
Security

Revision: 1.0

At Sophosic™ Inc., security is fundamental to everything we build. We implement industry-leading practices to protect your data, ensure platform reliability, and maintain the trust you place in our services.

1. Security Practices Overview

Our security program encompasses infrastructure, application, and operational security controls designed to protect your data throughout its lifecycle.

  • Defense in depth: Multiple layers of security controls to protect against threats
  • Continuous monitoring: 24/7 automated threat detection and incident response
  • Regular audits: Third-party security assessments and penetration testing
  • Compliance certifications: Working toward industry-recognized certifications (SOC 2 Type II is on our roadmap; see section 6)

2. Data Encryption

We encrypt your data both in transit and at rest using industry-standard cryptographic protocols.

2.1 Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • HTTPS everywhere: All pages and API endpoints enforce HTTPS connections
  • Certificate pinning: Additional protection against man-in-the-middle attacks

2.2 Encryption at Rest

  • AES-256 encryption: Database and file storage encrypted with AES-256
  • Key management: Encryption keys stored in dedicated key management systems
  • Backup encryption: All backups encrypted before storage

3. Infrastructure Security

Our infrastructure is hosted on platforms that hold SOC 2 Type II attestations and provide enterprise-grade security controls; the controls we operate on top of those platforms are described below.

3.1 Hosting & Network Security

  • Render.com: Infrastructure hosted on Render's secure platform (SOC 2 Type II certified)
  • Supabase: Database hosted on Supabase with Row-Level Security (RLS) policies
  • DDoS protection: Automated mitigation of distributed denial-of-service attacks
  • Network isolation: Private networks and VPC segregation for database access

3.2 Database Security

  • Row-Level Security (RLS): PostgreSQL RLS policies enforce data isolation per user
  • Automated backups: Daily encrypted backups with point-in-time recovery
  • Connection pooling: Secure connection management with credential rotation
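The per-user isolation described above is enforced by the database rather than by application code, which is what makes it hold for every client path (REST, realtime, direct SQL). The following is an added illustration of how such a policy set looks in Supabase/PostgreSQL; it is example code written for this page, not Sophosic's schema. The table name `documents`, its columns and the user IDs in the check are assumptions.

```sql
-- Added example (not Sophosic's own schema): per-user isolation on a
-- hypothetical "documents" table in Supabase/PostgreSQL.
create table public.documents (
  id          bigint generated always as identity primary key,
  owner_id    uuid not null default auth.uid() references auth.users (id),
  title       text not null,
  body        text,
  created_at  timestamptz not null default now()
);

-- RLS is off by default: without this line any role that can reach the
-- table sees every row, whatever the application layer intended.
alter table public.documents enable row level security;

-- Apply the policies to the table owner as well, so a migration or admin
-- connection running as the owner cannot silently bypass them.
alter table public.documents force row level security;

-- One policy per operation, scoped to the "authenticated" role.
-- auth.uid() returns the subject of the caller's JWT, or NULL for
-- anonymous requests, so unauthenticated callers match no rows.
-- Wrapping it in a subselect lets the planner evaluate it once per query.
create policy "documents_select_own" on public.documents
  for select to authenticated
  using (owner_id = (select auth.uid()));

create policy "documents_insert_own" on public.documents
  for insert to authenticated
  with check (owner_id = (select auth.uid()));

-- update needs both clauses: USING decides which rows may be touched,
-- WITH CHECK stops a user re-assigning a row to someone else.
create policy "documents_update_own" on public.documents
  for update to authenticated
  using (owner_id = (select auth.uid()))
  with check (owner_id = (select auth.uid()));

create policy "documents_delete_own" on public.documents
  for delete to authenticated
  using (owner_id = (select auth.uid()));

-- Verification inside a transaction: impersonate a user the way the API
-- layer does (role + JWT claims) and confirm other users' rows are invisible.
-- The user ID below is a constructed placeholder.
begin;
  set local role authenticated;
  set local request.jwt.claims to
    '{"sub":"00000000-0000-0000-0000-000000000001","role":"authenticated"}';
  -- Must return 0 if the select policy is correct.
  select count(*) as leaked_rows
    from public.documents
   where owner_id <> '00000000-0000-0000-0000-000000000001';
rollback;
```

Two caveats a practitioner checks when reviewing a setup like this: the `service_role` key bypasses RLS entirely, so it belongs only in trusted server-side code and never in a browser bundle; and a table with RLS enabled but no policies denies everything to `anon` and `authenticated`, so a "works in the dashboard, empty in the app" symptom usually means a missing policy rather than a missing row.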

4. Access Controls & Authentication

We implement strict access controls to ensure only authorized users can access your data.

4.1 User Authentication

  • Supabase Auth: Secure authentication using JWTs with refresh token rotation
  • Session management: Short-lived sessions with automatic timeout on inactivity
  • Password requirements: Enforced strong password policies

4.2 Administrative Access

  • Least privilege principle: Employees granted minimum necessary access
  • MFA enforcement: Multi-factor authentication required for all admin access
  • Access logging: Comprehensive audit trails of all administrative actions

5. Vulnerability Reporting

We welcome security researchers and users to report potential vulnerabilities responsibly.

5.1 Responsible Disclosure

If you discover a security vulnerability, please report it to us at:

  • Email: security@sophosic.ai
  • Response time: We aim to acknowledge reports within 24 hours
  • Disclosure timeline: We work with researchers to address vulnerabilities before public disclosure

5.2 Bug Bounty Program

We are planning to launch a bug bounty program to reward security researchers who help us improve our security posture. Stay tuned for details.

6. Compliance & Certifications

We are committed to achieving industry-recognized security certifications to demonstrate our commitment to data protection.

6.1 Current Status

  • GDPR compliance: Full compliance with European data protection regulations
  • CCPA compliance: Adherence to California Consumer Privacy Act requirements
  • Secure infrastructure: Hosted on SOC 2 certified platforms (Render, Supabase)

6.2 Roadmap

  • SOC 2 Type II: On our roadmap for 2025
  • ISO 27001: Planned for future certification

7. Incident Response

In the unlikely event of a security incident, we have a comprehensive incident response plan to quickly contain, investigate, and remediate the issue.

  • Incident detection: Automated monitoring and alerting for suspicious activity
  • Rapid response: Dedicated team available 24/7 for incident handling
  • User notification: Timely communication if your data is affected
  • Post-incident review: Thorough analysis to prevent future incidents

8. Contact Us

For security inquiries, vulnerability reports, or questions about our security practices, please contact security@sophosic.ai.