Security Policy
Aktirak Corporation takes security seriously. This Security Policy outlines our practices, measures, and your responsibilities in maintaining a secure platform.
1. Infrastructure Security
Cloud Infrastructure:
- Hosted on enterprise-grade cloud providers (AWS/Azure/GCP)
- Geographic redundancy and failover capabilities
- DDoS protection and traffic filtering
- Regular infrastructure audits and updates
Network Security:
- Firewalls and intrusion detection systems (IDS)
- Virtual Private Cloud (VPC) isolation
- Network segmentation and access controls
- 24/7 security monitoring
2. Data Security
Encryption:
- TLS 1.3 for data in transit
- AES-256 encryption for data at rest
- Encrypted database backups
- Secure key management systems
Data Isolation:
- Logical separation between customer data
- Dedicated database instances for sensitive operations
- No cross-tenant data access
3. Application Security
We implement security best practices in our code:
- Regular security code reviews
- Automated vulnerability scanning
- SQL injection prevention (parameterized queries)
- Cross-Site Scripting (XSS) protection
- Cross-Site Request Forgery (CSRF) tokens
- Content Security Policy (CSP) headers
- Rate limiting and abuse prevention
4. Authentication and Access Control
User Authentication:
- Strong password requirements (min 12 characters)
- Two-factor authentication (2FA) available
- Session management with secure cookies
- Automatic session timeout after inactivity
- Account lockout after failed login attempts
Access Control:
- Role-based access control (RBAC)
- Principle of least privilege
- Multi-factor authentication for administrative access
- Regular access reviews and audits
5. AI Specialist Security
Security measures for AI interactions:
- Prompt injection attack prevention
- Content filtering and moderation
- Rate limiting on AI requests
- Isolation between user sessions
- No persistent memory across sessions without consent
6. Payment Security
We use Stripe for secure payment processing:
- PCI-DSS Level 1 compliant
- We never store credit card numbers
- Tokenized payment information
- 3D Secure authentication support
7. Security Monitoring
Continuous monitoring and logging:
- Real-time security event monitoring
- Automated alert systems for anomalies
- Comprehensive audit logs
- Log retention for security investigations
- Security Information and Event Management (SIEM)
8. Incident Response
Our incident response process:
- Detection: Automated and manual security monitoring
- Containment: Isolate affected systems immediately
- Eradication: Remove threat and patch vulnerabilities
- Recovery: Restore services safely
- Notification: Inform affected users as required
- Post-Incident: Review and improve security measures
9. Third-Party Security
We carefully vet all third-party services:
- Security assessments for all vendors
- Data Processing Agreements (DPAs)
- Regular third-party security reviews
- Vendor security certification requirements
10. Employee Security
Internal security practices:
- Background checks for employees with data access
- Regular security training and awareness programs
- Secure development lifecycle (SDLC)
- Separation of duties for critical operations
- Immediate access revocation upon termination
11. Vulnerability Management
Proactive vulnerability management:
- Regular penetration testing (quarterly)
- Automated vulnerability scanning
- Responsible disclosure program
- Timely patching of security vulnerabilities
- Security bug bounty program (coming soon)
12. Backup and Disaster Recovery
Business continuity measures:
- Daily automated backups
- Encrypted backup storage
- Geographic redundancy for backups
- Tested disaster recovery procedures
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
13. Compliance and Certifications
We maintain compliance with:
- GDPR (General Data Protection Regulation)
- CCPA (California Consumer Privacy Act)
- SOC 2 Type II (in progress)
- ISO 27001 (planned)
14. Your Security Responsibilities
To help maintain security, you should:
- Use strong, unique passwords
- Enable two-factor authentication
- Never share your account credentials
- Report suspicious activity immediately
- Keep your contact information current
- Review your account activity regularly
- Use secure networks when accessing the platform
15. Reporting Security Issues
If you discover a security vulnerability:
- DO NOT exploit the vulnerability
- DO NOT disclose publicly before we address it
- Report to our security team
- Include detailed description and steps to reproduce
- We will acknowledge within 24 hours
- We will provide updates on remediation progress
16. Security Contact
For security-related inquiries:
- Contact our security team
- Urgent security issues: Available 24/7