Information security is a top priority at Sainskerta. This page explains the security practices and policies we apply to protect client data, source code, and our infrastructure.
1. Encryption
All data transmission between user browsers and our servers is secured with TLS 1.3 and automatically renewed certificates.
Sensitive stored data (databases, backups, file storage) is encrypted at rest using AES-256. Encryption keys are managed via separate cloud key-management services with periodic rotation.
2. Access Control
We follow the principle of least privilege: every team member has access only to the systems and data strictly required for their work.
Access to production systems requires multi-factor authentication (MFA) and single sign-on (SSO), and every action is recorded in full audit logs. Access rights are reviewed quarterly.
3. Auditing and Monitoring
All system and data access is recorded in immutable audit logs retained for at least 12 months. Anomalies are detected automatically by our SIEM and triaged 24/7 by our on-call team.
We run automated vulnerability scanning across all code at every stage (pre-commit, CI, and production runtime) using tools such as Snyk, Dependabot, and gitleaks.
4. Incident Response
We maintain a tested incident-response playbook with a 24/7 on-call team for production client systems.
If a data incident occurs that could cause harm, we will notify clients and relevant authorities within 72 hours, in line with UU PDP 27/2022. A complete postmortem is shared with affected clients.
5. Regulatory Compliance
We operate in compliance with Indonesia's UU PDP 27/2022 and its implementing regulations. For financial-sector clients, we support OJK compliance including POJK rules on information technology and AI model use.
For clients requiring ISO 27001, SOC 2, or similar certification, we are ready to collaborate with third-party auditors.
6. Vulnerability Reporting
If you discover a security vulnerability in our site or services, we sincerely appreciate responsible disclosure.
Send reports to security@sainskerta.id. Include a description, reproduction steps, and potential impact. We will respond within 48 hours and inform you once the issue is resolved.
We will not pursue legal action against security researchers who report in good faith and follow responsible-disclosure practices.