Moonrock
Information Security Policy

Version 1.0 – October 2025

1. Purpose & Overview

Moonrock builds immersive experiences for millions of players and fans across digital and real-world platforms. With that scale comes responsibility — to protect the information entrusted to us by our clients, partners, and users.

This Information Security Policy defines how Moonrock manages and safeguards information across our infrastructure, teams, and projects. It applies to all employees, contractors, and vendors involved in the design, development, hosting, or operation of Moonrock products and services.

Our objectives are simple: protect data, ensure continuity, and maintain the trust that powers every experience we build.

2. Scope

This policy covers all data processed or stored by Moonrock and its affiliates, including internal systems, client projects, hosted environments, and partner integrations.

It applies to:

  • All Moonrock staff, contractors, and vendors.
  • All Moonrock-managed systems, platforms, and networks.
  • All data collected or processed during project development or delivery, including user, partner, and client information.

3. Governance & Responsibility

Moonrock’s executive leadership oversees the company’s information security program. A designated Information Security Lead is responsible for maintaining compliance, managing reviews, and coordinating responses in the event of an incident.

All employees and contractors are expected to follow this policy, maintain secure practices, and immediately report potential security concerns or incidents. Security responsibilities are reviewed during onboarding and reinforced through ongoing communication and training.

4. Hosting & Infrastructure

Moonrock’s web games and digital experiences are hosted primarily on Cloudflare Pages, with back-end systems deployed on Cloudflare Workers. This infrastructure is globally distributed and designed for scalability, resilience, and security.

  • Cloudflare’s data centers are ISO 27001, SOC 2 Type II, and PCI DSS compliant.
  • Deployment to production environments is managed through GitHub integration with Cloudflare Pages.
  • Access and deployment privileges are limited to authorized team members and reviewed regularly.
  • Cloudflare provides DDoS protection, SSL termination, and advanced traffic monitoring for all hosted projects.

5. Access Control

Access to production systems follows the principle of least privilege.

  • Cloudflare Pages deployment access: Tony, Krishna, Dylan (pending removal), Arta
  • GitHub repository (auto-deploys to production): Arta, Andres, Marcus, Tony, Argon, Krishna
  • Total: 7 people currently have access (one pending removal).
  • All systems use secure authentication and unique credentials.
  • Access is revoked immediately upon role change or termination.
  • Shared accounts are not permitted, and remote access is logged and encrypted.

6. Change Management & Development Practices

Moonrock uses structured version control and peer review to ensure secure, stable deployments.

  • All code and configuration changes are tracked in GitHub.
  • Peer review and QA testing are required before deployment to production.
  • Only authorized engineers may deploy to production environments.
  • Emergency changes are documented and reviewed post-deployment.
  • Dependencies and third-party libraries are periodically reviewed for vulnerabilities.

7. Data Collection & Retention

Moonrock does not collect any personally identifiable information from players.

  • Only anonymized gameplay statistics are recorded.
  • The only potentially sensitive information is players’ IP addresses, which are stored temporarily in logs for operational and security purposes.
  • No names, emails, or contact information are collected.
  • All stored data is statistical and non-identifiable.

Data retention follows a structured approach:

  • Cloudflare D1 automatically performs daily backups, retained for 24 hours.
  • Logs are purged regularly and never used for profiling or marketing.
  • All deletions are performed securely to prevent unauthorized recovery.

8. Encryption & Data Protection

Moonrock uses industry-standard encryption protocols to protect all data in transit and at rest.

  • All communication between users and Moonrock-hosted applications occurs over SSL (HTTPS).
  • Cloudflare’s encryption protocols protect all web traffic and stored data.
  • Sensitive system data is encrypted using strong standards such as AES-256.
  • Encryption keys are securely managed and rotated periodically.

9. Business Continuity & Disaster Recovery

Moonrock maintains documented procedures for continuity and recovery to minimize downtime and data loss.

  • Cloudflare’s distributed architecture provides redundancy and failover by default.
  • Cloudflare D1 ensures daily automated backups with point-in-time recovery.
  • In the event of an outage, Moonrock aims to restore essential functionality rapidly using established recovery procedures.
  • Backup systems and recovery processes are tested periodically for reliability.

10. Human Resources & Personnel Security

Moonrock enforces clear security expectations for all personnel.

  • All employees and contractors sign confidentiality agreements before gaining access to systems.
  • Access privileges are reviewed and removed immediately upon offboarding.
  • All devices used for company work must employ endpoint protection, encryption, and updated operating systems.
  • Security awareness is reinforced through ongoing communications and project-based reviews.

11. Privacy

Moonrock’s privacy practices align with global data protection regulations such as GDPR and CCPA.

  • Moonrock does not collect or store personally identifiable information for this project.
  • Anonymized analytics are used solely for performance monitoring and optimization.
  • The Privacy Policy (available at moonrock.biz/privacy) provides further detail on data handling and user rights.

12. Incident Response

Moonrock maintains a defined incident response plan to handle potential security events.

  1. Identify and contain the incident.
  2. Investigate scope and root cause.
  3. Notify affected clients or partners if applicable.
  4. Remediate and apply corrective measures.

All incidents are logged, tracked, and reviewed by leadership to prevent recurrence.

13. Vendor & Third-Party Security

Moonrock uses only reputable cloud providers and tools that meet industry security standards.

  • Core infrastructure is hosted on Cloudflare, with some services utilizing AWS and equivalent providers.
  • Vendors must comply with data protection and confidentiality standards.
  • Any third-party integrations are reviewed to ensure compliance and minimal data exposure.

14. Monitoring & Audit

System access and deployment activity are logged for accountability.

  • Logs are monitored for unauthorized or anomalous activity.
  • Security configurations and permissions are reviewed quarterly.
  • Regular audits ensure adherence to Moonrock’s internal policies and client commitments.

15. Policy Review & Maintenance

This policy is reviewed annually or when significant operational, technical, or regulatory changes occur.

Updates are approved by Moonrock leadership and distributed to all relevant personnel.

16. Contact

For security inquiries or compliance requests, please contact:

Moonrock Information Security Team
Email: security@moonrock.biz
