Parkchung Security Policy

Our commitment to information security and data protection.

This Security Policy ("Policy") describes how Parkchung ("Company", "we", "us") protects its information assets, systems, and services in connection with the online marketplace it operates ("Service").

The specific handling of personal data is governed by our Privacy Policy; this Policy focuses on the technical and organisational security measures that support those practices.

1. Purpose, Scope, and Legal Framework

  1. The purpose of this Policy is to protect the Company's information assets and the Service against unauthorised access, disclosure, alteration, and destruction, and to operate securely and continuously in line with Vietnamese law and recognised industry practices.
  2. This Policy applies to all individuals involved in operating or supporting the Service, including officers, employees, interns, contractors, and suppliers ("Personnel").
  3. In implementing security measures, we take into account, among others:
  • Vietnam's data protection regulations, including Decree 13/2023 (PDPD);
  • the Law on Cyberinformation Security, the Law on Cybersecurity, and related decrees (e.g., Decree 53/2022);
  • internationally recognised security standards and practices (e.g., ISO/IEC 27001/27002, OWASP).

2. Governance and Roles

  1. The Company appoints an Information Security Lead (CISO-equivalent) responsible for overall security governance, implementation of this Policy, and oversight of major incidents.
  2. A Data Protection Officer (DPO) or equivalent unit is responsible for PDPD-related matters such as data subject rights, cross-border transfer procedures, and regulatory notifications.
  3. Department heads are responsible for managing access rights, overseeing third-party arrangements, and ensuring training within their areas.
  4. All Personnel must comply with this Policy and related procedures, maintain confidentiality, and complete at least annual security and privacy training.

3. Compliance with Laws and Standards

  1. In the event of a personal data breach, the Company will comply with PDPD requirements, including 72-hour notification to relevant authorities (such as MPS/A05) and, where required, notifications to affected data subjects.
  2. The Company follows the principles of prompt, accurate, and coordinated incident handling under the Law on Cyberinformation Security and relevant guidance.
  3. Where cross-border transfers of personal data occur, the Company will prepare and maintain data transfer impact assessments and conduct necessary filings with the Ministry of Public Security, as required by PDPD, together with appropriate contractual safeguards.
  4. If, in the future, the Company becomes subject to data localisation or local presence requirements under the Law on Cybersecurity and related decrees, it will assess and comply with such requirements, including implementing necessary technical and organisational measures.

4. Risk Management and ISMS

  1. The Company conducts at least annual risk assessments of its information assets, maintains an asset inventory, and classifies assets by criticality (confidentiality, integrity, availability).
  2. The Company maintains a security management framework aligned with standards such as ISO/IEC 27001/27002, including policies, procedures, and records, and reviews them regularly.
  3. Significant risks and incidents are escalated to senior management, with appropriate corrective actions and investment decisions taken as needed.

5. Access Management

  1. Access to systems and data is granted on a least-privilege basis, with appropriate separation of duties.
  2. Multi-factor authentication (MFA) is required for administrative access and for remote management or other sensitive operations, as appropriate.
  3. User accounts are managed throughout their lifecycle (onboarding, role changes, offboarding), with quarterly reviews of access rights.
  4. Privileged operations and critical configuration changes are logged, with tamper-resistant storage of audit logs for a defined retention period.

6. Encryption and Confidential Information

  1. Data in transit is protected using TLS 1.2 or higher (preferably TLS 1.3), and sensitive information such as passwords and payment-related data is further protected through hashing or encryption.
  2. Data at rest is encrypted using AES-256 or comparable industry-standard algorithms, or equivalent protective measures.
  3. Cryptographic keys and certificates are managed separately (e.g., via cloud key management services), with defined rotation and revocation procedures.
  4. The Company does not store payment card numbers directly and instead relies on PCI DSS-compliant payment processors for card transactions.

7. Secure Development and Cloud Security

  1. Security is integrated into the software development lifecycle (SSDLC), with security reviews conducted at key stages (requirements, design, implementation, testing, release).
  2. The Company manages risks associated with open-source and third-party components through software composition analysis (SCA) and uses static and dynamic analysis (SAST/DAST) as appropriate.
  3. Web applications are designed in line with OWASP Top 10/ASVS guidelines, and the Company aims to perform at least annual penetration testing of critical services.
  4. In cloud environments, the Company applies best-practice configurations, including network segmentation, use of WAF and IDS/IPS, default encryption of storage, and prohibition of unnecessary public exposure (e.g., open buckets).
  5. Infrastructure configurations are managed as code (IaC) where feasible, with version control and change tracking.

8. Logging, Monitoring, and Vulnerability Management

  1. The Company collects and monitors access, activity, and error logs in a centralised manner, with the goal of detecting abnormal or suspicious behaviour.
  2. Logs are stored with appropriate protections against unauthorised access and tampering and are retained for periods required by law and business needs.
  3. The Company monitors vulnerability advisories for operating systems, middleware, and applications, and applies patches according to defined service level agreements (SLAs) (e.g., Critical vulnerabilities within 7 days, High vulnerabilities within 14 days), with risk-acceptance processes for exceptions.
  4. Rollback and emergency fix procedures are in place for updates that may impact service stability.

9. Third-Party and Supplier Management

  1. When selecting suppliers or processors that handle personal data or critical information, the Company evaluates their security and data protection practices.
  2. The Company enters into data protection and security clauses (e.g., DPAs) with processors, addressing purpose limitation, confidentiality, security measures, sub-processor controls, and prompt breach notification obligations.
  3. Processors must promptly notify the Company of any personal data breach or other security incident to enable the Company to meet its 72-hour reporting obligations where applicable.
  4. Where cross-border transfers are involved, both the Company and its processors must comply with PDPD requirements, including impact assessments, filings, and contractual safeguards.

10. Incident Response

  1. The Company maintains documented incident response procedures covering prepare-detect-contain-eradicate-recover-lessons learned, and ensures relevant Personnel are familiar with them.
  2. Severity levels for incidents are defined, and for major incidents, initial response (including scoping and containment) is initiated within one business day where practicable.
  3. For incidents involving personal data, the Company will notify competent authorities and, where required, affected users in accordance with PDPD and other applicable laws.
  4. Incident handling is documented, and root-cause analysis and corrective actions are implemented to prevent recurrence.

11. Business Continuity and Disaster Recovery

  1. For critical systems, the Company defines recovery time objectives (RTOs) and recovery point objectives (RPOs), and performs regular backups and at least annual restore tests.
  2. Cloud infrastructure is designed with redundancy (e.g., across availability zones) to reduce the impact of failures.
  3. The Company maintains business continuity plans (BCP) that define priorities and procedures for maintaining or restoring essential services in the event of major disruptions.

12. Physical and Office Security

  1. The Company relies on the physical security and certifications of its cloud service providers' data centres.
  2. For offices and other physical locations under the Company's control, appropriate measures such as access control, visitor registration, and secure storage and disposal of documents and media are implemented.

13. Personnel Security

  1. Subject to applicable law, the Company may carry out appropriate pre-employment checks and requires employees and contractors to enter into confidentiality agreements (NDAs) upon joining.
  2. Personnel receive at least annual security and privacy training, and violations may result in disciplinary measures in accordance with internal rules and contracts.
  3. Access rights are limited to what is necessary for each role, and accounts are promptly disabled and privileges revoked upon termination or contract end.

14. Data Minimisation, Retention, and Deletion

  1. The Company collects and processes personal data only to the extent necessary for specified purposes and avoids unnecessary collection or retention (data minimisation).
  2. Retention periods and deletion procedures are defined in line with the Privacy Policy and applicable laws; when data is no longer needed, it is securely deleted or anonymised.
  3. Requests from data subjects (e.g., access, correction, deletion, restriction) are handled in accordance with the procedures set out in the Privacy Policy and the PDPD.

15. Vulnerability Disclosure and Safe Harbor

  1. The Company welcomes good-faith vulnerability reports from security researchers and users and aims to provide a reasonable safe-harbor approach for such reports.
  2. However, activities that violate law or our Terms of Service—such as unauthorised access, data exfiltration, data destruction, or service disruption—are not permitted.
  3. Vulnerabilities can be reported to:

Email: contact@parkchung.com (please include "Security" or "Vulnerability" in the subject line).

Where needed, the Company can receive encrypted reports for sensitive information.

16. Review and Updates

  1. The Company reviews this Policy at least annually and whenever there are material changes in law, technology, or business operations, and updates it as necessary.
  2. The latest version of this Policy is published on the Company's website and generally becomes effective upon posting, unless otherwise stated.
  3. In case of any inconsistency between this Policy and other Company policies, the Privacy Policy governs the processing of personal data, while the Terms of Service and Insurance & Liability Policy govern allocation and limitation of liability and dispute resolution.