Security Policy

Last updated: December 19, 2024

1. Data Protection & Encryption

We implement industry-standard security measures to protect your data at rest and in transit:

  • Encryption in Transit: All data transmitted between your device and our servers uses TLS 1.3 encryption
  • Secure File Storage: Files are stored with secure filename generation and access controls
  • Database Security: Database connections are secured with encrypted connections and access controls
  • Password Security: All passwords are hashed using industry-standard Werkzeug security functions

2. Access Control & Authentication

We maintain strict access controls to ensure only authorized personnel can access your data:

  • Role-Based Access Control: Admin, client, and special client roles with proper authorization
  • Session Management: Flask-Login integration with secure session handling
  • Password Security: Minimum 6-character requirements with secure hashing algorithms
  • Google OAuth Integration: Optional secure third-party authentication

3. Infrastructure Security

Our infrastructure is designed with security as a top priority:

  • HTTPS Enforcement: All traffic encrypted with SSL/TLS certificates via Traefik
  • Security Headers: Comprehensive HTTP security headers on all responses
  • Docker Containerization: Secure containerized deployment with health checks
  • Environment Security: Sensitive data stored in secure environment variables

4. Data Isolation & Privacy

Your data is completely isolated from other users:

  • Client Isolation: Complete separation of data between different clients
  • Vector Isolation: AI embeddings are stored separately for each chatbot
  • Domain Restrictions: Chatbots only respond on authorized domains
  • No Cross-Contamination: Files and data never shared between users

5. API Security

Our APIs are secured with multiple layers of protection:

  • Rate Limiting: Active protection against abuse (5-6 requests/minute for critical endpoints)
  • Token-Based Authentication: Unique embed tokens for each chatbot with domain validation
  • Input Validation: All inputs are sanitized and validated to prevent XSS attacks
  • SQL Injection Protection: Parameterized queries using SQLAlchemy ORM
  • Domain Whitelisting: Chatbots only respond from authorized domains

6. File Upload Security

We implement comprehensive security measures for file uploads:

  • File Type Validation: Only PDF, TXT, DOC, and DOCX files are allowed
  • File Size Limits: Maximum 16MB per file to prevent abuse
  • Secure Filename Generation: UUID-based unique filenames prevent path traversal
  • Storage Quotas: Per-user storage limits enforced based on subscription package
  • Content Processing: Safe extraction and processing of document content

7. Incident Response

We have established procedures for handling security incidents:

  • 24/7 Monitoring: Continuous security monitoring and threat detection
  • Incident Response Plan: Documented procedures for security incidents
  • Customer Notification: Prompt notification of any security issues affecting your data
  • Forensic Analysis: Detailed investigation and analysis of security events

8. Compliance & Auditing

We maintain compliance with industry standards and conduct regular audits:

  • Regular Audits: Internal and external security assessments
  • Penetration Testing: Regular security testing by qualified professionals
  • Vulnerability Scanning: Continuous scanning for known vulnerabilities
  • Compliance Monitoring: Ongoing compliance with security standards

9. Employee Security

Our team follows strict security protocols:

  • Background Checks: All employees undergo security screening
  • Security Training: Regular security awareness training
  • Access Controls: Limited access based on job requirements
  • Non-Disclosure Agreements: All employees sign confidentiality agreements

10. Third-Party Security

We carefully vet all third-party services and integrations:

  • Service Provider Vetting: Thorough security assessment of all vendors
  • Data Processing Agreements: Legal agreements ensuring data protection
  • Regular Reviews: Ongoing assessment of third-party security
  • Limited Access: Third parties have minimal access to your data

11. Security Updates & Maintenance

We continuously improve our security posture:

  • Regular Updates: Security patches applied within 24 hours of release
  • Security Monitoring: Continuous monitoring of security threats
  • Best Practices: Implementation of industry security best practices
  • Security Reviews: Regular review and improvement of security measures

12. Reporting Security Issues

If you discover a security vulnerability, please report it immediately:

Security Contact: security@chatzo.cloud

Please include detailed information about the vulnerability and steps to reproduce it.

13. Contact Information

For security-related questions or concerns:

Security Team: security@chatzo.cloud

Data Protection Officer: dpo@chatzo.cloud

Company: Extreme Digital Studio LLP

Address: 22, 14th street NW, Atlanta, Georgia, USA 30309

Create Account Back to Home