Security

We design Ughoron Cloud to be safe against three primary classes of risk: insider mistakes, opportunistic external attackers, and targeted intrusions by adversaries with significant resources. Every architectural choice is filtered through this lens.

We assume the network is hostile. We assume employees will sometimes click the wrong link. We assume keys will sometimes leak. Every layer is designed to fail safely, not catastrophically.

All data is encrypted in transit and at rest, using modern algorithms and managed keys.

Internal access to production systems is granted on least-privilege, role-based principles. Direct database access is forbidden; all changes go through reviewed, logged tooling. We use FIDO2 hardware keys for all administrative access; passwords alone never grant production access.

Ughoron Cloud runs on hardened cloud infrastructure operated by MainOne (Nigeria) and AWS (Frankfurt, Cape Town). Each region is isolated; data does not leave the region you select. All traffic crosses Cloudflare's edge for DDoS protection, WAF, and rate limiting.

Internal services communicate over mTLS on a private network. Every service has its own identity; the principle of least authority applies all the way down.

Every code change is reviewed by at least one engineer not on the change author's team, plus an automated security checker that catches the OWASP Top 10. Releases pass through staging, where synthetic monitors and a tiny fraction of real traffic exercise the new code before it rolls out widely.

We run penetration tests twice yearly with independent firms. The most recent report is available to Enterprise customers under NDA.

All databases are backed up continuously, with point-in-time recovery to any moment in the last 35 days. Backups are encrypted, region-pinned, and tested monthly via automated restore drills.

Our Recovery Time Objective (RTO) is 4 hours and our Recovery Point Objective (RPO) is 5 minutes for all paid tiers; Enterprise customers may negotiate stricter targets.

We welcome reports of vulnerabilities from the security community. Email security@ughoron.cloud with the details and a proof of concept; we will acknowledge within 24 hours and keep you updated through resolution.

We pay bounties for valid reports, scaled to severity. We will not pursue legal action against good-faith researchers who follow our disclosure policy (available at ughoron.cloud/security).

We maintain a documented incident response process with clearly defined severity tiers and on-call rotations. For incidents that affect customer data, we notify affected customers within 72 hours of confirming impact, along with what happened, what we did, and what you should do.

Our public status page (status.ughoron.cloud) carries real-time service health and a post-mortem for every Severity 1 incident.

Where we are today on the certifications customers ask about:

Our security team is available at security@ughoron.cloud for any question, concern, or report. For urgent issues affecting live data, mark the subject line URGENT and we will respond within 1 hour.