Security Policy
Last updated: 1 July 2026. This page describes how Soul Music Group protects platform data and how to report security vulnerabilities responsibly.
1. Our commitment to security
Soul Music Worldwide Co., Ltd. ("SMG") is committed to maintaining the security and integrity of the OMG Distribution platform and all associated infrastructure. We apply industry-standard security controls to protect client data, content assets, royalty information and platform operations.
If you are a security researcher or have found a potential vulnerability in our systems, please follow the responsible disclosure process described in Section 7 of this policy.
2. Data protection measures
SMG implements the following technical controls to protect data:
- Encryption in transit: All data transmitted between your browser and SMG's servers is encrypted using TLS 1.2 or higher. Connections using older protocols are rejected.
- Encryption at rest: Sensitive data — including personal information, financial records and content assets — is encrypted at rest using AES-256.
- Access controls: Access to production systems, client data and financial records is restricted to authorised personnel on a need-to-know basis. Access is managed via role-based controls and reviewed regularly.
- Authentication: The OMG Distribution platform enforces strong password requirements. Multi-factor authentication (MFA) is available and strongly recommended for all accounts.
- Audit logging: Critical system events, access attempts and administrative actions are logged and retained for security review.
3. Infrastructure security
SMG's infrastructure is hosted on Amazon Web Services (AWS) and protected by Cloudflare's global network. Key infrastructure security measures include:
- DDoS protection and mitigation via Cloudflare's network.
- Web Application Firewall (WAF) rules to filter malicious traffic.
- Network segmentation between public-facing services and internal systems.
- Regular automated and manual security reviews of exposed infrastructure.
- Patching and update management for server operating systems and dependencies.
4. Application security
SMG applies application-level security practices including:
- Input validation and output encoding to prevent injection attacks (SQL injection, XSS, SSRF).
- CSRF protection for state-changing requests.
- Dependency scanning for known vulnerabilities in software packages.
- Secure development practices including code review for security-sensitive changes.
- Secrets management: API keys and credentials are stored in encrypted vaults, not in code repositories.
5. Payment security
SMG does not store complete payment card numbers on our systems. Payment card data is handled exclusively by our PCI-DSS compliant payment processor. Royalty payment details (bank account information) are encrypted at rest and access-controlled.
6. Incident response
In the event of a confirmed security incident affecting client data, SMG will:
- Contain and investigate the incident promptly.
- Notify affected clients within 72 hours where required by applicable data protection law (including GDPR).
- Take remedial action to prevent recurrence.
- Provide a post-incident summary upon request for enterprise and SLA clients.
To report a suspected security incident involving your account or data, contact us immediately at info@soulmusic.asia with "SECURITY INCIDENT" in the subject line.
7. Responsible disclosure
If you discover a potential security vulnerability in soulmusic.asia or app.omgmusic.asia, we ask that you report it to us responsibly before disclosing it publicly.
How to report:
- Email info@soulmusic.asia with the subject line "Security Vulnerability Disclosure".
- Include a description of the vulnerability, the affected URL or component, and steps to reproduce it.
- Attach any relevant screenshots, proof-of-concept code or request/response examples that help us understand the issue.
What you can expect from us:
- Acknowledgement of your report within 5 business days.
- An assessment of the reported issue and estimated timeline for resolution.
- Notification when the vulnerability has been remediated.
Scope — what is in scope:
- soulmusic.asia (this website)
- app.omgmusic.asia (the OMG Distribution platform)
- Authentication and authorisation issues on either domain
- Data exposure or injection vulnerabilities
Out of scope:
- Third-party services and platforms (DSPs, payment providers, AWS, Cloudflare)
- Denial-of-service testing against production systems
- Social engineering attacks targeting SMG staff
- Physical security
We appreciate responsible disclosures and will acknowledge credited researchers in our internal security records. We currently do not operate a formal bug bounty programme.
8. User responsibilities
Users of the OMG Distribution platform should also take steps to secure their own access:
- Use a strong, unique password for your Platform account.
- Enable multi-factor authentication where available.
- Do not share your login credentials with others.
- Log out of shared or public devices after use.
- Report suspected unauthorised access to your account immediately at info@soulmusic.asia.
9. Changes to this policy
SMG may update this Security Policy from time to time to reflect changes in our practices or applicable requirements. The "Last updated" date at the top of this page reflects the most recent revision.
10. Contact
For security-related enquiries, incident reports or vulnerability disclosures:
Soul Music Worldwide Co., Ltd.
info@soulmusic.asia
Tower A, Happy One Central, Thu Dau Mot, Binh Duong Province, Vietnam