Rollick takes the security of your data and funds seriously. This policy outlines our security practices, data protection measures, and procedures for reporting and responding to security incidents.

• All data transmitted to/from Rollick is encrypted using TLS 1.3
• Passwords are hashed using bcrypt with per-user salts (never stored in plaintext)
• Payment data is handled by PCI DSS Level 1 compliant processors (Stripe/PayPal)
• Personal data is encrypted at rest using AES-256
• Database access restricted to authorized personnel with role-based access control
• Regular security patches applied to all systems

• Hosted on AWS with multi-region redundancy
• DDoS protection via CloudFlare
• Web Application Firewall (WAF) active on all endpoints
• Automated vulnerability scanning performed weekly
• Penetration testing conducted quarterly by independent security firms
• All infrastructure changes logged and auditable

• Two-factor authentication (2FA) available for all accounts
• Session tokens expire after 24 hours of inactivity
• Concurrent session limits enforced
• Suspicious login attempts trigger account lockout after 5 failed attempts
• Login notifications sent via email for new devices/locations
• Users can view and revoke active sessions from profile settings

The provably fair system uses:

• HMAC-SHA256 for outcome generation (cryptographically secure)
• Server seeds generated via Web Crypto API (CSPRNG)
• Client seeds ensure neither party alone controls outcomes
• All seeds and results are independently verifiable

• Detection: Automated monitoring, intrusion detection systems, and employee reporting
• Assessment: Security team evaluates severity within 1 hour of detection
• Containment: Affected systems isolated immediately to prevent spread
• Notification: Affected users notified within 72 hours per GDPR; regulatory authorities notified per applicable law
• Remediation: Root cause analysis, vulnerability patching, and system hardening
• Post-Incident: Detailed incident report, lessons learned, and policy updates

We welcome responsible disclosure of security vulnerabilities. Report vulnerabilities to [email protected].

When reporting, please include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact

Responsible disclosure guidelines:

• Do NOT access other users' data, disrupt services, or publicly disclose before we've had time to respond
• We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days
• We will not take legal action against researchers who follow responsible disclosure practices
• Hall of fame recognition available for confirmed vulnerabilities (with researcher's consent)

• All third-party service providers are vetted for security practices
• Sub-processors are contractually required to maintain equivalent security standards
• Annual security reviews conducted for all critical vendors
• Sub-processor list: see Privacy Policy Section 3

• Background checks for all employees with data access
• Annual security awareness training
• Principle of least privilege for all system access
• Separation of duties for financial operations
• All access logged and periodically audited

• Regular automated backups (encrypted, stored in separate geographic regions)
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour
• Disaster recovery plan tested semi-annually
• Redundant systems ensure platform availability during partial outages

For security issues and vulnerability reports, please contact us:

• Email: [email protected]
• Mail: Rollick Inc., 1209 Orange Street, Wilmington, DE 19801, United States