Jungle Tech Corporation – Cryptographic Control Policy

Version: 1.0 | Last Updated: March 13, 2026

1. Purpose

This policy defines the standards for the use of cryptographic controls to protect the confidentiality and integrity of Jungle Tech data. It ensures our encryption practices meet statutory, regulatory, and contractual requirements.

2. Approved Algorithms

Jungle Tech only uses industry-standard, non-deprecated cryptographic algorithms. The use of proprietary or "home-grown" encryption is strictly prohibited.

Use CaseApproved AlgorithmMinimum Requirement

Data at RestAES (Advanced Encryption Standard)256-bit keys

Data in TransitTLS (Transport Layer Security)Version 1.2 or 1.3

Digital SignaturesRSA or ECDSA3072-bit (RSA) / 256-bit (ECC)

Hashing (Passwords)Argon2, bcrypt, or PBKDF2High iteration count/Salted

Hashing (Data Integrity)SHA-2 or SHA-3SHA-256 or higher

3. Encryption of Data at Rest

Cloud Storage: All Azure Blob Storage and Managed Disks must have Azure Storage Service Encryption (SSE) enabled.

Databases: Azure SQL and Postgres databases must utilize Transparent Data Encryption (TDE).

End-User Devices: All company laptops must utilize full-disk encryption (e.g., BitLocker or FileVault).

4. Encryption of Data in Transit

Public Endpoints: All web-facing traffic must be encrypted via HTTPS using TLS 1.2 or higher. SSL and TLS 1.0/1.1 are strictly disabled.

Internal Communication: Traffic between internal microservices or virtual networks (VNets) must be encrypted.

Remote Access: Administrative access to servers must be conducted via encrypted channels (e.g., SSHv2 or MFA-protected VPNs).

5. Key Management Standards

Jungle Tech utilizes Azure Key Vault as our centralized Key Management System (KMS).

Separation of Duties: The individuals who design/code the application must not have administrative "Set/Delete" permissions for production encryption keys.

Key Generation: Keys must be generated within the KMS using hardware security modules (HSMs) where high security is required.

Rotation: Production keys must be rotated at least annually or immediately if a compromise is suspected.

Backups: Encryption keys must be backed up to a geo-redundant vault to prevent data loss in the event of a regional disaster.

6. Protection of Cryptographic Secrets

No Hardcoding: Cryptographic keys, secrets, or API tokens must never be hardcoded in source code or stored in version control (GitHub).

Environment Variables: Use Azure Key Vault references to inject secrets into applications at runtime.

7. Policy Compliance

Automated Audits: We use Azure Policy to automatically block the creation of any storage or database resource that is not configured with the approved encryption standards.

Legacy Systems: Any system found to be using deprecated algorithms (e.g., MD5, SHA-1, DES) must be decommissioned or upgraded within 30 days of discovery.