Cybersecurity & Breach Policy.

Security controls and breach response. Last updated: 23 May 2026.

  • HTTPS: baseline
  • 2FA: admin
  • 72h: notify

Incident response

Reasonable controls. Honest about limits. Fast when something is wrong.

Covers technical controls, detection, containment, notification, recovery, and how to report a security or privacy concern.

01 · Security Controls

  • HTTPS / TLS across the entire site.
  • Restricted access to administrative tools; least-privilege principle.
  • Strong password discipline and password manager use.
  • Two-factor authentication where supported.
  • Encryption in transit; encryption at rest where the underlying service supports it.
  • Vendor due diligence on third-party processors.
  • Periodic review of access, logs, and configuration.

02 · No Absolute Guarantee

No digital system is 100% secure. Despite reasonable controls, no platform can guarantee that data is fully immune to compromise. By using the site you accept this inherent risk.

03 · Incident Response

If a suspected security incident occurs, we follow these steps:

  1. Detect — identify the anomaly via logs, monitoring, or user report.
  2. Contain — restrict access, rotate credentials, isolate affected systems.
  3. Assess — determine scope, data categories affected, likely cause.
  4. Notify — inform affected users and, where required by law, regulators.
  5. Recover — restore systems, validate integrity, monitor for recurrence.
  6. Document — record the incident and the corrective actions.

04 · Breach Notification

If a personal data breach is likely to result in a risk to your rights, we will notify the relevant supervisory authority and affected users without undue delay, consistent with UAE Federal Decree-Law No. 45 of 2021 (Personal Data Protection Law). Where the law specifies a timeframe, we aim to meet or beat it.

05 · User Responsibility

Users are responsible for protecting their own credentials, devices, and email accounts. We will never ask for your password. We will never ask you to install unsolicited software. Treat any such request as suspicious and report it.

06 · Limitation of Liability

To the extent permitted by UAE law, ashmo.io is not liable for losses caused by events beyond reasonable control, including DDoS attacks, hosting provider outages, third-party processor breaches, supply-chain compromises, and zero-day exploits, where reasonable security controls were in place.

07 · Report a Security or Privacy Concern

If you believe you have found a vulnerability, or have a security or privacy concern, email hello@ashmo.io with the subject line "Security concern". We respond as quickly as possible and treat reports confidentially.