Overview
A short, plain-language summary of our security approach and what this page covers. State that we use industry-standard controls (encryption in transit and at rest, least-privilege access, regular security testing), that we have a defined incident response process, and where to report a vulnerability. Keep it high-level: the goal is to orient visitors and link to the detailed sections below, and the overview should never promise more than those sections actually state.
Data protection
A concise explanation of how we protect user data at rest and in transit. State the minimum TLS version accepted for network traffic (and that plain HTTP is redirected to HTTPS), describe encryption at rest for sensitive fields, briefly describe how keys are managed (a KMS, with a stated rotation cadence and restricted access to key material), and state that backups are encrypted and that restores are tested on a schedule, not just taken. Make clear that we minimize the data we store and link to the Privacy Policy for specifics on data handling and retention. Describe controls in terms of what is protected rather than product names or key sizes, so the page stays accurate as implementation details change.
Access control & identity
Describe how we control who can access systems and customer data. Cover the principle of least privilege, role-based access control (RBAC), multifactor authentication (MFA) for administrative and other privileged accounts, service accounts with narrowly scoped permissions whose use is logged and reviewed, and centralized identity/SSO for staff. Explain that periodic access reviews and onboarding/offboarding controls (access granted per role, revoked promptly on role change or departure) reduce insider risk.
Infrastructure & hosting
High-level details about where and how we run the service and the hardening practices applied. Note the use of reputable cloud providers and CDNs, network segmentation, managed services with automated patching, and container/image scanning before deployment. State explicitly that we do not publish internal hostnames, IP addresses, or detailed network diagrams. Reassure readers that infrastructure changes go through change control (review, testing, and a rollback path) before reaching production.
Vulnerability management & testing
Explain the proactive program used to find and fix vulnerabilities. Mention automated dependency/CVE scanning in CI, static and dynamic analysis (SAST/DAST) in the pipelines, regular internal security reviews, and periodic third-party penetration tests (redacted executive summaries may be published later). State remediation expectations in general terms (findings are prioritized by severity and tracked to closure). Note whether a bug bounty or coordinated disclosure program exists or is planned, and link to the Responsible disclosure section rather than duplicating its instructions here.
Incident response & notifications
Summarize the incident response process and our notification commitments. State that we maintain a written incident response plan (identify → contain → eradicate → recover → review), that logging and monitoring are centralized to detect anomalies, and that for incidents affecting user data we follow applicable notification laws and the Privacy Policy, including the timelines they set. Explain how major incidents are communicated (status page, email subscriptions) and that the post-incident review feeds back into the controls described on this page.
Responsible disclosure
Clear instructions for security researchers to report issues safely and privately. Provide the preferred secure reporting channel (secure web form and/or a monitored security mailbox), note a PGP option if available (publish the key fingerprint on the live page), and ask for reproduction steps, the affected component, and an assessment of impact. Set expectations clearly: every report is acknowledged within 72 hours, and validity and severity are determined at triage after that (the acknowledgement is a receipt, not an assessment). Ask researchers not to publicly disclose issues before triage and remediation, and to avoid accessing, modifying, or retaining other users' data while testing.
Compliance & audits
High-level note about audit readiness and compliance posture. Say that we follow recognized best practices, maintain documentation and evidence to support audits (SOC 2 / ISO 27001 readiness as a future milestone, not a current certification), and that we will publish summary-level audit notes or badges when available. Clarify that we will not publish sensitive audit artifacts (full reports, evidence, open findings) publicly.
Contact & links
Provide quick action links and how to reach security and operational pages: Report a vulnerability (secure form / [email protected]), System Status (/status), Privacy Policy (/privacy), and the Responsible Disclosure policy (/security/disclosure). If we accept encrypted reports, add an explicit line with PGP instructions and the key fingerprint on the live page, and keep that fingerprint in sync with the key actually used to decrypt reports.