Information Security Statement
Robelium Ltd
Last Update: 23 March 2026
1. Introduction
Robelium Ltd operates a real-time roadside assistance and vehicle recovery coordination platform.
Given the operational nature of the platform, information security is treated as a core infrastructure requirement rather than a secondary feature.
This statement outlines the principles and technical safeguards implemented to protect data, ensure system integrity, and reduce operational risk.
2. Security Governance
Robelium follows a structured, risk-based approach to information security.
Security responsibilities are embedded within system architecture decisions, backend development, and operational workflows.
Access to administrative tools and internal monitoring systems is role-based and restricted.
Administrative actions are logged and auditable.
3. Infrastructure Security
Robelium's infrastructure is designed with the following controls:
• Encrypted data transmission (HTTPS/TLS)
• Segregation of frontend and backend services
• Server-side validation of all input received by public endpoints
• Rate limiting on exposed APIs
• Origin validation and CORS restrictions
• Environment-based configuration management
Backend services enforce strict schema validation on all inputs.
Database access is restricted, authenticated, and encrypted in transit.
4. Access Control
Access to systems and administrative interfaces is governed by:
• Role-Based Access Control (RBAC)
• JWT-based authentication
• Restricted administrative roles (viewer / moderator / super)
• Controlled export permissions
• Audit logging of sensitive actions
Access is granted on a least-privilege basis.
5. Data Protection Controls
Robelium implements safeguards to protect data integrity and confidentiality:
• IP addresses stored as hashes where applicable
• Secure handling of authentication tokens
• Separation between operational data and optional analytics data
• No storage of full payment card details
• Limited internal visibility of personal data
Consent logs and compliance records are retained for audit defensibility.
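The practical point behind "IP addresses stored as hashes" is that an unkeyed hash of an IPv4 address is not anonymisation: the whole address space is only 2^32 values, so anyone holding the hashes can recover the addresses by enumeration. A keyed hash (HMAC with a secret held outside the database) keeps the property that is actually wanted, the same address maps to the same token so rate limiting and abuse correlation still work, while removing the enumeration attack. The following Python is an added illustration of that technique, not Robelium's code; the pepper value, the /16 used for the brute-force demonstration, and the sample addresses are constructed for the example.

```python
import hashlib
import hmac
import ipaddress
from typing import Optional

# Constructed secret for this example only. In a real deployment the key lives in
# the environment or a secret store, never in the database next to the hashes.
PEPPER = b"example-pepper-do-not-use"


def plain_hash(ip: str) -> str:
    """Unkeyed SHA-256 of the address text. Looks anonymised, but is reversible
    by hashing every candidate address and comparing."""
    return hashlib.sha256(ip.encode()).hexdigest()


def keyed_hash(ip: str, key: bytes = PEPPER) -> str:
    """HMAC-SHA256 under a secret key. Same address -> same token, so rate limiting
    and abuse correlation still work, but enumeration requires the key.
    Note: this is pseudonymisation, not anonymisation, for UK GDPR purposes,
    because whoever holds the key can still link a token to an address."""
    # Canonicalise first so e.g. "2001:DB8::1" and "2001:db8::1" hash identically.
    canonical = str(ipaddress.ip_address(ip))
    return hmac.new(key, canonical.encode(), hashlib.sha256).hexdigest()


def recover_by_enumeration(target_hash: str, network: str) -> Optional[str]:
    """Demonstrates the weakness of plain_hash: brute-force every host in a
    network (a /16 is ~65k candidates, a full IPv4 sweep is 2^32 and still cheap)."""
    for host in ipaddress.ip_network(network).hosts():
        if plain_hash(str(host)) == target_hash:
            return str(host)
    return None


if __name__ == "__main__":
    sample = "203.0.113.42"  # documentation-range address, constructed for the example
    print("plain hash recovered:", recover_by_enumeration(plain_hash(sample), "203.0.0.0/16"))
    print("keyed hash:", keyed_hash(sample))
```

The enumeration function is there to show why the keyed form is needed; a keyed hash can only be brute-forced by someone who also has the key, which is why the key must be stored and rotated separately from the hashed data.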
6. Application-Level Security
Public endpoints are protected through:
• Input validation
• Strict schema enforcement
• Enumeration protection
• Rate limiting
• Controlled error responses
• Bot protection on public forms (automated challenge verification)
• Content Security Policy (CSP) headers
Analytics and tracking scripts are not loaded without explicit user consent. Cookie preferences are managed through a consent mechanism that blocks non-essential scripts prior to approval.
7. Authentication
Administrative areas are protected by a multi-layer authentication model:
• Network-level access restriction on sensitive routes
• Application-level authentication with token-based session management
• Secure password reset flow with time-limited tokens
• Rate limiting on all authentication endpoints
Access to internal tools is granted on a least-privilege basis and restricted to authorised personnel only.
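A password reset flow with time-limited tokens, as listed above, has a handful of properties worth getting right together: the token comes from a CSPRNG, only a hash of it is stored so a database leak does not yield usable tokens, it expires, it is single-use, issuing a new one supersedes any outstanding one, and the request endpoint answers identically whether or not the address exists (the "enumeration protection" from section 6). The Python below is an added example of that pattern and is not Robelium's implementation; the in-memory store, the 15-minute lifetime, and the sample user records are constructed for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

RESET_TTL_SECONDS = 15 * 60  # assumed lifetime for the example


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetStore:
    """In-memory stand-in for a database table keyed by the token hash (constructed)."""

    def __init__(self) -> None:
        self.records: Dict[str, ResetRecord] = {}


def _hash_token(token: str) -> str:
    # Store only the hash. The token itself has 256 bits of entropy, so a fast
    # hash is sufficient here (unlike passwords, which need a slow KDF).
    return hashlib.sha256(token.encode()).hexdigest()


def issue_reset_token(store: ResetStore, user_id: str, now: Optional[float] = None) -> str:
    now = time.time() if now is None else now
    # Supersede any outstanding token for this user before issuing a new one.
    for rec in store.records.values():
        if rec.user_id == user_id:
            rec.used = True
    token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
    store.records[_hash_token(token)] = ResetRecord(user_id, now + RESET_TTL_SECONDS)
    return token  # delivered to the user out of band; never written to logs


def request_reset(store: ResetStore, users_by_email: Dict[str, str], email: str,
                  now: Optional[float] = None) -> str:
    """Public endpoint behaviour: the response is the same whether or not the
    address is known, so the endpoint cannot be used to enumerate accounts."""
    user_id = users_by_email.get(email.strip().lower())
    if user_id is not None:
        issue_reset_token(store, user_id, now)  # token goes out by e-mail, not in the response
    return "If that address is registered, a reset link has been sent."


def redeem_reset_token(store: ResetStore, token: str, now: Optional[float] = None) -> Optional[str]:
    """Returns the user id if the token is valid, unexpired and unused; otherwise None."""
    now = time.time() if now is None else now
    rec = store.records.get(_hash_token(token))
    if rec is None or rec.used or now > rec.expires_at:
        return None
    rec.used = True  # single use: burn it before the password change proceeds
    return rec.user_id


if __name__ == "__main__":
    store = ResetStore()
    users = {"ops@example.test": "u1"}  # constructed sample account
    print(request_reset(store, users, "ops@example.test"))
    print(request_reset(store, users, "nobody@example.test"))  # identical reply
```

The reset endpoints are exactly the ones section 7 says are rate limited; the constant response above closes the enumeration channel but not a timing one, so in practice the e-mail send should be queued rather than performed inline so the known and unknown cases take the same time.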
8. Monitoring and Logging
Robelium maintains structured logging for:
• Administrative actions
• Consent exports
• Compliance interventions
• Operational risk events
Logs support internal review, dispute resolution, and compliance verification.
9. Incident Response
In the event of a security incident:
• Access may be restricted or suspended
• Systems may be isolated
• Relevant logs are preserved
• A risk assessment is conducted
Where required by law, relevant authorities and affected parties will be notified in accordance with UK GDPR obligations.
10. Continuous Improvement
Security controls are reviewed periodically and updated in line with platform evolution, infrastructure changes, and regulatory requirements.
Robelium's objective is operational resilience and controlled risk exposure — not absolute guarantees.
11. Contact
For information security enquiries:
Robelium Ltd
Company No. 17036419
England & Wales