
Security

Last updated: December 3, 2025

At SnapGenius, security is a foundational principle. This page outlines the security measures we implement to protect your data and our commitment to maintaining a secure platform.

1. Security Infrastructure

1.1 Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security) with strong cipher suites (minimum 256-bit encryption).
  • Data at Rest: All data stored in our databases is encrypted using AES-256 encryption. This includes user data, form responses, files, and backups.
  • Password Storage: User passwords are never stored in plain text. We use bcrypt hashing with salts to protect credentials.

1.2 Infrastructure Security

Our infrastructure is built on industry-leading cloud providers with robust security:

  • Hosting: Vercel for application hosting (SOC 2 Type II certified)
  • Database: Supabase for data storage (SOC 2 Type II, HIPAA compliant for Team plans)
  • CDN: Edge network for fast, secure content delivery
  • Backups: Automated daily backups with point-in-time recovery
  • Redundancy: Multi-region deployment for high availability

1.3 Network Security

  • Firewalls to control and monitor network traffic
  • DDoS protection and rate limiting
  • Intrusion detection and prevention systems
  • VPN and IP whitelisting for admin access
  • Segmented networks isolating sensitive systems

2. Application Security

2.1 Authentication and Access Control

  • Multi-Factor Authentication (MFA): Optional 2FA via authenticator apps for enhanced account security
  • Session Management: Secure, HttpOnly cookies with strict expiration policies
  • Password Requirements: Minimum 8 characters with complexity requirements
  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Row Level Security (RLS): Database-level access control ensuring users can only access their own data

2.2 Input Validation and Output Encoding

  • Server-side validation of all user inputs
  • Sanitization to prevent injection attacks (SQL, XSS, CSRF)
  • Output encoding to prevent cross-site scripting
  • Parameterized database queries to prevent SQL injection
  • Content Security Policy (CSP) headers to mitigate XSS risks

2.3 Secure Development Practices

  • Code reviews for all production changes
  • Static Application Security Testing (SAST) in CI/CD pipeline
  • Dependency scanning for known vulnerabilities
  • Security-focused linting and code quality tools
  • Regular security training for the development team

3. Data Protection

3.1 Data Minimization

We collect only the data necessary to provide our services. We do not collect:

  • Government-issued identification numbers
  • Financial information (payment processing handled by Polar.sh)
  • Biometric data
  • Precise geolocation data

3.2 Data Retention

  • Active account data: Retained while the account is active
  • Deleted account data: Permanently removed within 30 days
  • Backups: Retained for 90 days, then permanently deleted
  • Logs: Retained for 90 days for security monitoring

3.3 Third-Party Security

We carefully vet all third-party services:

  • Require security certifications (SOC 2, ISO 27001)
  • Execute Data Processing Agreements (DPAs)
  • Regular security assessments
  • Limit data sharing to only what's necessary

Key partners:

  • Supabase: SOC 2 Type II, ISO 27001, HIPAA (Team plans)
  • Vercel: SOC 2 Type II, ISO 27001
  • Polar.sh: PCI DSS compliant payment processing

4. Compliance and Certifications

4.1 Compliance Frameworks

We align our security practices with industry standards:

  • GDPR: EU General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2: Infrastructure providers are SOC 2 Type II certified
  • HIPAA: Available for Team plans through Supabase's HIPAA-compliant infrastructure

4.2 Availability

Compliance documentation is available to enterprise customers:

  • SOC 2 Type II reports (from infrastructure providers)
  • Data Processing Agreements (DPA)
  • HIPAA Business Associate Agreements (BAA) for Team plans
  • Security questionnaires and assessments

Contact security@firat.rw for enterprise security documentation.

5. Monitoring and Incident Response

5.1 Security Monitoring

  • Automated log collection and analysis
  • Real-time alerts for suspicious activity
  • Failed login attempt monitoring
  • Anomaly detection for unusual usage patterns
  • Regular vulnerability scans

5.2 Incident Response

We maintain a formal incident response plan:

  • Detection: Automated monitoring and user reports
  • Response: Immediate containment and investigation
  • Notification: Affected users notified within 72 hours (GDPR requirement)
  • Remediation: Fix vulnerabilities and prevent recurrence
  • Post-Mortem: Document lessons learned and improve processes

5.3 Breach Notification

In the unlikely event of a data breach:

  • Users will be notified via email within 72 hours
  • Notification will include nature of breach, data affected, and recommended actions
  • We will work with law enforcement and regulatory authorities as required
  • Public disclosure on our status page (for significant incidents)

6. Employee Security

  • Background Checks: All employees undergo background checks before accessing production systems
  • Training: Annual security awareness training for all staff
  • Access Controls: Least privilege principle; access granted only as needed
  • Device Security: Company devices with disk encryption, antivirus, and remote wipe
  • Confidentiality Agreements: All employees sign NDAs

7. Vulnerability Disclosure Program

7.1 Responsible Disclosure

We welcome reports from security researchers who help us keep the platform secure. If you discover a vulnerability:

  • Email details to security@firat.rw
  • Use our PGP key for sensitive reports (available upon request)
  • Allow us reasonable time to address the issue before public disclosure
  • Avoid exploiting the vulnerability beyond proof of concept

7.2 What to Include in Your Report

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Suggested remediation (if applicable)
  • Your contact information for follow-up

7.3 Our Commitment

  • Acknowledge receipt within 2 business days
  • Provide status updates every 7 days
  • Fix critical vulnerabilities within 30 days
  • Credit researchers in our security hall of fame (with permission)

7.4 Out of Scope

The following are not considered valid security issues:

  • Social engineering attacks
  • Denial of Service (DoS) attacks
  • Spam or phishing
  • Issues in third-party services (report to them directly)
  • Publicly disclosed vulnerabilities already under investigation

8. User Security Responsibilities

While we implement strong security measures, users also play a critical role:

8.1 Account Security

  • Use a strong, unique password
  • Enable Multi-Factor Authentication (MFA)
  • Don't share your credentials
  • Log out from shared devices
  • Review account activity regularly

8.2 Recognizing Phishing

Be cautious of suspicious communications. We will never:

  • Ask for your password via email or phone
  • Request payment information outside our platform
  • Send links asking you to "verify" your account urgently
  • Use email addresses other than @snapgenius.tech or @firat.rw

8.3 Report Suspicious Activity

If you notice anything unusual:

  • Change your password immediately
  • Enable MFA if not already active
  • Review account activity logs
  • Contact security@firat.rw

9. Physical Security

Our infrastructure providers maintain physical security:

  • 24/7 surveillance and access control at data centers
  • Biometric authentication for authorized personnel
  • Environmental controls (fire suppression, climate control)
  • Redundant power supplies and network connectivity

10. Security Roadmap

We continuously improve our security posture. Planned enhancements:

Q1 2026

  • Independent security audit by third-party firm
  • Penetration testing (web application and API)
  • Implement additional MFA methods (WebAuthn, hardware keys)

Q2 2026

  • Enhanced anomaly detection with machine learning
  • Advanced threat protection against zero-day exploits
  • Security information dashboard for enterprise customers

Q3 2026

  • Bug bounty program launch
  • ISO 27001 certification process
  • Customer-managed encryption keys (BYOK)

11. Contact Security Team

  • Security Inquiries: security@firat.rw
  • Vulnerability Reports: security@firat.rw
  • Privacy Concerns: privacy@firat.rw
  • General Support: support@snapgenius.tech

This Security page was last updated on December 3, 2025. We review and update security practices regularly to address evolving threats and incorporate industry best practices.

© 2025 Made by FIRAT Africa