
Security Policy

Last updated: May 11, 2026

1. Our Commitment

Vegebuddy Technologies takes the security of your account, your personal data, and your payment information seriously. This Security Policy describes the controls we have in place and the responsibilities we share with you to keep your VegeBuddy experience safe.

2. Data in Transit

  • All traffic between the VegeBuddy app, our website, and our servers is encrypted with TLS 1.2 or higher.
  • HTTPS is enforced site-wide on vegebuddy.com via HSTS (HTTP Strict Transport Security).
  • Payment fields are sent directly from your device to our PCI DSS–compliant payment processors over their own encrypted channels.

3. Data at Rest

  • User and application data are stored on managed cloud infrastructure with provider-level encryption at rest (AES-256).
  • Media (photos, posts, profile images) are stored on object storage with restricted, signed-URL access where appropriate.
  • Access to production data is limited to authorised engineers and protected by multi-factor authentication.

4. Payment Security

VegeBuddy does not store full credit-card numbers or full bank credentials. All payment instruments are handled by our certified processor:

  • Razorpay Curlec — PCI DSS compliant, Bank Negara Malaysia–approved, covering cards, FPX online banking, and supported e-wallets

Card transactions are protected with 3D Secure (3DS) wherever the issuing bank supports it. See our Payment Policy for more.

5. Account Security

We protect your account with:

  • Hashing of credentials (passwords are never stored in plaintext)
  • Session and token expiry, plus the ability for you to log out remote devices
  • Optional sign-in with Apple and Google to reduce password reuse
  • Sensitive-action confirmation (e.g. email changes, deletions) via in-app or email verification

To keep your account safe, please:

  • Use a unique, strong password that you do not reuse elsewhere
  • Keep your phone’s operating system and the VegeBuddy app up to date
  • Sign out on shared devices
  • Never share your one-time codes or verification links

6. Data Privacy & Retention

We collect and use personal data in line with our Privacy Policy and the Malaysian Personal Data Protection Act 2010 (PDPA). You may request access, correction, or deletion of your data at any time by emailing vegelahmy@gmail.com.

7. Application & Infrastructure Security

  • Production access is gated by IAM with least-privilege and audit logging
  • Secrets and API keys are stored in managed secret vaults and rotated when exposure is suspected
  • Dependencies are continuously scanned for known vulnerabilities; patches are applied promptly
  • Server logs are centralised, retained for a limited period, and not used for marketing

8. Incident Response

If a security incident is suspected, we follow an internal incident-response plan that includes containment, investigation, customer notification (where required by law), and post-incident review. Where the PDPA or other applicable law requires us to notify users or regulators, we will do so without undue delay.

9. Reporting a Vulnerability

If you believe you have found a security vulnerability in VegeBuddy, please report it confidentially to vegelahmy@gmail.com with:

  • A description of the issue and the affected component (app, web, API)
  • Reproduction steps or proof-of-concept
  • Your preferred contact for follow-up

We appreciate responsible disclosure. Please do not access more data than is necessary to demonstrate the issue, and do not publicly disclose the vulnerability until we have had a reasonable opportunity to investigate and remediate.

10. Changes to this Policy

We may update this Security Policy as our practices evolve. The current version is always available at this URL with the updated effective date.

11. Contact

Security or data-protection enquiries: vegelahmy@gmail.com.