Information Security Policy
Arno Information Security Policy
Effective date: 17th May 2026
Security contact: info@arnopro.com
Arno is an NDPC-approved Data Controller/Processor of Major Importance (DCPMI) under NDPA 2023 / GAID 2025. This can be verified on the NDPC register.
Purpose: This policy establishes Arno’s information security objectives and control framework, aligned to NDPA 2023 / GAID 2025, Kenya’s DPA 2019/General Regulations 2021 (where applicable), and industry frameworks (ISO 27001/27002; NIST CSF). It applies to all staff, contractors, and vendors with access to Arno data/systems.
1. Introduction
Arno is a SaaS talent sourcing and recruitment platform. We process information that matters to talents, recruiters, and employer clients, and protecting that information is fundamental to how we operate. This policy describes the principles and practices that guide how we secure the Arno platform.
2. Scope
This policy covers the Arno platform, the cloud and SaaS systems that support it, and the personnel who build, operate, and administer it. For how personal data is collected, used, and shared, see the Arno Privacy Policy.
3. Our Security Commitment
We apply appropriate technical and organisational measures to protect the data entrusted to us. Our control framework draws on internationally recognised practices, including ISO/IEC 27001 and 27002 and the NIST Cybersecurity Framework. We continuously review and improve our practices as our platform, our risks, and the wider threat landscape evolve. No internet-based service can guarantee absolute security, and we are open about that with our customers.
4. Security Governance
Security at Arno is led by our Head of Security & Compliance, with oversight from our Data Protection Officer. Senior management reviews security risks, incidents, and improvement programmes on a regular cadence. Our security policies are documented, version-controlled, and reviewed at least annually and after any material change.
5. Information Classification and Handling
We classify information by sensitivity and handle it accordingly. Personal data and other sensitive information receive heightened protection in how they are stored, accessed, transmitted, and disposed of, in line with their classification.
6. Access Control
We apply least-privilege and need-to-know principles. Administrative access is limited to authorised personnel and protected by multi-factor authentication and, where supported, single sign-on. Access rights are reviewed periodically and removed promptly when no longer required.
7. Data Protection and Encryption
Customer data is encrypted in transit using TLS, and at rest using strong industry-standard algorithms. Cryptographic keys are managed under controlled access and rotated in line with industry practice.
8. Platform, Cloud, and Application Security
Arno is hosted on infrastructure operated by reputable cloud providers under written security agreements. We apply hardening and security baselines to our environments, protect our public-facing services against common web threats, and manage secrets and credentials through dedicated tooling rather than embedding them in code or documents.
9. Secure Product Development
Security is built into how we design, build, and ship the platform. New features receive security review proportionate to their risk. Our development pipeline includes automated security checks, and our development, staging, and production environments are kept separate.
10. Monitoring, Vulnerability Management, and Testing
We log security-relevant events across the platform and monitor for suspicious activity. We scan our systems, software, and dependencies for vulnerabilities and remediate them on a risk-based basis. We also engage independent specialists for security testing where appropriate.
11. Incident Response
We maintain a documented Incident Response Plan and rehearse it through regular exercises. Where a security incident affects personal data, we notify the relevant data protection authorities — including the Nigeria Data Protection Commission (“NDPC”) — and affected users within the timelines required by applicable law, with the information they need to understand and respond to the event.
12. Business Continuity and Backups
Critical platform data is backed up on a regular cycle, with backups encrypted. We periodically test our ability to restore services from backup and maintain a Business Continuity Plan to support recovery from significant disruptions.
13. Vendor and Third-Party Security
We are deliberate about the vendors and sub-processors we engage. Before granting access to Arno data, we assess each vendor’s security and data protection posture and put a written data processing agreement in place. Higher-risk vendors are reassessed at least annually. We maintain a record of the sub-processors that support our platform and make it available to customers on request.
14. Employee and Contractor Responsibilities
Everyone working on or with Arno is responsible for security. All staff and contractors are bound by confidentiality obligations and required to comply with our internal security policies and procedures throughout their engagement with Arno.
15. Training and Awareness
All Arno staff complete security and data protection training when they join and at recurring intervals thereafter. Engineers, administrators, and other staff in higher-risk roles receive additional role-specific training, supplemented by ongoing awareness activities.
16. Compliance and Continuous Improvement
We comply with applicable data protection and security laws in the jurisdictions where we operate, including the Nigeria Data Protection Act, 2023 and the NDPC General Application and Implementation Directive, 2025, and other applicable laws where relevant. We monitor our security posture through internal review, learn from incidents and near-misses, and update our controls accordingly.
17. Responsible Disclosure and Security Contact
If you believe you have found a security vulnerability in Arno, please tell us. Send your report to [security@arnopro.com — to be confirmed], with enough detail for us to reproduce and assess the issue. We ask that you give us a reasonable period to investigate and remediate before any public disclosure. We welcome good-faith security research, will acknowledge reports promptly, and will keep you informed of progress.
18. Changes to This Policy
We review this policy regularly and update it as our practices and the threat landscape evolve. Material changes will be reflected on the Arno website with an updated effective date.
