1. Scope
This policy describes the security measures Luxi applies to all systems that process personal data, payment data, or operational data underpinning the booking service. It is reviewed at least annually and after any material incident.
2. Data classification
- Confidential — payment card data (captured by the payment provider, never stored by Luxi; see section 3), government-ID copies (driver onboarding). Encrypted at rest with rotated keys.
- Restricted — booking PII, contact details, support tickets. Access limited to staff with operational need.
- Internal — business analytics, aggregated reports. Access limited to staff.
- Public — published content (blog, glossary, marketing pages).
3. Encryption
- In transit: all luxi.gr traffic served over HTTPS with TLS 1.2 or higher. HSTS enabled with 1-year max-age. Insecure cipher suites disabled.
- At rest: production database encrypted with AES-256. Backups encrypted with separate keys. Credentials and API tokens stored in a dedicated secrets vault.
- Payment data: never stored on Luxi infrastructure. Card details captured directly by our PCI-DSS Level 1 payment provider.
- Passwords: stored as bcrypt hashes, each with its own random salt. Plain-text passwords are never logged or persisted, and leave the client only over TLS during authentication.
4. Access control
- Role-based access control on production systems; least-privilege default.
- Multi-factor authentication required for all administrative accounts and any access to confidential or restricted data.
- Quarterly access review of all production accounts.
- Departed staff lose access within one business hour of departure.
- All production access logged centrally with 12-month retention.
5. Vulnerability management
- Automated dependency scanning on every code change; critical vulnerabilities patched within 72 hours of detection.
- Quarterly external penetration test by an accredited third party.
- Bug bounty: responsible disclosure rewarded — report to [email protected]. We commit to a 48-hour acknowledgement and no legal action for good-faith research.
6. Network & perimeter
- Cloudflare in front of the origin for DDoS mitigation, WAF (OWASP rule set), bot management.
- Origin restricted to Cloudflare IP ranges where supported.
- SSH access to servers via key-based authentication only; password authentication disabled.
7. Application security
- CSRF protection on all state-changing endpoints.
- Output escaping in all user-facing templates by default; explicit raw rendering only where verified safe.
- Parameterised database queries throughout; raw SQL avoided.
- Content Security Policy headers, X-Frame-Options SAMEORIGIN, X-Content-Type-Options nosniff.
- Strict cookie attributes (Secure, HttpOnly where applicable, SameSite=Lax).
8. Backups & recovery
- Daily encrypted backups, retained on rolling 35-day schedule.
- Weekly restore tests on a non-production environment.
- Recovery Point Objective: 24 hours. Recovery Time Objective: 4 hours for booking service, 24 hours for non-critical components.
9. Incident response
We maintain a documented incident response plan covering detection, containment, eradication, recovery and post-incident review. In the event of a personal-data breach reaching the GDPR notification threshold (Art. 33):
- Hellenic Data Protection Authority notified within 72 hours of discovery.
- Affected individuals notified without undue delay when the breach is likely to result in high risk to their rights and freedoms (Art. 34).
- Public incident report published on luxi.gr after investigation.
10. Staff training & conduct
- Mandatory security and data-protection training for all staff at onboarding and annually thereafter.
- Background checks for staff with access to confidential data.
- Confidentiality clauses in all employment and contractor agreements.
11. Reporting a vulnerability
Found something? Email [email protected] with a description, reproduction steps and your contact details. Our security.txt file lists the PGP key and the disclosure terms.
See also: GDPR Policy, Data Retention Policy, Privacy Policy.