISO 27001, NIST CSF, SOC 2, GDPR, DSA, OSA, and global cybersecurity frameworks.

2. Infrastructure & Network Security Controls

  • Zero-Trust Network Architecture
  • Multi-region redundant cloud deployment
  • WAF, Bot Mitigation, DDoS Shielding (Layer 3–7)
  • Encrypted VPC-to-VPC private networking
  • Ephemeral compute instances for sensitive workloads
  • Continuous traffic anomaly detection

3. Application Security & SDLC Controls

Vibble applies a secure development lifecycle (SDLC):

  • Automated dependency scanning (SCA)
  • Static & dynamic application testing (SAST/DAST)
  • Threat modeling for all new features
  • Secure code reviews by senior engineers
  • CI/CD pipeline signing + artifact integrity checks
  • Secrets never stored in code (central secret vault)

4. Data Protection Controls

  • Encryption at rest: AES-256
  • Encryption in transit: TLS 1.3 or higher
  • Hashed passwords using Argon2id
  • Role-based access control (RBAC)
  • Privileged Access Auditing (PAM)
  • Event-level monitoring on all data access

5. Continuous Monitoring & Threat Detection

  • SIEM with real-time correlation
  • 24/7 SOC monitoring
  • Automated anomaly detection for: login patterns, botnet behavior, ATO signatures
  • Red/yellow alert tiering for rapid escalation
  • Behavioral analysis to detect abuse and malware

6. Internal Security Training

All employees undergo:

  • Mandatory security onboarding
  • Quarterly phishing simulations
  • Annual secure engineering certification
  • Role-based access training

7. Contact

Security Team: security@vibble.com
Nexa-Group Security: security@nexa-group.org
Emergency Response: emergency@vibble.com
