SSL / TLS Security Policy
Effective date: October 15, 2025
Company: Ka’Lu Financial Services (“Company,” “we,” “us,” “our”)
Governing law: Florida and Georgia
1) Scope
This page explains how we protect data using SSL/TLS and related security controls across our websites, web apps, and APIs, including customer portals, forms, and payment pages.
2) Transport Encryption (In-Transit)
- We enforce HTTPS using TLS 1.2+ for all pages and APIs.
- We use modern cipher suites and disable deprecated protocols (SSLv2/3, TLS 1.0/1.1).
- We enable HTTP Strict Transport Security (HSTS) so that browsers refuse plaintext connections to our sites, which blocks protocol-downgrade (SSL-stripping) attacks and keeps cookies from being sent over unencrypted HTTP.
- Sensitive cookies are marked Secure and HttpOnly; where feasible, we also set a SameSite attribute (Lax or Strict) to limit cross-site request forgery.
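The following is an added example, not Ka’Lu tooling, showing how a practitioner would verify the transport controls listed above: it builds a TLS client context that refuses anything below TLS 1.2 (SSLv2/SSLv3 are already disabled by Python's defaults) and audits Strict-Transport-Security and Set-Cookie headers from a constructed sample response. The sample header values and the one-year HSTS minimum are assumptions for illustration.

```python
import ssl

# Constructed sample response headers (not captured from any real host).
SAMPLE_HEADERS = [
    ("Strict-Transport-Security", "max-age=63072000; includeSubDomains; preload"),
    ("Set-Cookie", "session=abc123; Path=/; Secure; HttpOnly; SameSite=Lax"),
    ("Set-Cookie", "prefs=dark; Path=/"),
]

# Assumed baseline: one year, the usual floor for an HSTS max-age.
HSTS_MIN_AGE = 31536000


def hardened_client_context():
    """TLS client context that refuses SSLv2/3 and TLS 1.0/1.1.

    create_default_context() already disables SSLv2/SSLv3 and verifies the
    server certificate and hostname; minimum_version adds the TLS 1.2 floor.
    """
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def check_hsts(value):
    """Return (ok, reason) for a Strict-Transport-Security header value."""
    directives = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            directives[name.strip().lower()] = val.strip()
    if "max-age" not in directives:
        return False, "missing max-age"
    try:
        max_age = int(directives["max-age"])
    except ValueError:
        return False, "max-age is not an integer"
    if max_age < HSTS_MIN_AGE:
        return False, f"max-age {max_age} below {HSTS_MIN_AGE}"
    if "includesubdomains" not in directives:
        return False, "includeSubDomains not set"
    return True, "ok"


def check_cookie(value):
    """Return (cookie_name, missing_attributes) for a Set-Cookie header value."""
    name = value.split("=", 1)[0].strip()
    attrs = {}
    for part in value.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val.strip().lower()
    missing = []
    if "secure" not in attrs:
        missing.append("Secure")
    if "httponly" not in attrs:
        missing.append("HttpOnly")
    if attrs.get("samesite") not in ("lax", "strict"):
        missing.append("SameSite=Lax|Strict")
    return name, missing


def audit_headers(headers):
    """Audit (name, value) header pairs; HSTS is a failure if absent."""
    findings = {"hsts": (False, "header absent"), "cookies": {}}
    for name, value in headers:
        lname = name.lower()
        if lname == "strict-transport-security":
            findings["hsts"] = check_hsts(value)
        elif lname == "set-cookie":
            cookie_name, missing = check_cookie(value)
            findings["cookies"][cookie_name] = missing
    return findings


if __name__ == "__main__":
    print(hardened_client_context().minimum_version.name)
    print(audit_headers(SAMPLE_HEADERS))
```

Running the audit on the sample flags the `prefs` cookie as missing Secure, HttpOnly and SameSite, while the `session` cookie and the HSTS header pass; the same functions can be pointed at headers captured from a real deployment.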
3) Data at Rest
- Customer data stored by us or approved vendors is protected via encryption at rest where feasible (e.g., full-disk/database encryption) and strict access controls on a least-privilege basis.
4) Certificate Management
- Certificates are issued by trusted Certificate Authorities.
- We rotate certificates prior to expiration and monitor for mis-issuance or anomalies.
- We use automated validation and renewal where supported (e.g., ACME).
- Private keys are generated and stored using hardened processes and are never published or shared outside the systems that use them.
5) Application & Network Security
- Role-based access control, with MFA for administrative functions where feasible.
- Regular patching of operating systems, frameworks, and libraries.
- Web Application Firewall (WAF) and rate limiting on sensitive endpoints where appropriate.
- Dependency scanning and vetting before production deployment.
6) Vulnerability Management
- Routine vulnerability scans and secure code reviews.
- Prompt remediation of critical and high-severity issues.
- Third-party penetration testing may be performed periodically.
7) Payment Security
- Online payments (if offered) are processed by PCI DSS–compliant payment processors.
- We do not store full payment card numbers on our servers.
8) Third-Party Services
- Select vendors (hosting, email, analytics, payments) may process limited data under contract and are required to maintain reasonable security (including HTTPS).
- Data transfers to vendors are encrypted in transit.
9) Logging & Monitoring
- We log security-relevant events (e.g., authentication failures, certificate errors) and monitor for suspicious activity.
- Logs are access-controlled and retained per our retention schedule.
10) Incident Response
- If we discover a security incident that affects your personal data, we will investigate, mitigate, and notify you and/or regulators as required by law.
- Contact details below may be used to report suspected vulnerabilities or incidents.
11) Data Retention & Deletion
- We keep personal data only as long as necessary for the purposes collected or as required by law.
- Upon deletion, data is removed from active systems or irreversibly anonymized, and is scheduled for secure deletion from backups per policy.
12) Children’s Data
- Our services are not directed to children under 13, and we do not knowingly collect data from them.
13) Your Responsibilities
- Use current browsers and keep devices updated.
- Do not submit sensitive data over non-Company channels.
- Verify you see the lock icon / “https://” before entering information.
- Report suspicious emails, links, or pages claiming to be us.
14) Special State Disclosures
These disclosures supplement our Privacy Policy for residents of the states below. You may exercise these rights via the contact methods at the end of this page.
California (CCPA/CPRA)
- Rights include know/access, correct, delete, opt-out of sale/share of personal information, limit use of sensitive personal information, and non-discrimination for exercising rights.
- We do not sell personal information. If we “share” for cross-context behavioral advertising, you may opt out using our “Do Not Sell or Share My Personal Information” link (if applicable) or by contacting us.
Colorado (CPA)
- Rights include access, correct, delete, data portability, and opt-out of targeted advertising, sale, and certain profiling.
- You may submit an authenticated request and, if denied, appeal within 45 days.
Connecticut (CTDPA)
- Similar rights to Colorado: access, correct, delete, portability, and opt-out of targeted advertising, sale, and significant profiling.
Virginia (VCDPA)
- Rights include access, correct, delete, portability, and opt-out of targeted advertising, sale, and profiling.
- You may appeal decisions within 45 days.
Utah (UCPA)
- Rights include access, delete, and opt-out of targeted advertising and sale of personal data (as defined under Utah law).
Note: We authenticate requests and respond within applicable statutory timelines. Some data may be exempt (e.g., to meet legal obligations).
15) International Transfers
If data is transferred outside your jurisdiction, we use appropriate safeguards (e.g., contractual clauses) consistent with applicable law.
16) Changes to This Page
We may update this SSL/TLS Security Policy from time to time. The “Effective date” will indicate the latest version. Material changes will be communicated through the site or by direct notice where required.