At Mirana Property Management Software, the security of your data is paramount. This Security Policy outlines the measures we take to protect your personal and financial information, maintain system integrity, and ensure compliance with applicable Ethiopian laws and international best practices.
1. Organizational Security
- Security Governance: Our leadership team has established a dedicated Security Committee responsible for defining and enforcing security policies, ensuring adherence to Ethiopian regulations such as Proclamation No. 518/2007 (Cybercrime Proclamation), and aligning with ISO/IEC 27001 guidelines.
- Roles & Responsibilities: All employees and contractors undergo mandatory security training and are assigned clear responsibilities for protecting Mirana’s systems and data. We require background checks for personnel handling sensitive information.
- Vendor Management: Third-party partners, including EthioInfo, NAC, Chapa, and telebirr, are vetted for security compliance. We require them to maintain security practices consistent with our standards and sign data protection agreements.
2. Physical Security
- Data Centers: Our production servers are hosted in ISO/IEC 27001-certified data centers within Ethiopia and abroad (for redundancy). Physical access is restricted to authorized personnel via multi-factor authentication, biometric controls, and 24/7 surveillance.
- Office Security: Mirana’s Addis Ababa office employs access control (key cards) and CCTV monitoring. Visitor logs and escorted access are enforced.
3. Network Security
- Firewalls & Segmentation: We deploy enterprise-grade firewalls (Fortinet) and VLAN segmentation to isolate sensitive environments (e.g., production, QA).
- Intrusion Detection & Prevention: We utilize IDS/IPS solutions (Snort) and continuous network monitoring to detect and respond to suspicious activity in real-time.
- VPN & Secure Remote Access: Authorized employees use a secure VPN with multi-factor authentication (MFA) for remote access. All remote connections are logged and regularly audited.
4. Application Security
- Secure Development Lifecycle (SDL): All code is developed following OWASP Secure Coding Guidelines. Pull requests undergo mandatory code review, and static application security testing (SAST) is integrated into our CI/CD pipeline (GitLab CI).
- Dynamic Testing & Penetration Testing: We conduct quarterly dynamic application security testing (DAST) using tools like OWASP ZAP. Annual third-party penetration tests are performed by certified security firms.
- Dependency Management: Dependencies are scanned for vulnerabilities using Dependabot. Outdated or vulnerable packages are patched or replaced promptly.
- Input Validation & Sanitization: All user inputs are validated and sanitized to prevent SQL injection, Cross-Site Scripting (XSS), and other common web vulnerabilities.
- Authentication & Authorization: We enforce strong password complexity, store credentials using bcrypt hashing, and require MFA for all administrative accounts. Access controls follow the principle of least privilege.
5. Data Security
- Encryption in Transit: All data transmitted between users and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
- Encryption at Rest: Sensitive data (e.g., passwords, payment tokens) is encrypted at rest using AES-256. Database backups are encrypted and stored in secure offsite locations.
- Key Management: Encryption keys are managed via AWS KMS (or local HSM) with strict access controls and periodic rotation.
- Data Minimization & Anonymization: We collect only necessary data and anonymize or pseudonymize where possible. Aggregated analytics data is stored in a de-identified manner.
6. User and Access Management
- Role-Based Access Control (RBAC): Access to application modules and data is governed by RBAC. Roles are regularly reviewed and adjusted to ensure least privilege.
- Multi-Factor Authentication: Mandatory MFA for all Mirana staff. Property Managers and Renters can enable MFA for their accounts, which we strongly recommend.
- Session Management: Sessions expire after 30 minutes of inactivity. Users are logged out after 24 hours or upon password change.
- Account Lockout: After five failed login attempts, accounts are temporarily locked for 30 minutes to prevent brute-force attacks.
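The lockout and session rules stated in this section, as an added illustration that is not Mirana's own code: a hypothetical in-memory LoginGuard that locks an account for 30 minutes after five consecutive failed logins (rejecting even a correct password while locked), expires sessions after 30 minutes of inactivity or 24 hours in total, and voids existing sessions when the password changes. The password verifier is supplied by the caller (the bcrypt check described in section 4 is assumed to sit behind it), and a production deployment would keep this state in a shared store rather than in process memory.

```python
import secrets
from dataclasses import dataclass
MAX_FAILED_ATTEMPTS = 5               # policy: lock after five failed logins
LOCKOUT_SECONDS = 30 * 60             # policy: temporary lock lasts 30 minutes
IDLE_TIMEOUT_SECONDS = 30 * 60        # policy: session expires after 30 min idle
ABSOLUTE_TIMEOUT_SECONDS = 24 * 3600  # policy: forced logout after 24 hours
@dataclass
class Session:
    user: str
    password_version: int  # the user's password version at login time
    created_at: float
    last_seen: float

class LoginGuard:
    def __init__(self, check_password):
        self._check_password = check_password  # caller-supplied verifier, e.g. bcrypt.checkpw
        self._failed: dict[str, int] = {}       # consecutive failed attempts per user
        self._locked_until: dict[str, float] = {}
        self._pw_version: dict[str, int] = {}   # bumped on every password change
        self._sessions: dict[str, Session] = {}

    def attempt_login(self, user: str, password: str, now: float) -> str:
        if now < self._locked_until.get(user, 0.0):
            return "locked"  # even a correct password is rejected while locked
        if not self._check_password(user, password):
            self._failed[user] = self._failed.get(user, 0) + 1
            if self._failed[user] >= MAX_FAILED_ATTEMPTS:
                self._locked_until[user], self._failed[user] = now + LOCKOUT_SECONDS, 0
                return "locked"
            return "denied"
        self._failed[user] = 0
        sid = secrets.token_urlsafe(32)  # unguessable session id
        self._sessions[sid] = Session(user, self._pw_version.get(user, 0), now, now)
        return sid

    def is_session_valid(self, sid: str, now: float) -> bool:
        s = self._sessions.get(sid)
        if s is None:
            return False
        stale = (now - s.last_seen > IDLE_TIMEOUT_SECONDS
                 or now - s.created_at > ABSOLUTE_TIMEOUT_SECONDS
                 or s.password_version != self._pw_version.get(s.user, 0))
        if stale:
            del self._sessions[sid]  # expired sessions are dropped, not refreshed
            return False
        s.last_seen = now
        return True

    def change_password(self, user: str) -> None:
        self._pw_version[user] = self._pw_version.get(user, 0) + 1  # voids old sessions
```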
7. Infrastructure Security
- Server Hardening: Operating systems and servers are hardened according to CIS Benchmarks. Unused services and ports are disabled.
- Patch Management: Servers and software receive security patches weekly. Critical vulnerabilities are patched within 48 hours of release.
- Configuration Management: Infrastructure is defined as code using Terraform or Ansible. Changes undergo peer review and automated testing.
8. Monitoring & Logging
- Centralized Logging: All logs (application, system, and security logs) are shipped to a centralized SIEM (e.g., ELK Stack or Splunk) for analysis and retention.
- Real-Time Monitoring: We monitor system performance and security events 24/7. Alerts are configured for suspicious activities such as multiple failed logins or unusual data access patterns.
- Log Retention: Logs are retained for a minimum of one year to meet forensic and compliance requirements under Ethiopian law.
9. Incident Response & Breach Management
- Incident Response Plan: We maintain a documented Incident Response Plan detailing roles, communication channels, and steps to contain, eradicate, and recover from security incidents.
- Incident Detection & Reporting: Security incidents are detected via automated alerts and manual reports. All employees are required to report suspected incidents immediately to the Security Team.
- Post-Incident Review: After any incident, we conduct a root cause analysis and implement corrective measures to prevent recurrence.
- Notification Obligations: In compliance with Ethiopian Data Protection regulation (Proclamation No. 35/1996) and best practices, affected users and regulators will be notified promptly if personal data is compromised.
10. Business Continuity & Backup
- Data Backups: Daily backups of critical data are performed and stored encrypted in geographically separate locations. Backup integrity is tested weekly.
- Disaster Recovery Plan: Our Disaster Recovery Plan outlines RTO/RPO objectives, recovery procedures, and alternate infrastructure. We conduct annual drills to validate readiness.
- High Availability: Production systems are deployed across multiple availability zones to ensure redundancy and minimize downtime.
11. Compliance & Audits
- Regulatory Compliance: We comply with Ethiopian laws including Proclamation No. 35/1996 (Computer Crime) and any sector-specific regulations. We also align with global best practices such as ISO/IEC 27001.
- Third-Party Audits: Annual security audits and penetration tests are conducted by certified external auditors. Findings are remediated within agreed SLAs.
- Internal Audits: Our Security Committee performs quarterly internal audits to assess adherence to security policies and identify areas for improvement.
12. Employee Training & Awareness
- Security Training: All employees complete mandatory security training upon hire and annual refreshers covering topics such as phishing, password hygiene, and secure coding.
- Phishing Simulations: We conduct quarterly phishing simulations to gauge employee awareness and provide additional coaching where needed.
- Policy Acknowledgment: Employees must acknowledge our Information Security Policy and Data Protection guidelines during onboarding and whenever updates occur.
13. User Responsibilities
- Account Security: Users must choose strong, unique passwords and enable MFA where available. Do not share credentials.
- Safe Usage: Log out of accounts when not in use and avoid using shared or public devices without proper logout.
- Reporting: Report any suspicious activity, unauthorized access, or security incidents to security@miranapm.com immediately.
14. Children’s Privacy & Security
Our Services are not intended for individuals under 18. We do not knowingly collect or store personal data from minors. If you believe a minor’s data has been collected, contact security@miranapm.com to request deletion.
15. Changes to This Security Policy
We may update this Security Policy to reflect new security practices, legal requirements, or risk assessments. Changes will be posted here with an updated effective date. Users are encouraged to review it periodically.
16. Contact Us
For security-related inquiries or to report incidents, contact:
Security Team
Mirana Property Management Software
Addis Ababa, Ethiopia
Email: security@miranapm.com
Phone: +251116684114