Security Policy

1. Our Commitment to Security

At Sentio, we take security seriously. This document outlines our security practices and how you can help us maintain a secure environment for all users.

BETA NOTICE: While we implement industry-standard security measures, our Service is in beta testing and may contain undiscovered vulnerabilities. We continuously monitor and improve our security posture.

2. Security Measures

2.1 Infrastructure Security

• Hosting: Deployed on Vercel's secure infrastructure with automatic HTTPS
• Database: Supabase with Row Level Security (RLS) policies
• DDoS Protection: Cloudflare protection against distributed attacks
• Rate Limiting: API rate limits to prevent abuse
• Monitoring: 24/7 security monitoring and alerting

2.2 Data Protection

• Encryption in Transit: TLS 1.3 for all data transmission
• Encryption at Rest: AES-256 encryption for stored data
• Password Security: Bcrypt hashing with salt
• Database Isolation: User data isolated with RLS policies
• Backups: Automated daily backups with 30-day retention

2.3 Authentication & Access Control

• Session Management: Secure HTTP-only cookies
• JWT Tokens: Signed tokens with expiration
• 2FA (Coming Soon): Optional two-factor authentication via TOTP
• Role-Based Access: Principle of least privilege
• Account Lockout: Protection against brute-force attacks

2.4 Application Security

• Input Validation: Server-side validation with Zod schemas
• SQL Injection: Parameterized queries (no raw SQL)
• XSS Protection: Content Security Policy (CSP) headers
• CSRF Protection: SameSite cookies and token validation
• Dependency Scanning: Automated vulnerability scanning with npm audit

2.5 Payment Security

• PCI DSS Compliance: Stripe handles all payment processing (Level 1 PCI DSS)
• No Card Storage: We never store payment card details
• Webhook Verification: HMAC signature validation for Stripe webhooks
• Price Validation: Server-side tier and price validation

3. Third-Party Security

We rely on trusted third-party services for critical infrastructure:

3.1 Infrastructure Providers

• Vercel: SOC 2 Type II certified hosting
  Vercel Security
• Supabase: SOC 2 Type II compliant database
  Supabase Security

3.2 Service Providers

• Stripe: PCI DSS Level 1 payment processing
  Stripe Security
• xAI: AI processing (primary)
  xAI Legal
• OpenAI: SOC 2 compliant AI processing (fallback)
  OpenAI Security

4. Responsible Disclosure Policy

4.1 Reporting Security Vulnerabilities

If you discover a security vulnerability, we appreciate your responsible disclosure. Please:

• Email: [TODO: setup info@sentio.fit] with details
• Subject: Include "SECURITY VULNERABILITY" in the subject line
• Details: Describe the vulnerability, affected components, and steps to reproduce
• Impact: Explain potential impact and severity

4.2 What to Include

To help us understand and fix the issue quickly, include:

• Type of vulnerability (e.g., XSS, SQL injection, authentication bypass)
• Affected URL or component
• Proof-of-concept or steps to reproduce
• Any relevant screenshots or logs
• Your contact information for follow-up

4.3 Our Commitment to You

• Acknowledgment: We'll respond within 48 hours
• Timeline: We'll provide a fix timeline within 7 days
• Updates: We'll keep you informed of our progress
• Credit: With your permission, we'll credit you in our security acknowledgments
• No Legal Action: We won't pursue legal action for responsible disclosure

4.4 Safe Harbor

We consider security research conducted in accordance with this policy as "authorized" under the Computer Fraud and Abuse Act. We will not pursue legal action against researchers who:

• Act in good faith and follow responsible disclosure practices
• Do not intentionally compromise user data or service availability
• Do not exploit vulnerabilities beyond what's necessary to prove they exist
• Do not publicly disclose details before we've issued a fix

5. Out of Scope

The following are not considered vulnerabilities:

• Social Engineering: Phishing, physical attacks, social engineering
• Denial of Service: DoS/DDoS attacks
• Third-Party Services: Issues in OpenAI, Stripe, Supabase, etc.
• Public Information: Information already public or in documentation
• Beta Bugs: Non-security bugs (report via [TODO: setup info@sentio.fit])
• Best Practices: Missing security headers that don't lead to exploits
• Brute Force: Rate limiting bypass without actual compromise

6. Bug Bounty Program

NO MONETARY REWARDS: We do not currently offer monetary rewards for vulnerability reports. As a beta startup, we rely on the security community's goodwill.

We do offer:

• Public Recognition: Credit on our security acknowledgments page
• Swag: Sentio t-shirts and stickers for significant finds
• Early Access: Beta access to new features
• Direct Contact: Opportunity to work with our security team

7. Security Best Practices for Users

7.1 Account Security

• Strong Passwords: Use unique, complex passwords (12+ characters)
• Password Managers: Use a password manager (1Password, Bitwarden)
• 2FA (When Available): Enable two-factor authentication
• Phishing Awareness: Verify email sender before clicking links
• Logout: Log out on shared devices

7.2 Data Protection

• Sensitive Data: Don't submit highly sensitive or personal data
• Backups: Export important analysis data regularly
• Access Review: Review active sessions and revoke unknown devices

7.3 Reporting Suspicious Activity

If you notice suspicious activity on your account:

• Change your password immediately
• Review recent account activity
• Contact us at [TODO: setup info@sentio.fit]
• Check for unauthorized subscription changes

8. Data Breach Response

8.1 Our Commitment

In the event of a data breach, we will:

• Investigate: Immediately investigate the scope and impact
• Contain: Contain the breach and prevent further access
• Notify: Notify affected users within 72 hours (GDPR requirement)
• Remediate: Fix the vulnerability and strengthen security
• Report: Report to relevant authorities as required by law

8.2 User Notification

We will notify you via:

• Email to your registered address
• In-app notification banner
• Public disclosure on our website (if legally required)

8.3 What We'll Tell You

• Nature of the breach (what happened)
• Data potentially affected
• Steps we're taking to address it
• Recommended actions for you to take

9. Security Audits & Testing

9.1 Internal Testing

• Code Reviews: Peer review for all code changes
• Automated Testing: 790+ security and functional tests
• Static Analysis: ESLint with security rules
• Dependency Scanning: npm audit and Snyk scanning

9.2 External Audits

We plan to conduct:

• Penetration Testing: Annual third-party pentests (post-beta)
• Security Audits: SOC 2 compliance audits (post-beta)
• Code Audits: External security code reviews

9.3 Compliance

We are working towards:

• SOC 2 Type II: Security and availability controls
• GDPR: EU data protection compliance
• CCPA: California privacy rights compliance
• ISO 27001: Information security management (future)

10. Security Acknowledgments

We thank the following security researchers for responsibly disclosing vulnerabilities:

• No vulnerabilities reported yet (service in beta)

Want to be listed here? Report a vulnerability to [TODO: setup info@sentio.fit]

11. Contact Us

For security-related inquiries:

• Security Issues: [TODO: setup info@sentio.fit]
• Privacy Questions: [TODO: setup info@sentio.fit]
• General Support: [TODO: setup info@sentio.fit]

PGP Key: Available upon request for encrypted communication

12. Updates to This Policy

We may update this Security Policy as our practices evolve. Updates will be posted with a new "Last Updated" date. Material changes will be communicated to users.