Clavax Limited Information Security Policy Version 2.0

Overview of Clavax™ 

Clavax is a full service outsourced software development company offering bespoke development for companies and business globally. We build systems, apps as well as help businesses with integrations and customization.  

For our clients we integrate with 3rd party services which from time to time handles customer and other identifiable data.  

Clavax also co-owns and operates Novus Loyalty which offers powerful and flexible processing solutions for the following generic environments. Loyalty and Reward Systems; Pre-Paid, Stored Value or Virtual Account Mechanisms; Private Label Card Accounts, Membership & CRM. 

The following document outlines our commitment to data security across all touchpoints of our busines.  

Build and maintain a Secure Network 

This section addresses the ISO & PCI general requirements: 

  • Install and maintain a firewall configuration to protect all personal data. 

  • Do not use vendor-supplied defaults for system passwords and other security parameters. 

Install and maintain a firewall configuration to protect all customer and cardholder data 

Firewall and configuration standards 

Clavax permit firewalls to be implemented in both hardware and software, or a combination of both. 

The firewall host(s) must be dedicated to performing the firewall function. They should not provide other services not a part of the base operating system except those which are integrated into the recommended product (and often into others), specifically routing, DNS, SOCKS, proxy servers, and mail relay, unless those services are directly related to the firewall function (such as user authentication). 

Network design 

Firewall implementation design is dependent on the network traffic requirements of the particular solution provided by either Clavax or third parties. 

Clavax host all data inside of Azure or AWS cloud services and use best practices.  

Database servers must run in Archive Log mode. Daily backups are taken overnight for all databases and the media is stored offsite. The archive logs are backed up throughout the day. 

Standby database servers must run in Standby mode against the Primary database server. If the primary server fails, the standby server automatically takes control to act as primary server maintaining business operations continuity. 

Clavax servers are actively monitored, as is the firewall, database servers and Web Servers. 

Security Policies 

Security Policies that defines the rules for traffic to traverse a firewall and are subject to change. If the firewall is owned by Clavax: 

  • Security Policies are managed by Clavax System Administrators, the ISG Team and ISG Manger. 

  • Requests for Security Policy additions, deletions or changes must be raised as a Corrective Action Report, and subject to Clavax approval or rejection. 

  • The Security Policies are internally audited annually. 

  • Shall formalise access to third parties via Business Partner Contact Agreement. 


The firewall must be configured with “anti-spoofing” filters, which, at a minimum, reject any traffic appearing on any non-secure interface with a source address indicating a secure origin. 


DNS can only run on a firewall host to allow the firewall to provide external resolution for designated hosts, and not for the firewall to function as a general purpose name server. 

Mail Relay 

The firewall may act as a mail relay only but not as a general-purpose mail server. The firewall is prohibited from running end-user mail services such as POP3. 

System Access Logs 

The firewall must log any attempt to connect to it via a “trust” relationship (unless created by the firewall software itself) if the selected software is capable of such logging. 

All traffic denied by the firewall and not specifically excluded from logging as normal “noise” must be logged. 


All administrative access changing the firewall configuration must be logged. 

Review process 

Clavax ensure that all systems undergo periodic security health checking every 90 days, and if required perform corrective actions. 

Clavax store backup or vendor media in protected area, in an office room, which is locked when unattended, or in a locked cabinet when unattended. 

DMZ implementation 

All servers must be protected by firewalls, and be located within a demilitarised zone (DMZ), a subnet that is protected from the Internet by one or more firewalls. 

Vendor-supplied defaults for system passwords and other security parameters 

Clavax do not use vendor-supplied defaults for system passwords and other security parameters. On receipt of vendor products, passwords and other security parameters are immediately reset by Clavax System Administrators. 

Configuration standards 

All Operating Systems, middleware and applications for Clavax installations are installed by Clavax System Administrators. 

On receipt of server or PC hardware, no OS components, or other applications are retained. 

Each server installed to an internal or external location, must be logged in an Asset Register and its configuration documented under change control. Any server movements, changes, or removal of server infrastructure must also be logged with the documented configuration updated. 

Disable non-required services and applications that cause misuse 

Only services and applications relevant and related to the requirements of the customer solution are installed to any server or PC. All redundant or obsolete software components are removed. Sample or trial data including tutorial information is removed at installation. 

Clavax do not install trial software under any circumstances. 

SSL/SSH encryptions 

All data and information sent from the Clavax application to a destination beyond our Firewall is encrypted using Secure Socket Layer (SSL) 128-bit encryption. 

Protect Customer & Cardholder data 

This section addresses the following PCI and general best practice requirements: 

3. Protect stored cardholder data. 

4. Encrypt transmission of customer & cardholder data across open, public networks. 

Protect stored cardholder data 

Retention and disposal policy 

Refer to PTC as no card details are retained in any Clavax/Novus databases. 

PAN storage (credit and debit cards) 

Refer to PTC as no card details are retained in the Clavax/Novus database. 

Protection of any encryption keys (in session encryption) 

Refer to PTC as no card details are retained in the Clavax/Novus database. 

Encrypt transmission of cardholder data across open, public networks 


No Clavax product contains any credit card identification. Card details stored in databases are limited to a single identifier that is mapped to customer or member details. All member details are encrypted when passed across public networks using SSL 128-bit encryption. 

Encryption of PAN 

Refer to PTC as no card details are retained in the Clavax/Novus database. 

Maintain a vulnerability management programme 

This section addresses the following PCI requirements: 

5. Use and regularly update antivirus software. 

6. Develop and maintain secure systems and applications. 

Use and regularly update antivirus software 

Antivirus software is installed to all computer devices under the control of Clavax. 


  • Provide and maintain anti-virus software for all computers and systems; 

  • Respond to virus attacks and initiate corrective action to eliminate detected viruses on all systems; 

  • Implement protection requirements for each user’s computer. 

  • Scan for viruses at least once a week; 

  • Maintain virus definitions constantly, or once a day where the network does not permit. 

Develop and maintain secure systems and applications 

Vendor-supplied patches 

Clavax installs vendor patches once validated by Clavax System Administrators and according to customer Change Management policies. 

Policies and alert service 

A security incident can originate within or outside the Clavax environment, can involve external sites, and can range in severity. IT security incidents potentially involve system penetrations, destruction of data, compromised data, fraud, crime or other serious matter. Other incidents can generally be referred to site management and personnel for resolution. 

Clavax shall coordinate any suspected security incident related to Clavax or one of their systems. Clavax System Administrators are responsible for containing or mitigating damage to data. 

A Security Advisory is a warning of an exposure in a program or process that allows unauthorised users to gain privileged authority on a system, to bypass access controls, or to gain unauthorised access to data. A Security Advisory process is followed to install the fixes. The core requirements for this process are: 

  • Determination of risk severity based on vulnerability rating and exploitation category. 

  • Notification of fix availability 

  • Procedure to determine the schedule for application of the security/integrity fixes. Only advisories with available fixes will be installed. 

  • The process is auditable. 

Security incidents are assigned severities that will be used to determine the implementation time. The following is the criteria used for assigning the severity. 

Vulnerability Rating: 
  • High: Bypassing access control systems or gaining access to a UserID with system or security administrative authority without the need for a general UserID. 

  • Medium: Bypassing access control systems or gaining access to a UserID with system or security administrative authority from an existing general UserID or unauthorised access to data without the need for a general UserID. 

  • Low: Unauthorised access to data from a general UserID or a denial of service attack. 

Exploitation Category: 
  • High: The vulnerability can be exploited by a user with basic skills to bypass access controls intentionally or unintentionally. No understanding of the operating system or environment is needed. Example: by following a simple script. 

  • Medium: The vulnerability can be exploited by a user with intermediate skills to bypass access controls intentionally or unintentionally. Requires the skill to use the command level interface with the operating system or environment. 

  • Low: The vulnerability can be exploited by a user with advanced skills to bypass access controls unintentionally. Requires product specialist or product developer skill levels to use command level interface with the operating system or environment. 

Clavax shall notify customers and issue an implementation schedule on a need-to-know basis. Implementation shall take into account: 

  • Testing. 

  • The availability of the systems that the fix(es) will be applied to ensure no interruption to critical processing unless desired. 

  • The number of systems the fix(es) will be applied to. 

Management signoff 

Systems are maintained as secured by Clavax System Administrators. The CEO of Clavax approves all infrastructure changes to customer systems including security-related updates. 

Access Control measures 

This section addresses the following ISO & PCI requirements: 

7. Restrict access to cardholder data by business need-to-know. 

8. Assign a unique ID to each person with computer access. 

9. Restrict physical access to cardholder data. 

Restrict access to cardholder data by business need-to-know 

User privileges 

Access to all data resources including cardholder data is only to be allowed at the appropriate levels for authorised users, and that access can be denied for unauthorised users. 

Access control system 

Only authorised users can set, modify, or disable system security functions. These are limited to Clavax System Administrators. 

Assign a unique ID to each person with computer access 

UserIDs and passwords are used to access all critical business systems at Clavax. 

User ID's 

Access authority to Clavax systems is based on current business need and controlled by verifying the identity of the user or application.
UserIDs are identifiable to an individual by the assignment of a unique UserID to each individual and the assignment of a password known only to the owner of the UserID.


  • Clavax are a developer of integrations for some clients utilising APIs where personal information is accessed. Access to these APIs vis user ID are provided to developers based on their requirement to access these APIs.

  • No user ID’s are shared between users or developers – each developer must have their own ID

  • All access rights are enforced vis specific group membership

  • This Group membership and access is reviewed no less than quarterly
    Access to all Clavax systems requires that a request is raised by the user needing access, with justification, submitted for approval by Clavax System Administrators.
    When a user leaves the company, goes on leave of absence and is not expected to return to regular employment, or no longer has a valid business need, Clavax System Administrators shall revoke or suspend access immediately.
    The access is reviewed no less than quarterly by Clavax System Administrators.

Password rules 

Clavax password rules apply to all passwords for all systems: 

  • Minimum password length: 8; 

  • Syntax: contain a mix of alphabetic and non-alphabetic characters (number, punctuation or special characters) or a mix of at least two types of non-alphabetic characters; 

  • Maximum change interval: annually / every 12 months where a reminder will be forwarded to each user 4 days prior to the forced change; 

  • Number of password changes where existing passwords cannot be reused: 4; 

  • Sharing of passwords: not permitted. 

  • Factory passwords shipped with software: changed immediately on installation. 

All passwords for all UserIDs on all systems must not be disclosed under any circumstances, or transmitted in clear text form over the Internet, public networks or wireless devices. Passwords must be encrypted at all times. 

Where systems allow, controls should be in place to limit the number of invalid logon password attempts. On reaching the maximum number of retries, the UserID must be locked. 

Passwords associated to UserIDs can be reset on request. 

Where systems allow, business use notices must be used to inform Clavax users of their obligations under this security policy. Recommended text: 

  • “Use of this computer is restricted to authorised users only and for the conduct of business in accordance with your assigned levels of authority. All activity will be monitored. Your use confirms your acceptance of the Clavax Security Policy.” 

Inactivity expiry rules 

Clavax System Administrators actively revalidate all company UserIDs every 6 months. The revalidation determines if there is still a business need for the user to access the system. Users that no longer require access shall have their access revoked. 

Restrict physical access to cardholder data 

Facility entry 

Clavax only installs hardware to Data Centres: 

  • With physical security controls only. 

  • With access strictly limited to Clavax employees whose primary work responsibilities are inside the Data Centre and others with a clear business need for access. 

  • With access only from building areas that the general public does not have access to. 

  • With areas locked even when attended. 

  • With intrusion detection mechanisms. 

  • With implemented Disaster Recovery programmes. 

  • With protection for all Clavax servers and infrastructure devices. 

  • With printed output protected at all times, although printing to printers at the Data Centre location is not Clavax’s responsibility. 


Data Centres housing Clavax infrastructure must have implemented a 24-hour security monitored service to cover: 

  • Intrusion; 

  • Power failures; 

  • Network failures; 

  • Physical disasters such as fire. 

System components are monitored by Clavax such that in the event to a failure (hardware or software), Clavax are immediately alert so as to respond to the issue within any agreed customer SLA agreement. 

Visitor log 

Data Centres housing Clavax infrastructure must have access controls to limit entry to persons authorised to the area only. 

Processes must be in place to identify authorised personnel with a sign in and sign out system. Processes must in place to revoke access where required and to periodically verify continued business need. 

Monitor and test networks 

This section addresses the following PCI requirements: 

10. Track and monitor all access to network resources and cardholder data. 

11. Test security systems and processes. 

Track and monitor all access to network resources and customer/cardholder data 


  • Limit access to networking software to those whose job role includes network support. 

  • Revalidate access to network resources annually. 

Audit trails 

Audit records are created for each successful or unsuccessful access attempt to the system or to protected resources on the system. 

Clavax retains log access for at least 60 days. 

Invalid login attempts 

Clavax retains a log of all successful and unsuccessful access attempts. 

Test security systems and processes 

Clavax has a dedicated test environment for all customer systems. This allows all updates to Production systems to first be validated and approved on Clavax test infrastructure ensuring no risk to Production and customer systems. 

Clavax test staff comply with the Clavax IT Security Policy and the Clavax Software Product Development and Lifecycle Policy. 

Incident Response Plan

As part of our ISO2001:2013 certification – Clavax has an Incident Management policy and set of procedures which cover all data for our organisation set out in our “Information security incident management” document. This also covers companies that we do development with including Amazon.

This plan outlines how we secure and identify threats and incidents and how we report them to all relevant parties.  This Plan is reviewed every 6 months and upon any significant infrastructure changes.

If there is a security incident, it is documented using our Incident Report Template where it is classified as to the nature of the threat and also given a “severity score” which will elevate it to the required management level.

Each incident is the investigated and reported to the Directors of the company and Security Manager who will take appropriate and swift remedial action. Should any of these incidents have a possible impact on partners, or companies or individuals that have data stored in our systems or databases, they are advised and kept informed. Any evidence is retained and stored for complete analysis and disclosure to the relevant persons.

If you want to report an incident to Clavax, please do so via

Maintain Information Security Policy 

This section addresses the following ISO, PCI & general security requirements: 

12. Maintain a policy that addresses information security. 

Maintain a policy that addresses information security 

Clavax will: 

  • Maintain this document. 

  • Review security policies and procedures for effectiveness and recommend improvements on a yearly basis. 

  • Notify customers of significant planned changes to this document and the security policies herein before implementation. 

  • Treat all documentation as confidential, limited to only those employees, customers or other third parties that are required to know. 

  • Manage all documentation using established Change Control processes. 

Clavax security processes include: 

  • Employment Review 

  • UserID Revalidation of Continued Business Need 

  • Health Checking 

  • Security Incident Management 

  • Security/Integrity Advisory Process 

  • TCP/IP Vulnerability Scanning 

  • Host-based Intrusion Detection 

  • Security Technical Tests 

  • Security Process Review 

About Clavax Limited 

Clavax Limited is a specialist software development company focused on the design for itself and clients of various software system incorporating leading-edge technologies. Clavax also develops integration with 3rd party solutions for both ourselves and our clients. 

For more information, go to our Web site at


Book a Consultation

Let's talk to deliver innovation and scale your business faster

First Name
Last Name
Enter Email
Enter Mobile