Security note

Your Trust Matters. Your Security is Our Priority.

At Broos Action Innovations, we understand that security isn’t optional; it’s foundational. Every product we build, every service we deliver, and every interaction with our platform is protected by industry-leading security measures, rigorous compliance standards, and a relentless commitment to safeguarding your data.

This page outlines the comprehensive security architecture protecting Broos Action services, best practices for staying safe online, and our transparency commitments to you.

Security at Broos Action

Security is woven into everything we do. Our approach is built on five pillars:

1. Defense in Depth

We don’t rely on a single security measure. Instead, we layer multiple controls:

Network-level firewalls and DDoS protection
Application-level validation and encryption
Database encryption and access controls
Regular penetration testing and vulnerability assessments
Continuous monitoring and threat detection

2. Zero Trust Architecture

We operate under the principle that no user, device, or system is inherently trusted, internal or external. Every access request is:

Authenticated (who are you?)
Authorized (what are you allowed to do?)
Encrypted (is your communication secure?)
Monitored (is this normal behavior?)
Logged (can we audit what happened?)

3. Encryption Everywhere

Data in Transit: All communication between your browser and our servers uses TLS 1.3 (the latest encryption standard).
Data at Rest: Sensitive data in our databases is encrypted using AES-256 encryption.
End-to-End Encryption: Where applicable (e.g., Broos Action Office), we offer end-to-end encryption so only you can read your data.

4. Security by Design

Security reviews happen before code is deployed, not after. We:

Conduct threat modeling during development
Perform secure code reviews
Run automated security testing
Test disaster recovery and failover scenarios
Update security measures as threats evolve

5. Transparency & Accountability

We’re honest about our security posture. We:

Maintain a public security page (you’re reading it)
Pursue industry certifications
Disclose security incidents responsibly
Respond to vulnerability reports immediately
Provide audit logs and transparency reports

Product & Service Security

Aria Studio Security

Aria Studio, our low-code development platform, incorporates enterprise-grade security:

Application Security:

Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS, command injection).
Output Encoding: Data displayed to users is properly encoded to prevent rendering-based attacks.
CSRF Protection: Cross-Site Request Forgery tokens protect against unauthorized actions on your account.
Rate Limiting: API endpoints are rate-limited to prevent brute-force attacks and abuse.
Content Security Policy (CSP): Restricts which resources can be loaded, preventing unauthorized script injection.

Code-Level Security:

All code is written with secure coding standards (OWASP Top 10 compliance).
Dependency scanning identifies vulnerable third-party libraries automatically.
Static application security testing (SAST) scans code for common vulnerabilities.
Dynamic testing (DAST) simulates real attacks to identify runtime vulnerabilities.

Access Control:

Role-based access control (RBAC) ensures users can only perform authorized actions.
Multi-factor authentication (MFA) protects accounts from unauthorized access.
API keys and tokens are rotated regularly.
Session timeouts prevent unauthorized access via abandoned sessions.

Cloud Hosting & Infrastructure Security

Our cloud infrastructure is designed for maximum security and reliability:

Network Security:

DDoS Protection: Multi-layer DDoS mitigation blocks volumetric, protocol, and application-layer attacks.
Web Application Firewall (WAF): Blocks common web attacks in real time.
Virtual Private Cloud (VPC): Your infrastructure is isolated in a private network.
Network Segmentation: Different security zones (DMZ, app, database) are isolated from each other.
VPN & Bastion Hosts: Administrative access goes through encrypted VPN tunnels and bastion hosts.

Compute Security:

Virtual Machine Isolation: Each server is isolated from others, with memory and CPU isolation.
Automated Patching: Security updates are applied automatically, often without downtime.
Intrusion Detection: Behavior-based detection identifies and blocks malicious activity.
File Integrity Monitoring: Changes to system files are logged and alerted in real time.

Database Security:

Encryption: Databases are encrypted at rest and in transit.
Access Control: Database access is restricted by IP, user role, and time.
Audit Logging: All database queries are logged for compliance and forensic analysis.
Regular Backups: Encrypted backups are stored geographically separately and tested regularly.

API Security

Our APIs are built with security-first principles:

API Authentication & Authorization:

API keys are long, randomly generated, and rotated regularly.
OAuth 2.0 support for third-party integrations.
Fine-grained permissions control what each API key can access.
Rate limiting prevents abuse and ensures fair resource allocation.

API Encryption:

TLS 1.3 encryption for all API communication.
Payload encryption for sensitive data.
Signature verification to prevent tampering.

API Monitoring:

Real-time detection of abnormal API usage patterns.
Alerting on suspicious activity (e.g., bulk downloads, failed authentication attempts).
Detailed audit logs for compliance and forensics.

Broos Action Office Security

Our privacy-focused collaboration suite includes:

Email Security:

End-to-end encryption (PGP/GPG support) for maximum privacy.
Spam filtering and phishing detection.
Two-factor authentication.
Zero-knowledge architecture (even we can’t read your emails).

Video Conferencing:

End-to-end encryption for all video calls.
No recording without explicit consent.
Waiting rooms and password protection for meetings.
Automatic removal of expired recordings.

Document Management:

Encrypted document storage.
Granular sharing controls.
Version history and audit trails.
Zero-knowledge backup options.

Infrastructure Security

Data Centers & Cloud Providers

We partner with world-leading cloud providers (AWS, Azure, Google Cloud) that maintain:

SOC 2 Type II compliance
HIPAA compliance (for healthcare)
FedRAMP compliance (for US government)
Physical security with biometric access, surveillance, and armed guards
Redundant power, cooling, and network systems
Regular third-party security audits

Geographic Redundancy

Your data is replicated across geographically diverse regions:

Automatic failover if a data center experiences issues
No single point of failure
Disaster recovery tested quarterly
99.9%+ uptime guarantee backed by SLA credits

Monitoring & Alerting

We monitor everything, 24/7:

CPU, memory, disk, and network metrics
Application performance and error rates
Security events and access attempts
Backup and disaster recovery status
Automated alerts notify our team of anomalies

Data Protection

What Data We Collect

We collect only data necessary to provide our services:

Account information (name, email, company)
Usage data (which features you use, when, how often)
Technical data (IP address, browser type, device type)
Payment data (processed securely by PCI-DSS-compliant third parties)

How We Use Your Data

Service Delivery: To provide, maintain, and improve our services
Support: To help you when you contact us
Security: To detect and prevent fraud and abuse
Analytics: To understand usage patterns and improve our product
Legal Compliance: To meet regulatory requirements

We do NOT:

Sell your data to third parties
Use your personal data to target you with advertisements
Share your data with other customers
Train AI models on your proprietary content

Data Retention

Active Accounts: Data is retained while you’re a customer
Deleted Accounts: Data is deleted within 30 days of account deletion (some residual data may exist in backups for 90 days)
Legal Holds: We may retain data longer if required by law

Your Rights

Under GDPR, CCPA, and other privacy laws, you have rights to:

Access: Request a copy of your data
Correction: Update inaccurate data
Deletion: Request permanent deletion (subject to legal obligations)
Portability: Export your data in standard formats
Opt-Out: Limit how we use your data for marketing

To exercise these rights, contact [email protected].

Compliance & Certifications

Industry Standards & Certifications

ISO 27001:2022 (Information Security Management)
Demonstrates our commitment to information security across all systems and processes.

SOC 2 Type II (Service Organization Control)
Annual audit confirms our controls over security, availability, processing integrity, confidentiality, and privacy.

GDPR (General Data Protection Regulation)
Compliance with EU privacy regulations, including data processing agreements and privacy impact assessments.

HIPAA (Health Insurance Portability & Accountability Act)
For healthcare clients, we maintain HIPAA compliance with business associate agreements, encryption, and audit controls.

CCPA/CPRA (California Consumer Privacy Act)
Compliance with California privacy laws, including data sale prohibition and consumer rights support.

PCI DSS (Payment Card Industry Data Security Standard)
For payment processing, we meet PCI DSS Level 1 standards through secure third-party processors.

GDPR Data Processing Agreements
We sign Data Processing Agreements (DPAs) with all customers, confirming our role as a data processor.

Regular Audits

Annual Third-Party Audits: Independent firms audit our security controls and compliance.
Penetration Testing: We hire ethical hackers to test our systems for vulnerabilities quarterly.
Vulnerability Scanning: Automated tools scan our infrastructure and applications daily.
Code Reviews: All code changes are reviewed by at least one other engineer.
Compliance Reviews: We audit our processes against our policies quarterly.

Your Website Security

If you’re using Broos Action services (Aria Studio, hosting, APIs, Office), here’s what’s protecting your data:

HTTPS/TLS Encryption

All Broos Action services use HTTPS (TLS 1.3). You’ll see a padlock icon in your browser—click it to verify our SSL certificate.

What this means:

Your login credentials are encrypted
Your data transfers are encrypted
No one between you and our servers can see your data
The connection is authenticated (you’re really talking to Broos Action, not an imposter)

Account Security

Multi-Factor Authentication (MFA):
Enable MFA on your account to require a second form of authentication (e.g., authenticator app, SMS code) beyond your password. This dramatically reduces account compromise risk.

Session Management:
Sessions expire after inactivity (configurable in your account). Log out when using shared computers.

Password Security:

Use a strong, unique password (16+ characters, mix of types)
Never reuse passwords across sites
Consider a password manager
We never store your password in plain text; we store a cryptographic hash

Phishing & Social Engineering

Be cautious of:

Emails claiming to be from Broos Action asking for your password (we’ll never ask)
Links in suspicious emails (go directly to broosaction.com, broos.io, broos.app, broos.link instead)
Unsolicited calls claiming to be from support (verify by calling our official number)
Downloads from untrusted sources

Malware & Virus Protection

While Broos Action protects our servers, your device is also your responsibility:

Keep your operating system updated
Run antivirus/anti-malware software
Be cautious downloading files from unknown sources
Don’t disable security warnings

Best Practices for Online Security

For Individuals

1. Use Strong, Unique Passwords

At least 16 characters, mixing uppercase, lowercase, numbers, and symbols
Don’t reuse passwords across sites
Use a password manager to store them securely

2. Enable Multi-Factor Authentication (MFA)

Use authenticator apps (Google Authenticator, Microsoft Authenticator) over SMS when possible
MFA prevents account compromise even if your password is stolen

3. Keep Software Updated

Enable automatic updates for your OS, browser, and applications
Vulnerabilities are patched regularly, and updates protect you

4. Use a VPN on Public WiFi

Public WiFi is insecure; use a VPN to encrypt your traffic
A VPN encrypts all your data, preventing eavesdropping

5. Verify URLs Before Clicking

Hover over links to see the actual URL
Phishing links often look similar to legitimate ones
When in doubt, go directly to the site

6. Be Suspicious of Unsolicited Messages

Phishing emails often appear legitimate
Don’t click links or download attachments from suspicious senders
Hover over links to verify the destination
Call companies directly if you’re unsure

7. Monitor Your Accounts

Review login activity regularly
Set up alerts for suspicious activity
Check your credit reports for unauthorized activity

8. Secure Your WiFi

Use WPA3 encryption (or WPA2 if WPA3 isn’t available)
Use a strong, unique WiFi password
Disable WPS (WiFi Protected Setup)
Hide your SSID if possible

9. Back Up Your Data

Use cloud backup (Google Drive, Dropbox, OneDrive) or external hard drives
Test restores periodically
Keep backups offline for ransomware protection

10. Educate Yourself

Learn to recognize phishing attempts
Stay informed about current threats
Take online security courses

For Businesses

1. Implement Identity & Access Management (IAM)

Use single sign-on (SSO) for centralized authentication
Enforce MFA company-wide
Regularly audit user access and remove inactive accounts

2. Data Classification & Encryption

Classify data by sensitivity (public, internal, confidential)
Encrypt confidential data at rest and in transit
Limit access to sensitive data on a need-to-know basis

3. Employee Training

Conduct security awareness training regularly
Simulate phishing attacks to identify vulnerable employees
Create a culture of security consciousness

4. Incident Response Planning

Develop an incident response plan
Designate a security team
Test your plan annually
Know who to contact in case of a security incident

5. Vendor Security Management

Evaluate third-party vendor security before integrating
Require vendors to sign security agreements
Conduct periodic security assessments of critical vendors

6. Network Segmentation

Separate critical systems from general networks
Restrict access between network segments
Monitor traffic between segments for anomalies

7. Regular Backups & Disaster Recovery

Backup critical data regularly
Test restore procedures
Keep backups offline and geographically distributed

8. Penetration Testing

Conduct annual penetration tests
Fix identified vulnerabilities promptly
Document and track all findings

9. Security Monitoring & Logging

Centralize logs from all systems
Monitor for suspicious activity
Set up alerts for critical events
Retain logs for compliance and forensics

10. Compliance Management

Understand applicable regulations (GDPR, HIPAA, PCI DSS, CCPA)
Implement controls to meet compliance requirements
Document compliance efforts
Conduct compliance audits

Responsible Disclosure

If you discover a security vulnerability, we appreciate you reporting it to us responsibly rather than publicly disclosing it.

How to Report a Vulnerability

Email: [email protected]

Include:

Description of the vulnerability
Steps to reproduce
Potential impact
Your contact information
Your GPG key (if you’d like encrypted communication)

Our Commitment

Acknowledgment: We’ll acknowledge receipt within 24 hours
Investigation: We’ll investigate and determine the severity
Fix: We’ll develop and test a fix
Notification: We’ll notify you when the fix is deployed
Credit: We’ll credit you in our security advisory (with your permission)
No Legal Action: We won’t take legal action against good-faith vulnerability researchers

Out of Scope

We don’t consider the following vulnerabilities:

Vulnerabilities in outdated browsers or systems
Issues that require physical access to data centers
Social engineering attacks
Denial of service attacks (unless novel or particularly impactful)
Vulnerabilities in third-party services we use

Security Incident Response

In the unlikely event of a security incident, here’s our process:

Detection & Isolation

Our monitoring systems detect anomalous activity
The security team investigates immediately
Affected systems are isolated to prevent further compromise
Incident severity is determined

Notification

If customer data is breached, we notify affected customers within 24 hours
Notifications include what data was accessed and recommended actions
We provide 24/7 support hotline during incidents
We notify relevant authorities as required by law

Investigation & Remediation

Forensic analysis determines how the incident occurred
Root cause is eliminated
All affected systems are patched and monitored
A third-party forensic firm may be engaged for major incidents

Post-Incident

We conduct a post-mortem to prevent recurrence
Improvements are documented and implemented
Incident summary is published (without compromising privacy)
All remediation measures are completed before systems return to normal

Your Rights During an Incident

Request a copy of our forensic report
Receive regular updates on investigation progress
Receive credit monitoring (if applicable)
Request data deletion post-incident

Disclaimer

Important Legal Notice

No Guarantee of Absolute Security

While Broos Action Inc maintains comprehensive security measures, no system is 100% secure. The internet is inherently risky. We cannot guarantee:

Absolute prevention of all attacks
Recovery from all types of data loss
100% uptime (though we maintain 99.9%+ uptime)
Protection against all future vulnerabilities

Your use of Broos Action services constitutes acceptance of these risks.

User Responsibility

You are responsible for:

Maintaining the confidentiality of your login credentials
Protecting your devices with antivirus software and firewalls
Keeping your software updated
Using secure networks and avoiding public WiFi
Monitoring your account for unauthorized activity
Notifying us immediately of suspected security breaches
Complying with applicable laws and regulations
Backing up your important data

Limitation of Liability

To the maximum extent permitted by law:

Broos Action is not liable for indirect, incidental, consequential, or punitive damages
Our total liability for any claim shall not exceed the amount you paid in the past 3 months (subscription-based services)
We are not liable for loss of data, business, revenue, or profits resulting from security incidents

Third-Party Services

We use third-party services (e.g., cloud providers, payment processors) that have their own security policies. We’re not responsible for their security practices beyond what’s stated in our agreements with them.

Changes to Security Practices

We may update our security measures at any time without notice. Material changes will be communicated via email or on this page.

No Warranty

Broos Action services are provided “as is” without warranty of any kind, express or implied. We make no guarantees regarding:

Merchantability
Fitness for a particular purpose
Non-infringement of third-party rights

Contact & Support

Security Questions & Concerns

Email: [email protected]
Phone: +260 954 922329
Hours: 24/7 for security incidents

Security is a partnership. We invest heavily in protecting our systems and your data, but your cooperation strong passwords, MFA, caution with phishing, regular backups is essential.

If you have questions about our security practices, we encourage you to ask. Transparency builds trust, and trust is the foundation of our relationship.

Thank you for trusting Broos Action Innovations with your business.

Broos Action Security Team
Last Updated: December 30, 2025

Cart review