Security Policy

1. Infrastructure Security

1.1 Hosting & Deployment

• Application Hosting: Vercel (SOC 2 Type II, ISO 27001, GDPR)
• Database & Auth: Supabase (SOC 2 Type II, GDPR)
• Payment Processing: Stripe (PCI DSS Level 1, SOC 2 Type II)
• Monitoring & Logging: Sentry (SOC 2 Type II, GDPR) and Vercel Analytics

1.2 Geographic Distribution

• Primary Database: AWS US-East-2 (Ohio) via Supabase
• Edge Functions: Globally distributed via Supabase Edge
• Application CDN: Vercel Edge Network (300+ global locations)
• Static Assets: Vercel CDN with automatic optimization

1.3 Network Security

• All traffic encrypted via TLS 1.3
• HTTP Strict Transport Security (HSTS) enabled
• Automatic SSL/TLS certificate management
• DDoS protection via Vercel and Supabase infrastructure
• Rate limiting on API endpoints

2. Data Security

2.1 Encryption

• At Rest: AES-256 (Supabase/AWS)
• In Transit: TLS 1.3
• Backups: AES-256 encrypted
• OAuth Tokens: AES-256-GCM with dedicated encryption key

2.2 Data Isolation

We implement strict data isolation using Row-Level Security (RLS) policies:

• Users can only access documents within their organization
• Organization data is isolated at the database level
• Personal workspaces are completely separate from business workspaces
• Cross-organization data access is prevented by default

2.3 Data Classification

• Public: Marketing content, help docs - No restrictions
• Internal: System logs, metrics - Employee access only
• Confidential: User documents, chat history - RLS + encryption
• Restricted: API keys, credentials - Encrypted secrets vault

2.4 Data Retention

• User Documents: Retained until user deletion or account termination
• Chat History: Retained for 12 months, then archived
• Audit Logs: Retained for 24 months
• Backups: 30-day rolling backups with point-in-time recovery

3. Authentication & Access Control

3.1 User Authentication

• Email/Password Authentication: Passwords hashed using bcrypt with salt
• Multi-Factor Authentication (MFA): Email-based MFA available for all accounts
• Session Management: Configurable session timeout per organization, maximum session duration enforced, concurrent session limits configurable
• OAuth Providers: Google (optional)

3.2 Role-Based Access Control (RBAC)

• Owner: Full access, billing, organization settings, member management, delete organization
• Admin: Full content access, member management, organization settings
• Manager: Content management, team oversight, limited member management
• Member: Create and edit own content, view shared content

3.3 Platform Administration

• Platform administration restricted to company founders
• Admin access logged and auditable
• Privileged access requires additional authentication
• Admin actions subject to review

4. Application Security

4.1 Secure Development Lifecycle

• Code Review: All changes reviewed before merge
• Static Analysis: Automated security scanning on pull requests, including OWASP ZAP dynamic application security testing (DAST)
• Dependency Scanning: Automated vulnerability detection in dependencies
• Secret Detection: Automated scanning for exposed credentials

4.2 API Security

• Authentication: JWT-based with short-lived tokens
• Authorization: Server-side validation on every request
• Input Validation: Strict input sanitization and validation
• Rate Limiting: Per-user and per-IP rate limits
• CORS: Restricted to authorized origins

4.3 Third-Party Integrations

• Google Drive: Document import via OAuth 2.0, scoped permissions
• Trello: Task import via API key + token
• Slack: Notifications via OAuth 2.0

All third-party OAuth tokens are encrypted with AES-256-GCM before storage.

5. AI & Machine Learning Security

5.1 AI Model Providers

• OpenAI: SOC 2 Type II certified, no training on customer data
• Anthropic (Claude): SOC 2 Type II certified, no training on customer data
• Google (Gemini): ISO 27001, SOC 2 certified, no training on customer data

5.2 AI Data Processing

• User queries processed in real-time, not stored by AI providers
• Document embeddings stored in our database, not shared externally
• AI responses generated per-request with no persistent context
• No customer data used to train any AI models

5.3 Prompt Injection Prevention

• Input sanitization on all AI-bound queries
• System prompts isolated from user input
• Output validation before display

6. Payment Security

6.1 PCI DSS Compliance

• We never store, process, or transmit credit card data
• All payment processing handled by Stripe (PCI DSS Level 1)
• Payment forms embedded via Stripe Elements (iframe isolation)
• Subscription management via Stripe Customer Portal

6.2 Billing Security

• Billing history accessible only to account owner
• Usage data anonymized for internal analytics
• Refunds processed only through verified channels

7. Monitoring & Incident Response

7.1 Continuous Monitoring

• Uptime Monitoring: Automated health checks via Vercel and Supabase
• Error Tracking: Real-time error detection via Sentry
• Security Logging: Authentication events logged via Supabase Auth
• Metrics & Alerts: Application metrics and alerting via Vercel Analytics

7.2 Audit Logging

We maintain comprehensive audit logs including:

• User authentication events (login, logout, failures)
• Document access and modifications
• Permission changes
• API access patterns
• Administrative actions

7.3 Incident Response Plan

We follow a structured incident response process:

1. Detection: Automated alerting via monitoring systems
2. Triage: Severity assessment and prioritization
3. Containment: Isolate affected systems as needed
4. Eradication: Remove threat, apply patches
5. Recovery: Restore services, verify integrity
6. Post-Incident: Root cause analysis and documentation

7.4 Breach Notification

In the event of a data breach affecting customer data:

• Affected customers notified within 72 hours
• Regulatory authorities notified as required by law
• Full incident report provided within 30 days

8. Business Continuity

8.1 Backup Strategy

Backup and recovery is managed by our infrastructure provider (Supabase):

• Database: Daily automated backups with point-in-time recovery
• Files: Redundant storage via Supabase Storage (S3-backed)
• Configuration: Version-controlled infrastructure-as-code

8.2 Disaster Recovery

• Database Failover: Managed by Supabase infrastructure
• Storage Redundancy: Multi-availability zone via AWS S3
• Application: Edge deployment via Vercel with automatic failover

8.3 Service Availability

• Availability: We use commercially reasonable efforts to maintain high availability
• Infrastructure SLAs: Subject to Supabase (99.95%) and Vercel uptime guarantees
• Support Response: Best effort response within 24-48 hours
• Scheduled Maintenance: Announced in advance when possible

9. Compliance

9.1 Regulatory Compliance

• GDPR: We follow GDPR requirements for data protection and privacy
• CCPA: We follow CCPA requirements for California residents
• SOC 2: Our infrastructure partners (Supabase, Vercel, Stripe, Sentry) are SOC 2 Type II certified

Note: We implement privacy and security practices aligned with these regulations. Our infrastructure partners maintain their own compliance certifications.

9.2 Data Processing Agreements

• Standard DPA available for enterprise customers
• Sub-processor list maintained and updated
• Data processing limited to service provision

10. Security Contact

Reporting Vulnerabilities

If you discover a security vulnerability, please report it responsibly. See our Responsible Disclosure Policy for full details including scope, rules of engagement, and safe harbor provisions.

• Email: security@simplyasking.io
• Response Time: Initial acknowledgment within 3 business days
• Disclosure: We support coordinated disclosure (90 days)
• Recognition: Hall of Fame listing for valid reports

Security Questions

For general security questions or to request compliance documentation:

• Email: security@simplyasking.io
• Subject Line: "Security Inquiry"

11. Security Questionnaires & Assessments

Enterprise Security Reviews

We support enterprise security assessment requirements and can provide:

• Completed Questionnaires: SIG Lite, SIG Core, CAIQ, VSAQ, and custom formats
• SOC 2 Type II Report: Our infrastructure partners (Supabase, Vercel, Stripe, Sentry) maintain SOC 2 Type II certifications. Reports available upon request.
• Penetration Test Results: We are CASA (Cloud Application Security Assessment) certified, assessed by TAC Security via ESOF AppSec, including DAST scanning and vulnerability assessment. Certification details are available upon request.
• Architecture Documentation: Security architecture diagrams and data flow documents
• Vendor Risk Assessment: Pre-completed assessment for your vendor management process

Request Process

To request security documentation or questionnaire completion:

1. Email security@simplyasking.io with subject "Security Assessment Request"
2. Include your company name, contact information, and deadline
3. Attach the questionnaire or specify the format needed
4. We typically respond within 3-5 business days for standard requests

Response Times

• SIG Lite / CAIQ: 3-5 business days
• SIG Core / Custom: 5-10 business days
• SOC 2 Report Access: 1-2 business days (requires NDA)
• Custom Assessments: Timeline varies based on scope