Security Policy

Last updated: November 19, 2025


1. Purpose

This policy defines Tradoly's approach to ensuring the security and integrity of its systems, users, and data, in compliance with GDPR Article 32.

1.1 Technical and Organizational Measures

Tradoly implements industry-standard technical and organizational security measures to prevent unauthorized access, loss, misuse, or unlawful processing of data. These measures are designed to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

Security measures apply across:

  • User accounts and authentication systems
  • Vehicle listings and uploaded content
  • Messaging and communication systems
  • Payment and transaction workflows

These measures include:

  • Encryption in transit using HTTPS/TLS (TLS 1.2+) with strong cipher suites and HSTS enforcement
  • Secure credential storage: passwords are stored as salted PBKDF2-HMAC-SHA256 hashes, never in plaintext or reversible form
  • JWT-based authentication with strict validation, token expiry, and protection against tampering or reuse
  • Role-Based Access Control (RBAC) enforced across application and infrastructure layers, with least privilege principles
  • Input validation and output encoding across APIs and user inputs to prevent injection attacks (SQL/NoSQL/XSS)
  • File upload security controls including file type validation, size restrictions, and malware scanning mechanisms
  • Secure cloud configuration including IAM roles, restricted security groups, private networking, and encryption for storage services (e.g. S3, RDS)
  • Continuous monitoring using SIEM for log aggregation, correlation, and anomaly detection across application and infrastructure
  • Protection against brute-force and automated attacks using rate limiting, request throttling, and anomaly detection
  • Regular patching and vulnerability management for operating systems, dependencies, and application components
  • Secure backup mechanisms with encryption and periodic restoration testing


1.2 Risk-Based Security Approach

Security measures implemented by Tradoly are based on an assessment of risks associated with its marketplace platform, including:

  • User-to-user communication
  • Public listing exposure
  • Financial transactions and payment integrations

Measures are adapted to the level of risk posed to user rights and freedoms, in accordance with GDPR Article 32.

Risks are evaluated based on:

  • Nature of data processed, including personal data, authentication credentials, and transaction-related information
  • Exposure surface of system components, including public-facing APIs, user-generated content, and third-party integrations
  • Sensitivity and criticality of platform functionalities such as authentication, messaging, and payment workflows
  • Likelihood of exploitation based on known attack vectors, system exposure, and historical incident patterns
  • Potential impact on confidentiality, integrity, and availability of systems and user data

Based on this assessment, risks are categorized into severity levels (e.g. low, medium, high) and appropriate technical and organizational controls are applied proportionately.

Risk assessments are conducted periodically and upon significant system changes, including new feature releases, infrastructure modifications, or integration with third-party services. Identified risks are tracked and mitigated through defined remediation processes.

This risk-based approach ensures that security controls are continuously aligned with the evolving threat landscape and platform architecture.

2. Security Controls

  • Encryption: All data transmitted between users and the platform is encrypted via HTTPS/TLS. Sensitive data at rest (e.g. passwords, authentication tokens) is securely hashed or encrypted.
  • Authentication: Secure authentication mechanisms are implemented, including password policies, session management, and optional multi-factor authentication.
  • Access Control: Role-based access controls restrict internal access to systems and user data. Administrative access is logged and monitored.
  • Network Security: Infrastructure is protected using firewalls, intrusion detection systems, and traffic filtering.
  • Backup & Recovery: Regular encrypted backups are taken and a business continuity plan is maintained.
  • Patch Management: Updates and vulnerability fixes are applied regularly.

All data transmitted between users and the platform is encrypted using HTTPS/TLS (TLS 1.2 or higher) with strong cipher suites. Sensitive data at rest is protected using encryption mechanisms such as disk-level encryption. Passwords are hashed with PBKDF2-HMAC-SHA256 using a unique random salt per password: the salt defeats rainbow-table (precomputed hash) attacks, and the iteration count slows offline brute-force guessing if the hash database is ever exposed.
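As an added illustration (not Tradoly's code) of what the salted PBKDF2-HMAC-SHA256 scheme described above looks like in practice, the following Python uses only the standard library. The record format, the 600,000 iteration count and the function names are assumptions made for the example, not values taken from the platform:

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Assumed record format (not Tradoly's): pbkdf2_sha256$<iterations>$<base64 salt>$<base64 hash>
# The iteration count is an assumption; raise it as far as the login latency budget allows.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS, salt: Optional[bytes] = None) -> str:
    """Derive a salted PBKDF2-HMAC-SHA256 hash and return a self-describing record."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password: equal passwords get different records
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=KEY_BYTES)
    return "pbkdf2_sha256$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(dk).decode("ascii"),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iters, salt_b64, hash_b64 = stored.split("$")
        iterations = int(iters)
        salt = base64.b64decode(salt_b64, validate=True)
        expected = base64.b64decode(hash_b64, validate=True)
    except (ValueError, TypeError):
        return False  # malformed record: refuse rather than guess
    if algo != "pbkdf2_sha256" or iterations < 1 or not salt or not expected:
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected))
    # compare_digest does not stop at the first differing byte, so timing reveals nothing about the hash
    return hmac.compare_digest(candidate, expected)


def needs_rehash(stored: str, iterations: int = ITERATIONS) -> bool:
    """True when a record predates the current iteration policy; rehash it on the next successful login."""
    parts = stored.split("$")
    return len(parts) != 4 or parts[0] != "pbkdf2_sha256" or not parts[1].isdigit() or int(parts[1]) < iterations


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record), verify_password("wrong", record))
```

Storing the iteration count inside each record is what allows the policy to be raised later without a mass reset: verify_password honours whatever count the record carries, and needs_rehash flags the old ones for a transparent upgrade at the user's next login.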

JWTs are used for authentication and session management. Tokens are signed and validated on each request, with strict expiry enforcement and protection against token reuse or tampering. Password policies enforce minimum complexity requirements.
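An added example, not Tradoly's implementation, of the checks that "strict validation" of a JWT has to include: the server pins the algorithm instead of trusting the token header, verifies the signature before reading any claim, requires exp, iss and aud, and accepts each jti only once. The signing key, issuer, audience and the single-use jti rule are assumptions made for the demonstration (single-use jti fits refresh or password-reset tokens; per-request access tokens are normally paired with a revocation list instead). Standard library only:

```python
import base64
import hashlib
import hmac
import json
import time
from typing import Any, Dict, Optional, Set


class TokenError(Exception):
    """Any token that must be rejected; the message is for server logs, not for the client."""


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def mint_token(claims: Dict[str, Any], key: bytes, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Issue an HS256 JWT; iat and exp are set by the server, never taken from the caller."""
    now = int(time.time()) if now is None else now
    header = {"alg": "HS256", "typ": "JWT"}
    payload = dict(claims, iat=now, exp=now + ttl_seconds)
    signing_input = "%s.%s" % (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode()),
        b64url_encode(json.dumps(payload, separators=(",", ":")).encode()),
    )
    signature = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(signature)


def verify_token(token: str, key: bytes, issuer: str, audience: str,
                 seen_jti: Set[str], now: Optional[int] = None, leeway: int = 30) -> Dict[str, Any]:
    """Strict validation: pinned algorithm, signature before claims, mandatory exp, iss/aud, single-use jti."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise TokenError("malformed token")
    h_b64, p_b64, s_b64 = parts
    try:
        header = json.loads(b64url_decode(h_b64))
        payload = json.loads(b64url_decode(p_b64))
        signature = b64url_decode(s_b64)
    except ValueError:
        raise TokenError("malformed token")
    # 1. The server decides the algorithm. Honouring header["alg"] is what enables "alg": "none"
    #    and HMAC/RSA key-confusion attacks.
    if not isinstance(header, dict) or header.get("alg") != "HS256":
        raise TokenError("unexpected alg")
    # 2. Check the signature before any claim is used (tamper protection); constant-time compare.
    expected = hmac.new(key, ("%s.%s" % (h_b64, p_b64)).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, signature):
        raise TokenError("bad signature")
    if not isinstance(payload, dict):
        raise TokenError("malformed payload")
    # 3. exp is mandatory; a token without it is rejected, not treated as eternal.
    exp = payload.get("exp")
    if not isinstance(exp, int) or now > exp + leeway:
        raise TokenError("expired or missing exp")
    # 4. Bind to this issuer and audience so a token minted for another service is useless here.
    if payload.get("iss") != issuer or payload.get("aud") != audience:
        raise TokenError("wrong iss/aud")
    # 5. Reuse protection for single-use tokens: each jti is accepted exactly once.
    jti = payload.get("jti")
    if not isinstance(jti, str) or jti in seen_jti:
        raise TokenError("missing or replayed jti")
    seen_jti.add(jti)
    return payload


def token_error(token: str, key: bytes, issuer: str, audience: str, seen_jti: Set[str], now: int) -> Optional[str]:
    """The rejection reason, or None when the token is accepted."""
    try:
        verify_token(token, key, issuer, audience, seen_jti, now=now)
        return None
    except TokenError as err:
        return str(err)


def demo_rejections() -> Dict[str, Optional[str]]:
    """Constructed scenarios on a fixed clock: one valid token and the manipulations the verifier refuses."""
    key = b"example-signing-key-not-a-real-secret"  # assumption; production uses a 32+ byte random secret
    claims = {"sub": "user-42", "iss": "tradoly", "aud": "tradoly-web", "jti": "t-0001"}
    token = mint_token(claims, key, ttl_seconds=60, now=1000)
    h, p, s = token.split(".")
    forged = json.dumps(dict(claims, sub="admin", iat=1000, exp=1060), separators=(",", ":")).encode()
    tampered = "%s.%s.%s" % (h, b64url_encode(forged), s)                     # payload edited, old signature kept
    alg_none = b64url_encode(b'{"alg":"none","typ":"JWT"}') + "." + p + "."   # unsigned token
    seen: Set[str] = set()
    return {
        "valid": token_error(token, key, "tradoly", "tradoly-web", seen, now=1030),
        "replayed": token_error(token, key, "tradoly", "tradoly-web", seen, now=1030),
        "expired": token_error(token, key, "tradoly", "tradoly-web", set(), now=2000),
        "wrong_key": token_error(token, b"other-key", "tradoly", "tradoly-web", set(), now=1030),
        "wrong_audience": token_error(token, key, "tradoly", "tradoly-mobile", set(), now=1030),
        "tampered": token_error(tampered, key, "tradoly", "tradoly-web", set(), now=1030),
        "alg_none": token_error(alg_none, key, "tradoly", "tradoly-web", set(), now=1030),
    }
```

The order of the checks matters: the algorithm is pinned and the signature verified before exp, iss, aud or jti are even read, so nothing in an unsigned or forged token ever influences a decision.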

2.1 Processor Security Compliance

All data processors engaged by Tradoly are required to comply with GDPR security requirements under written data processing agreements. Such agreements ensure that processors implement appropriate technical and organizational measures and process personal data only in accordance with Tradoly's instructions.

2.2 Access Control

Access to personal data is strictly restricted to authorized personnel on a need-to-know basis. Tradoly applies role-based access controls and regularly reviews access rights to ensure compliance with data protection principles.

2.3 User-Generated Content Security

Tradoly enables users to upload listings, images, and communicate with other users.

To mitigate risks:

  • Content may be monitored for malicious or fraudulent activity
  • File uploads are subject to security checks
  • Messaging systems may include abuse detection mechanisms

File upload validation is enforced to prevent the upload of malicious files, including validation of file type, size, and content. Storage services (e.g. object storage buckets) are continuously monitored for suspicious access patterns and malicious activity, with alerting and automated response where applicable.
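The following added Python example, not the platform's code, shows the three upload checks named above (type, size, content) applied together: an extension and MIME allowlist, a size cap, content sniffing from the leading bytes so that a renamed script or a PNG declared as JPEG is refused, and a server-chosen storage name so the user's filename never reaches the filesystem. The size limit, the allowed types and the sample bytes are constructed assumptions:

```python
import os
import re
import secrets
from typing import Dict, Optional, Tuple

MAX_UPLOAD_BYTES = 5 * 1024 * 1024          # assumption: 5 MiB cap per image
ALLOWED_TYPES = {                           # declared MIME -> permitted extensions (an allowlist, not a denylist)
    "image/png": (".png",),
    "image/jpeg": (".jpg", ".jpeg"),
    "image/webp": (".webp",),
}
MAGIC_PREFIXES = (
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
)
SAFE_STEM = re.compile(r"^[A-Za-z0-9_-]{1,64}$")   # no dots: rejects "shell.php" before the final extension


def sniff_image_type(data: bytes) -> Optional[str]:
    """Identify the real file type from its leading bytes, ignoring the name and the declared MIME."""
    for prefix, mime in MAGIC_PREFIXES:
        if data.startswith(prefix):
            return mime
    if data[:4] == b"RIFF" and data[8:12] == b"WEBP":
        return "image/webp"
    return None


def validate_upload(filename: str, declared_mime: str, data: bytes,
                    max_bytes: int = MAX_UPLOAD_BYTES) -> Tuple[bool, str]:
    """Return (accepted, detail). On acceptance, detail is the server-chosen storage name."""
    if not data or len(data) > max_bytes:
        return False, "rejected: size"
    base = os.path.basename(filename.replace("\\", "/"))   # drop any path component (../ or C:\)
    stem, ext = os.path.splitext(base)
    ext = ext.lower()
    if not SAFE_STEM.match(stem):                          # empty, double extension, or unexpected characters
        return False, "rejected: filename"
    if declared_mime not in ALLOWED_TYPES or ext not in ALLOWED_TYPES[declared_mime]:
        return False, "rejected: type"
    actual = sniff_image_type(data)
    if actual != declared_mime:                            # the bytes must agree with what was declared
        return False, "rejected: content mismatch"
    # Never store under the user's name: random name plus the vetted extension.
    return True, secrets.token_hex(16) + ext


def demo_decisions() -> Dict[str, object]:
    """Constructed inputs: plausible image headers plus the usual smuggling attempts."""
    png = b"\x89PNG\r\n\x1a\n" + b"\x00" * 64          # PNG signature + padding (constructed)
    jpeg = b"\xff\xd8\xff\xe0" + b"\x00" * 64           # JPEG SOI + APP0 marker + padding (constructed)
    php = b"<?php system($_GET['c']); ?>"               # web shell body (constructed)
    svg = b"<svg onload=alert(1)></svg>"                # scriptable image format: not on the allowlist
    return {
        "png_ok": validate_upload("car.png", "image/png", png)[0],
        "jpeg_ok": validate_upload("photo.JPG", "image/jpeg", jpeg)[0],
        "php_as_png": validate_upload("car.png", "image/png", php)[1],
        "png_as_jpeg": validate_upload("car.jpg", "image/jpeg", png)[1],
        "double_ext": validate_upload("shell.php.png", "image/png", png)[1],
        "traversal_stripped": validate_upload("../../etc/x.png", "image/png", png)[0],
        "svg": validate_upload("logo.svg", "image/svg+xml", svg)[1],
        "empty": validate_upload("car.png", "image/png", b"")[1],
        "oversize": validate_upload("car.png", "image/png", png, max_bytes=32)[1],
    }
```

A signature check on the first bytes is deliberately not a full parse: it is cheap and catches renamed scripts, but a malware scanner or image re-encoding step, as the policy mentions, is still needed for content that passes the header check.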

Users are responsible for the data they choose to share with others.

3. Monitoring and Audits

Tradoly performs continuous system monitoring, periodic penetration testing, and external audits to ensure ongoing compliance with applicable security standards and to detect vulnerabilities or suspicious activities.

Tradoly monitors platform activity to detect:

  • Suspicious login attempts
  • Fraudulent listings or transactions
  • Abnormal usage patterns

Monitoring may involve automated systems and manual review.

Tradoly infrastructure is integrated with a centralized Security Information and Event Management (SIEM) system for real-time event correlation, anomaly detection, and alerting. Logs from application, database, and infrastructure layers are aggregated and monitored.

Periodic vulnerability assessments and penetration tests are conducted. Automated mechanisms are in place to detect and block suspicious or malicious activity, including brute-force attempts, abnormal traffic patterns, and known attack signatures.

4. Incident Response and Data Breach Handling

Tradoly maintains formal procedures for identifying, reporting, managing, and resolving data breaches in accordance with GDPR requirements.

In the event of a data breach, Tradoly will:

  • Immediately log and investigate the incident.
  • Assess the risk to affected individuals and systems.
  • Take appropriate containment and remediation actions without undue delay.
  • Report the breach to the relevant supervisory authority (AEPD) within 72 hours where required under GDPR Article 33.
  • Notify affected individuals without undue delay where the breach is likely to result in a high risk to their rights and freedoms.

Security incidents may include:

  • Unauthorized access to user accounts
  • Exposure of personal data through system vulnerabilities
  • Compromise of third-party integrations (e.g. payment providers)

Tradoly maintains a formal Incident Response Policy that defines procedures for identification, classification, containment, eradication, and recovery from security incidents. A centralized incident tracking system is used to log, assign, and track incidents through to resolution.

Defined Service Level Agreements (SLAs) and escalation paths ensure timely response and communication. Post-incident reviews are conducted to identify root causes and implement corrective actions.

Affected users are notified, depending on the severity and impact of the incident, via:

  • Email to the registered address
  • In-platform notifications, where applicable

5. User Responsibilities

Users must:

  • Maintain confidentiality of login credentials.
  • Use strong and unique passwords.
  • Avoid sharing sensitive personal data unnecessarily in listings or messages.
  • Verify the identity of other users before engaging in transactions.
  • Report suspicious activity or potential fraud immediately, either by email to support@tradoly.com or through the Tradoly in-app reporting workflow, rather than through external channels.

6. Continuous Improvement

Tradoly continuously enhances its security framework through:

  • Regular risk assessments
  • Monitoring of emerging threats
  • Adoption of industry best practices (ISO 27001 principles)

A Secure Software Development Lifecycle (Secure SDLC) is implemented, including threat modeling, secure design reviews, and code reviews. Security testing such as Static Application Security Testing (SAST), Dynamic Application Security Testing (DAST), and Software Composition Analysis (SCA) is integrated into the development pipeline. Security monitoring systems, including SIEM, are continuously updated to detect evolving threats. Developers and relevant personnel receive periodic security awareness and secure coding training to ensure security controls are integrated throughout the development lifecycle.

Security measures are updated in response to changes in technology, regulatory requirements, and platform functionality.

7. Third-Party and Integration Security

Tradoly relies on third-party providers for services such as:

  • Payment processing
  • Hosting and infrastructure
  • Analytics and communication tools

These providers are selected based on their security standards and are contractually required to implement appropriate safeguards.

Third-party services and integrations are secured through:

  • API integrations secured using authentication mechanisms such as API keys, signed requests, or OAuth where applicable
  • Restriction of third-party access using network controls, IP whitelisting, and least privilege access policies
  • Encryption of data exchanged with third-party services using HTTPS/TLS
  • Continuous monitoring of third-party interactions through centralized logging and SIEM integration
  • Periodic security assessments and due diligence of vendors, including review of their security certifications and practices
  • Periodic review of access to third-party systems, with revocation when no longer required

Tradoly is not responsible for security vulnerabilities originating from third-party systems beyond its control.

8. Data Minimization and Access Limitation

Tradoly limits access to personal data based on necessity and purpose.

Only data required for:

  • Platform functionality
  • Security monitoring
  • Legal compliance

is processed and retained. Access is periodically reviewed and revoked when no longer necessary.

9. Account and Transaction Security

Tradoly implements safeguards to protect:

  • User accounts from unauthorized access
  • Transactions from fraud or manipulation

These safeguards include:

  • Detection of suspicious login behavior, including repeated failed attempts and unusual geolocation patterns
  • Protection against brute-force and credential stuffing attacks using rate limiting, account lockout mechanisms, and anomaly detection
  • Transaction monitoring for fraud or manipulation
  • Secure session management using JWT with strict validation, expiration, and protection against token reuse or tampering
  • Automated alerts and temporary restrictions applied to accounts exhibiting suspicious behavior
  • Integration with SIEM systems for real-time correlation of account and transaction events across the platform
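An added example, not Tradoly's detection logic, of how the login safeguards listed above can be expressed as sliding-window rules run over constructed login events: lockout after repeated failures on one account, a credential-stuffing signal when one IP fails against many different accounts, refusal of logins during a lockout even with the right password, and an alert on a successful login from a country never seen before for that user. Field names, thresholds and the sample events are assumptions:

```python
import json
from collections import defaultdict, deque
from typing import Any, Deque, Dict, List, Set


class LoginMonitor:
    """Sliding-window detection over login events. Thresholds are assumptions, not Tradoly's values."""

    def __init__(self, window: int = 300, max_user_fails: int = 5,
                 max_ip_distinct_users: int = 10, lockout: int = 900) -> None:
        self.window = window                                # seconds of history considered
        self.max_user_fails = max_user_fails                # failures on one account before lockout
        self.max_ip_distinct_users = max_ip_distinct_users  # accounts one IP may fail against
        self.lockout = lockout                              # seconds an account stays locked
        self.user_fails: Dict[str, Deque[int]] = defaultdict(deque)        # user -> failure timestamps
        self.ip_fail_users: Dict[str, Dict[str, int]] = defaultdict(dict)  # ip -> {user: last failure ts}
        self.user_countries: Dict[str, Set[str]] = {}                      # user -> countries of past successes
        self.locked_until: Dict[str, int] = {}
        self.alerts: List[str] = []

    def process(self, ev: Dict[str, Any]) -> List[str]:
        now, user, ip, country, ok = ev["ts"], ev["user"], ev["ip"], ev["country"], ev["ok"]
        findings: List[str] = []
        if now < self.locked_until.get(user, 0):
            findings.append(f"locked:{user}")               # refused even with the right password
        elif not ok:
            fails = self.user_fails[user]
            fails.append(now)
            while fails and fails[0] < now - self.window:   # keep only failures inside the window
                fails.popleft()
            if len(fails) >= self.max_user_fails:           # brute force against one account
                self.locked_until[user] = now + self.lockout
                findings.append(f"lockout:{user}")
            per_ip = self.ip_fail_users[ip]
            per_ip[user] = now
            for stale in [u for u, t in per_ip.items() if t < now - self.window]:
                del per_ip[stale]
            if len(per_ip) >= self.max_ip_distinct_users:   # one source, many accounts: credential stuffing
                findings.append(f"credential_stuffing:{ip}")
        else:
            seen = self.user_countries.setdefault(user, set())
            if seen and country not in seen:                # success from a country never seen for this user
                findings.append(f"new_country:{user}:{country}")
            seen.add(country)
            self.user_fails.pop(user, None)                 # a success resets the failure window
        self.alerts.extend(findings)
        return findings


def run_monitor(log_text: str) -> List[str]:
    """Feed one JSON event per line through the monitor and return every alert raised, in order."""
    monitor = LoginMonitor()
    for line in log_text.strip().splitlines():
        monitor.process(json.loads(line))
    return monitor.alerts


# Constructed sample log (assumed field names): five failures on alice, a login during her lockout,
# bob succeeding from a second country, and one IP failing against ten different accounts.
SAMPLE_EVENTS = (
    [{"ts": 1000 + 10 * i, "user": "alice", "ip": "203.0.113.7", "country": "ES", "ok": False} for i in range(5)]
    + [{"ts": 1100, "user": "alice", "ip": "203.0.113.7", "country": "ES", "ok": True},
       {"ts": 1200, "user": "bob", "ip": "198.51.100.2", "country": "ES", "ok": True},
       {"ts": 1300, "user": "bob", "ip": "192.0.2.44", "country": "BR", "ok": True}]
    + [{"ts": 1400 + i, "user": "u%02d" % i, "ip": "198.51.100.9", "country": "US", "ok": False}
       for i in range(1, 11)]
)
SAMPLE_LOG = "\n".join(json.dumps(e) for e in SAMPLE_EVENTS)

if __name__ == "__main__":
    for alert in run_monitor(SAMPLE_LOG):
        print(alert)
```

The per-account and per-IP rules are kept separate on purpose: credential stuffing rarely trips a per-account threshold because each account sees only one or two attempts, so it is only visible when failures are grouped by source. In a SIEM the same two groupings become two correlation rules over the same login events.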