Security Policy

OptropicGlobal GmbH Last Updated: February 2026

1. Introduction

OptropicGlobal GmbH ("Optropic") is committed to maintaining the security, confidentiality, and integrity of all systems and data. This policy outlines our security practices for the Optropic platform.

2. Scope

This policy applies to:

All Optropic systems and infrastructure
All employees, contractors, and third-party partners
All customer data processed by Optropic

3. Information Security Management

3.1 Governance

Dedicated security team reporting to executive leadership
Quarterly security reviews with board-level reporting
Annual third-party security assessments

3.2 Risk Management

Continuous risk assessment and treatment
Threat modeling for new features
Regular penetration testing

4. Access Control

4.1 Authentication

Multi-factor authentication (MFA) required for all internal systems
API key authentication for programmatic access
Session timeout after 15 minutes of inactivity

4.2 Authorization

Principle of least privilege
Role-based access control (RBAC)
Regular access reviews (quarterly)

4.3 API Keys

SHA-256 hashed before storage
Scoped to specific GTINs or batches when appropriate
Immediate revocation capability

5. Cryptography

5.1 Algorithms

Purpose	Algorithm	Key Size
Digital Signatures	Ed25519	256-bit
Hashing	SHA-3-256	256-bit
Encryption at Rest	AES-256-GCM	256-bit
TLS	1.3	N/A

5.2 Key Management

Hardware Security Modules (HSMs) for enterprise customers
Key rotation policy (annual minimum)
Secure key backup and recovery procedures

6. Data Protection

6.1 Data Classification

Level	Examples	Controls
Public	API documentation	None required
Internal	Architecture diagrams	Access control
Confidential	Customer data	Encryption + access control
Restricted	Private keys	HSM + strict access

6.2 Data Handling

Data encrypted in transit (TLS 1.3)
Data encrypted at rest (AES-256-GCM)
Data retention per GDPR requirements
Secure deletion procedures

6.3 Privacy by Design

Camera images processed locally, never transmitted
Physical features converted to one-way hashes
Verification possible without network connectivity

7. Infrastructure Security

7.1 Cloud Infrastructure

Hosted on SOC 2 compliant cloud providers
Network segmentation and firewalls
DDoS protection
Regular vulnerability scanning

7.2 Monitoring

Centralized logging and SIEM
Real-time alerting for security events
24/7 security operations monitoring

7.3 Incident Response

Documented incident response plan
Defined severity levels and escalation paths
Post-incident review and remediation
Customer notification within 72 hours for data breaches

8. Application Security

8.1 Secure Development

Security requirements in design phase
Code review for all changes
Static application security testing (SAST)
Dynamic application security testing (DAST)

8.2 Dependency Management

Regular dependency updates
Vulnerability scanning of dependencies
Software bill of materials (SBOM)

8.3 Deployment

Immutable infrastructure
Automated security testing in CI/CD
Staged rollouts with automatic rollback

9. Physical Security

Data centers with 24/7 security
Biometric access controls
Video surveillance
Visitor logging

10. Business Continuity

10.1 Backup

Daily encrypted backups
Geographic redundancy
Regular restoration testing

10.2 Disaster Recovery

Documented recovery procedures
Recovery time objective (RTO): 4 hours
Recovery point objective (RPO): 1 hour

11. Third-Party Security

Security assessment before onboarding
Contractual security requirements
Annual security reviews
Data processing agreements

12. Security Awareness

Security training for all employees
Phishing simulations
Security awareness communications

13. Compliance

GDPR compliance
GS1 Digital Link compliance
SOC 2 Type I (targeted Q2 2026)
ISO 27001 (targeted Q4 2026)

14. Vulnerability Disclosure

Report security vulnerabilities to: security@optropic.com

We commit to:

Acknowledge receipt within 24 hours
Provide status updates every 72 hours
Credit researchers after remediation (if desired)
No legal action against good-faith researchers

15. Policy Review

This policy is reviewed annually and updated as needed. Changes are communicated to all stakeholders.

Contact: security@optropic.com

Document Owner: Chief Technology Officer, OptropicGlobal GmbH

1. Introduction​

2. Scope​

3. Information Security Management​

3.1 Governance​

3.2 Risk Management​

4. Access Control​

4.1 Authentication​

4.2 Authorization​

4.3 API Keys​

5. Cryptography​

5.1 Algorithms​

5.2 Key Management​

6. Data Protection​

6.1 Data Classification​

6.2 Data Handling​

6.3 Privacy by Design​

7. Infrastructure Security​

7.1 Cloud Infrastructure​

7.2 Monitoring​

7.3 Incident Response​

8. Application Security​

8.1 Secure Development​

8.2 Dependency Management​

8.3 Deployment​

9. Physical Security​

10. Business Continuity​

10.1 Backup​

10.2 Disaster Recovery​

11. Third-Party Security​

12. Security Awareness​

13. Compliance​

14. Vulnerability Disclosure​

15. Policy Review​