Stallion logo

Information Security Policy

Redhorse Technologies Private Limited

Version 1.4 • Effective March 11, 2026

Introduction

At Redhorse Technologies Private Limited, security is foundational to everything we build. This Information Security Policy establishes the framework, principles, and practices we follow to protect our systems, safeguard customer data, and maintain the trust our users place in us.

React Native Stallion operates as a remote-first SaaS service, with all infrastructure hosted in the cloud. We do not maintain on-premises production infrastructure, which allows us to leverage the security capabilities and redundancy of leading cloud providers while maintaining a lean, focused security program.

Scope

This policy applies to all systems, infrastructure, and applications used to deliver React Native Stallion services. It covers all cloud-hosted production, staging, and development environments, as well as all information assets owned or processed by the Company. All personnel associated with Redhorse Technologies, including employees, founders, contractors, and consultants, are expected to comply with this policy.

Governance

Executive management holds ultimate responsibility for information security at Redhorse Technologies. The Information Security Officer serves as the designated security owner, responsible for implementing and maintaining security controls, authorizing access to production environments, coordinating incident response activities, and conducting periodic reviews of security policies and practices.

Directors provide governance oversight of information security risks and support appropriate allocation of resources for security controls. Due to the size of our organization, certain responsibilities may be performed by the same individuals, with appropriate oversight applied.

Information Security Principles

We ensure the confidentiality, integrity, and availability of information through a risk-based approach. Information is protected against unauthorized access or disclosure, safeguarded against unauthorized modification, and maintained in an accurate and complete state. Systems and data are accessible to authorized users when required for business operations.

Our risk management approach involves identifying potential threats and vulnerabilities, assessing potential impact to operations and customers, implementing appropriate safeguards, and reviewing risks periodically and upon significant change.

Operational Security Commitments

Security is integrated into Stallion's operations through controlled access to systems based on business need, use of strong authentication mechanisms, separation of development, staging, and production environments, controlled deployment processes, centralized logging and monitoring, automated cloud-managed backup processes, and defined incident response practices.

Our infrastructure is hosted on Amazon Web Services (AWS), with analytics data stored in Google BigQuery. Content delivery and security services are provided by Cloudflare. We leverage the security capabilities and redundancy of these industry-leading providers while maintaining our own security controls and access management.

Access Control

Access to systems and data is governed by the principle of least privilege. Users are granted only the minimum access necessary to perform their job functions.

Multi-Factor Authentication (MFA)

Multi-Factor Authentication (MFA) is mandatory and enforced for all user accounts accessing the Stallion platform. MFA cannot be disabled or bypassed for any user account. Access to the platform is blocked until MFA enrollment is completed.

Our MFA implementation requires:

  • Passkey authentication as the primary authentication method, providing strong cryptographic authentication
  • Email OTP (One-Time Password) as a secondary authentication factor delivered via email

Users must complete MFA enrollment before gaining access to any platform functionality. This mandatory enforcement ensures that all user accounts are protected by multi-factor authentication from initial account creation.

Single Sign-On (SSO)

Enterprise customers can integrate Stallion with their existing identity providers through:

  • OpenID Connect (OIDC) for OAuth 2.0-based authentication
  • SAML 2.0 for enterprise identity federation

SSO integration enables centralized identity management and allows customers to enforce their own authentication policies, including additional MFA requirements, through their identity provider.

CI/CD Token Authentication

Stallion supports CI/CD token authentication for automated deployment workflows. CI tokens are:

  • Issued with appropriate scopes for specific deployment operations
  • Logged and auditable for security investigations
  • Subject to regular review and rotation

Token Scoping: Fine-grained token scoping capabilities are planned as part of our security roadmap to enable more granular access control for CI/CD tokens, allowing customers to restrict tokens to specific applications, environments, or operations.

Access Management

Production environment access is strictly controlled and limited to authorized personnel with a demonstrated business need. Access rights are reviewed regularly, and permissions are promptly revoked upon role changes, transfers, or termination of employment.

All access events, including successful and failed authentication attempts, are logged and retained for security audit purposes.

Data Protection

We classify data based on sensitivity levels, including public, internal, and confidential categories. All sensitive data is protected using explicit encryption standards and controls.

Encryption in Transit

All data in transit is protected using TLS (Transport Layer Security) version 1.2 or higher. TLS 1.3 is preferred and used where supported. All connections to Stallion services, including API endpoints, web interfaces, and data transfer operations, are encrypted using TLS. We do not support unencrypted connections for any customer data transmission.

Encryption at Rest

All customer data stored at rest is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys), which is the current industry standard for symmetric encryption.

Customer data, including application bundles, configuration data, and metadata, is stored in Amazon Web Services (AWS) S3 with server-side encryption enabled. Encryption keys are managed through AWS Key Management Service (KMS), which provides centralized key management, access control, and audit capabilities.

Key Management and Data Access Separation

Encryption keys are stored separately from encrypted data, ensuring that:

  • Encrypted customer data is stored in AWS S3 buckets
  • Encryption keys are managed independently through AWS KMS
  • Access to encryption keys requires separate authentication and authorization
  • Key access events are logged and auditable

This separation ensures that even if data storage systems are compromised, encrypted data cannot be decrypted without access to the separate key management system.

Customer Data Access Limitations

Stallion services are architected to minimize access to customer data in plaintext. Customer data remains encrypted at rest, and Stallion's operational systems are designed to limit decryption of customer data to explicit, logged, and authorized processes for legitimate business purposes such as providing support, troubleshooting issues, or fulfilling contractual obligations.

When customer data must be accessed for support purposes, such access is:

  • Logged and auditable
  • Limited to the minimum data necessary for the specific purpose
  • Subject to access controls and approval processes
  • Documented in accordance with our data handling procedures

Customer data is treated with the highest level of care and is accessed only when necessary for legitimate business purposes.

Vendor and Third-Party Security

Redhorse Technologies manages third-party risk through a structured vendor risk management process. We perform documented risk assessments prior to onboarding any vendor that will process, store, or access Company or customer data. Vendor security posture is reviewed before onboarding, including evaluation of security certifications, compliance reports, or publicly available security documentation where applicable.

Vendors are classified based on risk level (critical, high, medium, low), and access to systems and data is limited based on business necessity and least privilege. Written agreements defining security and confidentiality obligations are executed before granting access to sensitive data.

Critical and high-risk vendors are reviewed at least annually, while medium-risk vendors are reviewed at least once every 24 months. Vendor reviews include reassessment of security posture and contractual compliance. Vendor risk assessments are updated upon significant service changes or known security incidents.

Payment processing is handled exclusively by PCI DSS-compliant providers including Razorpay, PayPal, and Stripe. Redhorse Technologies does not store, process, or transmit payment card data directly, ensuring that sensitive financial information remains protected by specialized payment processors.

Secure Development Practices

Our engineering teams follow secure coding practices aligned with industry standards, including the OWASP Top 10 and other recognized security guidelines. Development, staging, and production environments are logically separated to prevent unauthorized access and reduce the risk of accidental data exposure.

All changes to production systems undergo review prior to deployment. We employ version control, automated testing, and deployment pipelines that include security checks as part of our continuous integration and delivery processes.

Logging and Monitoring

Comprehensive logging is enabled across all critical systems to support security monitoring, incident investigation, and compliance requirements.

Types of Events Logged

The following categories of events are explicitly logged:

Access Events:

  • User authentication attempts (successful and failed)
  • MFA enrollment and verification events
  • SSO authentication events
  • Session creation and termination
  • API access events
  • CI/CD token usage events

Configuration Changes:

  • System configuration modifications
  • Security policy changes
  • Access control modifications
  • Deployment and update operations
  • Token creation, modification, and revocation

Security-Relevant Events:

  • Failed authentication attempts
  • Unauthorized access attempts
  • Suspicious activity patterns
  • Security policy violations
  • Incident-related activities

Log Retention

All security and audit logs are retained for 30 days from the date of generation. This retention period supports:

  • Operational troubleshooting
  • Security incident investigations
  • Compliance verification
  • Forensic analysis when required

Logs are stored in secure, encrypted storage systems and are accessible only to authorized personnel for legitimate security and operational purposes.

Log Availability for Security Investigations

Retained logs are available for security investigations upon request. When security incidents occur or are suspected, logs can be retrieved and analyzed to:

  • Determine the scope and impact of security events
  • Identify the root cause of incidents
  • Support forensic analysis
  • Provide evidence for compliance or audit purposes

Log access is logged and auditable to ensure that log retrieval activities are themselves subject to security controls.

Audit Trail for Token Changes

All CI/CD token operations are logged and auditable, including:

  • Token creation events (including creator, timestamp, and initial scopes)
  • Token modification events (including scope changes and access modifications)
  • Token revocation events (including revoker, timestamp, and reason)
  • Token usage events (including API calls made using tokens)

This audit trail enables security teams to track token lifecycle and usage, investigate potential security incidents, and ensure compliance with access control policies.

Incident Response

Redhorse Technologies maintains a structured incident response process to ensure rapid and effective handling of security events. Our approach follows five key phases: identification of potential incidents through monitoring and reporting channels, immediate containment and mitigation to limit impact, thorough investigation to determine root cause and scope, notification of affected parties where required by law or contract, and post-incident review to identify improvements and prevent recurrence.

Incident Investigation Support

When security incidents occur or are suspected, we provide investigation support through:

  • Retained Logs: Security and audit logs retained for 30 days are available for incident investigation. These logs enable analysis of access events, configuration changes, and security-relevant activities to determine the scope and impact of security events.
  • Log Analysis: Our technical team can analyze retained logs to identify the root cause of incidents, determine the scope of impact, and support forensic investigation activities.

Customer Notification

Customer notification for security incidents is handled through our established support channels. Customers are notified of security incidents that may affect their data or services through:

  • Direct communication via established support channels
  • Email notifications to registered account contacts
  • In-console notifications where applicable

Notification procedures are designed to provide timely and accurate information while ensuring that incident response activities are not compromised by premature disclosure.

All personnel are instructed to report suspected security incidents immediately to management. We conduct periodic reviews of our incident response capabilities and update procedures based on lessons learned.

Business Continuity and Disaster Recovery

Critical systems and data are backed up regularly using automated, cloud-provider mechanisms. All backups are encrypted and stored in geographically separate locations to protect against regional outages or disasters. Recovery procedures are documented and reviewed periodically to ensure they remain current and effective.

Our infrastructure is designed with redundancy and fault tolerance in mind, minimizing single points of failure and enabling rapid recovery in the event of system disruptions.

Content Delivery Network (CDN) Resilience

Stallion's update delivery infrastructure utilizes a high-availability CDN configuration with primary and secondary failover capabilities. This architecture ensures:

  • Primary CDN: Primary content delivery network handles normal traffic and update distribution
  • Secondary CDN Failover: Automatic failover to secondary CDN in the event of primary CDN unavailability

This redundant CDN architecture minimizes the risk of service disruption and ensures that OTA updates can be delivered even in the event of CDN provider issues.

OTA Update Security and Anti-Rollback Protection

Stallion implements comprehensive security controls for over-the-air (OTA) updates to protect against malicious code injection, unauthorized modifications, and downgrade attacks.

End-to-End Code Signing

All application bundles and patches distributed through Stallion are signed using cryptographic signatures. The signing process includes:

  • Bundle Signing: Application bundles are cryptographically signed before distribution
  • Patch Signing: Incremental patches are signed to ensure integrity
  • End-to-End Verification: The signing process covers the entire update pipeline from build to client deployment

Client-Side Verification

Before applying any OTA update, client applications perform verification:

  • Signature Verification: Client applications verify cryptographic signatures before applying updates
  • Integrity Checks: File-level integrity verification ensures that updates have not been tampered with during transmission or storage
  • Verification Failure Handling: Updates that fail verification are rejected and not applied

This client-side verification ensures that only properly signed and verified updates are applied to customer applications.

Runtime Version Binding and Anti-Rollback Protection

Stallion implements runtime version binding to prevent downgrade attacks:

  • Version Binding: Updates are bound to specific runtime versions of the application
  • Downgrade Prevention: The system prevents installation of updates that would downgrade the application to a previous version
  • Version Validation: Client applications validate version compatibility before applying updates

This protection ensures that attackers cannot roll back applications to versions with known vulnerabilities.

Manual Version Cutoff

Stallion supports manual cutoff mechanisms for older application versions:

  • Version Cutoff: Administrators can manually disable updates for specific application versions
  • Legacy Version Management: Older app versions can be explicitly blocked from receiving updates
  • Security Control: This mechanism enables proactive security control by preventing updates to versions that should no longer be supported

Rollback Mechanisms

Stallion provides both automatic and manual rollback capabilities, implemented as controlled security features:

Automatic Rollback:

  • Crash Detection: Automatic rollback is triggered when an update causes application crashes or critical failures
  • Health Monitoring: Application health is monitored after update deployment
  • Automatic Reversion: Failed updates are automatically reverted to the previous stable version

Manual Rollback:

  • Administrative Control: Administrators can manually trigger rollback of deployed updates
  • Selective Rollback: Rollback can be targeted to specific application versions or deployment groups
  • Audit Trail: All rollback operations are logged and auditable

Rollback mechanisms are designed as security features that enable rapid response to compromised or faulty updates, minimizing the window of exposure and ensuring application stability.

Vulnerability Management and Security Testing

We perform automated vulnerability scanning on a periodic basis to identify potential security weaknesses in our systems and applications. Additional security reviews are conducted during major system changes, new feature releases, and infrastructure modifications.

Formal penetration testing is included in our security maturity roadmap, and we are committed to expanding our security testing program as the organization grows.

Responsible Disclosure

Redhorse Technologies welcomes responsible disclosure of security vulnerabilities from security researchers and the broader community. If you believe you have discovered a security issue affecting our systems or services, we encourage you to report it responsibly.

Please send your findings to support@stalliontech.io and include a clear description of the vulnerability, steps to reproduce the issue if applicable, and an assessment of the potential impact.

We ask that researchers refrain from publicly disclosing vulnerabilities until we have had reasonable opportunity to investigate and implement appropriate remediation. We are committed to acknowledging valid reports and working collaboratively with the security community.

Intellectual Property Protection

Redhorse Technologies recognizes that its software, source code, documentation, designs, and proprietary methodologies constitute valuable intellectual property assets that must be protected from unauthorized use, disclosure, or modification.

All intellectual property created in connection with the development and operation of React Native Stallion, including software code, system architecture, documentation, and internal tools, is the exclusive property of Redhorse Technologies Private Limited unless otherwise contractually agreed.

Access to proprietary source code repositories, build systems, and internal documentation is restricted to authorized personnel based on business need and the principle of least privilege. Source code and development assets are stored in secure version-controlled repositories with controlled access. Changes to source code follow secure software development lifecycle and change management procedures. Repository access is logged and monitored to detect unauthorized activity.

When intellectual property must be shared with third parties or service providers, access is restricted to the minimum required scope and governed by contractual confidentiality obligations. Security controls including authentication mechanisms, access restrictions, and monitoring are used to prevent unauthorized access or leakage of intellectual property.

Security Awareness and Training

All employees receive security awareness guidance during onboarding, covering topics such as password hygiene, phishing recognition, data handling practices, and incident reporting procedures. Personnel are expected to adhere to acceptable use policies and follow security best practices in their daily work.

We foster a security-conscious culture where employees are encouraged to ask questions, report concerns, and contribute to our collective security efforts.

Compliance and Continuous Improvement

Redhorse Technologies complies with applicable legal, regulatory, and contractual requirements. We conduct periodic management reviews and implement continual improvement initiatives to enhance our security posture over time.

Policy Review and Updates

This policy is reviewed periodically and updated when necessary to reflect changes in our systems, security practices, or regulatory obligations. Reviews are conducted at least annually or upon significant operational, technical, or regulatory change.

Related Documents

Contact Us

If you have questions regarding this policy or our security practices, please contact us at:

support@stalliontech.io