1. Security Introduction

This security policy applies to our website, mobile applications, and all digital services. Our main objectives are:

• Data Confidentiality: Protecting your personal and financial information from unauthorized access.
• Data Integrity: Ensuring information is not altered or destroyed without authorization.
• Service Availability: Keeping services running and available to authorized users.
• Risk Reduction: Identifying and preventing potential security threats.

Security Level: 95%

Our security systems are regularly updated and audited by third parties. We are committed to maintaining the highest security standards.

2. Data Encryption

We use strong encryption technologies to ensure your data security:

• SSL/TLS Encryption: All data transfer between website and users is protected with 256-bit SSL encryption.
• Database Encryption: Sensitive information (passwords, NID numbers, birth dates) is stored in encrypted format.
• End-to-End Encryption: Critical information exchange ensures end-to-end encryption.
• Password Hashing: Passwords are never stored in plain text. bcrypt algorithm is used for hashing.

3. User Data Protection

We implement the following measures to protect your personal information:

• Minimum Data Collection: We collect only the minimum information necessary for service delivery.
• Limited Data Use: Your information is used only for specific purposes with your consent.
• Data Retention Period: Information is stored only as long as necessary, then securely deleted.
• Access Control: Only authorized officials can access your information, with all activities logged.
• Third-Party Sharing: Information is not shared with third parties without legal obligation or your explicit consent.

4. Password Security

To ensure your account security, we follow these password policies:

• Password Complexity: Minimum 8 characters with uppercase, lowercase, number, and special character.
• Password Hashing: Passwords are never stored in plain text. bcrypt algorithm is used.
• Password Expiry: Passwords must be changed every 90 days for security.
• Password Reset: Password reset available via email or SMS verification.
• Two-Factor Authentication: 2FA is mandatory for important transactions.

5. Session Management

To ensure your login session security:

• Session Timeout: Automatic logout after 15 minutes of inactivity.
• Session ID Encryption: Session IDs are stored encrypted and changed regularly.
• Concurrent Sessions: Multiple sessions from the same account are not allowed.
• Session Monitoring: All sessions are monitored for suspicious activity.
• Logout Button: Always click logout button when ending your session.

6. DDoS Protection

Our website is protected against DDoS (Distributed Denial of Service) attacks:

• Cloud-Based Protection: Using Cloudflare and AWS Shield for DDoS attack prevention.
• Rate Limiting: Limiting requests from a single IP address.
• Web Application Firewall: WAF filters malicious traffic.
• Traffic Analysis: Real-time traffic analysis to detect abnormal activity.
• Automatic Scaling: Automatic resource scaling during traffic spikes.

Last 12 months: 150+ DDoS attacks successfully prevented with zero service disruption.

7. Malware Protection

Protection measures against malware and viruses:

• Regular Scanning: All files and databases are regularly scanned for malware.
• Real-Time Monitoring: Every uploaded file is scanned for viruses in real-time.
• File Type Restriction: Only allowed file types (PDF, JPG, PNG) can be uploaded.
• Antivirus Software: Latest antivirus software installed on servers and regularly updated.
• Secure Coding: Protection against SQL Injection, XSS, and CSRF attacks.

8. Data Backup

To protect against data loss:

• Regular Backup: Full database backup taken daily.
• Incremental Backup: Changed data backup every 6 hours.
• Multiple Locations: Backups stored in three geographically separate locations.
• Backup Retention: Daily: 30 days, Weekly: 3 months, Monthly: 1 year.
• Backup Testing: Regular testing of data restoration functionality.

9. Security Incident Management

Our response procedure for security incidents:

• Detection: Security incidents detected through automated monitoring systems.
• Investigation: Analysis of incident cause and impact.
• Containment: Quick action to limit damage (isolating affected systems, blocking access).
• Resolution: Problem resolution and system restoration.
• Reporting: Notification to relevant authorities and affected users.
• Prevention: Measures to prevent future occurrences.

10. User Responsibilities

You also have responsibilities to ensure security:

• Keep Password Secure: Never share your password with anyone. Use strong passwords.
• Logout: Always click the logout button when ending your session.
• Report Suspicious Activity: Report any unusual activity immediately.
• Software Updates: Keep your device's browser and antivirus updated.
• Public Computers: Clear browser cache and history when using public computers.
• Phishing Awareness: Be cautious of suspicious emails/SMS using the Union Council's name.

11. Digital Holding Tax Management System Security

Union Council Union Council uses the Digital Holding Tax Management System developed by Const-tech Software. This system includes additional security features:

Security Compliance

We conduct annual third-party security audits and submit reports to relevant authorities. Last security audit completed: April 11, 2026

Vulnerability Disclosure

If you discover any security vulnerability in our system, please inform us. We respect responsible disclosure:

• Send details to security@dhtms.xyz
• Provide minimal information to demonstrate the vulnerability
• Do not attempt unauthorized access to others' information
• Allow us time to resolve the issue before disclosure