Security Policy

Last Updated: December 14, 2024

1. Our Commitment to Security

At SAM Alerts, we take security seriously. This policy outlines our security practices and how we protect your data.

2. Data Protection Measures

2.1 Encryption

  • In Transit: All data transmitted between your browser and our servers uses TLS 1.2+ encryption
  • At Rest: Sensitive data (passwords, payment information) is encrypted in our databases
  • End-to-End: Authentication tokens use industry-standard encryption

2.2 Access Controls

  • Role-based access control (RBAC) for internal systems
  • Multi-factor authentication (MFA) for administrative access
  • Principle of least privilege for all system access
  • Regular access audits and reviews

2.3 Password Security

  • Passwords hashed using bcrypt with appropriate work factors
  • Minimum password requirements enforced
  • No plain-text password storage
  • Secure password reset mechanisms

2.4 Infrastructure Security

  • Regular security patches and updates
  • Firewalls and intrusion detection systems
  • DDoS protection and rate limiting
  • Isolated production environments

3. Third-Party Security

3.1 Service Providers

We carefully vet third-party providers for security compliance:

  • Payment Processing: PCI DSS compliant providers (Stripe)
  • Cloud Hosting: SOC 2 Type II certified infrastructure
  • Email Services: Secure, reputable email delivery platforms

3.2 API Security

  • API keys encrypted and rotated regularly
  • Secure credential storage using secrets management
  • No API keys in source code or client-side code

4. Application Security

4.1 Secure Development

  • Security-first development practices
  • Code reviews for security vulnerabilities
  • Dependency scanning for known vulnerabilities
  • Regular security testing

4.2 Common Protections

  • CSRF (Cross-Site Request Forgery) protection
  • XSS (Cross-Site Scripting) prevention
  • SQL injection prevention via parameterized queries
  • Clickjacking protection
  • Content Security Policy (CSP) headers

4.3 Session Management

  • Secure session token generation
  • Automatic session expiration
  • Session invalidation on logout
  • Protection against session fixation attacks

5. Monitoring and Incident Response

5.1 Security Monitoring

  • 24/7 automated monitoring for suspicious activity
  • Log aggregation and analysis
  • Anomaly detection systems
  • Regular security audits

5.2 Incident Response Plan

In the event of a security incident, we will:

  1. Detect: Identify and confirm the incident
  2. Contain: Limit the scope and impact
  3. Investigate: Determine root cause and extent
  4. Remediate: Fix vulnerabilities and restore security
  5. Notify: Inform affected users as required by law (typically within 72 hours)
  6. Review: Conduct post-incident analysis and improve processes

5.3 Breach Notification

If we experience a data breach affecting your personal information, we will:

  • Notify you via email within 72 hours of discovery
  • Provide details about what information was compromised
  • Explain steps we're taking to address the breach
  • Advise you on protective measures you can take
  • Comply with all applicable breach notification laws

6. Responsible Disclosure

6.1 Reporting Security Vulnerabilities

We welcome reports of security vulnerabilities from the security research community.

How to Report:

  • Email: security@samalerts.app
  • Subject: "Security Vulnerability Report"
  • Encrypt sensitive details using our PGP key (available on request)

Include:

  • Description of the vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (optional but helpful)

6.2 Our Commitment to Researchers

  • We will acknowledge receipt within 48 hours
  • We will not pursue legal action against good-faith security researchers
  • We will work with you to understand and resolve the issue
  • We will credit you (if desired) after the issue is resolved

6.3 Response Timeline

  • Initial Response: Within 48 hours
  • Status Update: Within 7 days
  • Resolution Target: 90 days for most issues
  • Disclosure: Coordinated disclosure after fix is deployed

6.4 Out of Scope

Please do not test for:

  • Denial of Service (DoS/DDoS) attacks
  • Physical attacks against our facilities
  • Social engineering of our staff
  • Spam or phishing tests

7. User Security Best Practices

7.1 Account Security

We recommend you:

  • Use a strong, unique password
  • Enable two-factor authentication when available
  • Keep your email account secure
  • Log out when using shared devices
  • Review account activity regularly

7.2 Recognizing Phishing

We will never:

  • Ask for your password via email
  • Request sensitive information through unsecured channels
  • Include suspicious links claiming to be from us

If you receive suspicious emails:

  • Do not click links or download attachments
  • Forward to security@samalerts.app
  • Delete the email

7.3 Secure Devices

  • Keep your operating system and browser updated
  • Use antivirus software
  • Avoid public Wi-Fi for sensitive activities (or use a VPN)
  • Be cautious with browser extensions

8. Compliance and Certifications

8.1 Regulatory Compliance

We comply with:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • SOC 2 Type II standards (in progress/as applicable)

8.2 Regular Assessments

  • Annual security audits
  • Penetration testing (at least annually)
  • Vulnerability scanning (continuous)
  • Compliance reviews

9. Data Retention and Deletion

9.1 Secure Deletion

When you delete your account:

  • Data is flagged for deletion within 30 days
  • Backups are purged according to our retention schedule
  • Deletion is irreversible after the retention period

9.2 Backup Security

  • Backups are encrypted
  • Stored in geographically separate locations
  • Access is restricted and logged
  • Regular backup restoration testing

10. Employee Security

10.1 Training

All employees receive:

  • Security awareness training
  • Data handling guidelines
  • Incident response procedures
  • Regular security updates

10.2 Access Management

  • Background checks for employees with data access
  • Immediate access revocation upon termination
  • Regular access reviews
  • Separation of duties for sensitive operations

11. Physical Security

For any physical infrastructure:

  • Secure data centers with 24/7 monitoring
  • Biometric and badge access controls
  • Video surveillance
  • Environmental controls

12. Subprocessors and Data Locations

12.1 Data Storage

Your data may be stored in:

  • United States (primary)
  • EU (for EU customers, where applicable)

12.2 Subprocessors

The current list of major subprocessors is available at: https://samalerts.app/subprocessors

We notify customers of changes to subprocessors.

13. Security Roadmap

We are continuously improving security through:

  • Implementing advanced threat detection
  • Enhancing encryption capabilities
  • Pursuing additional security certifications
  • Expanding security monitoring coverage

14. Limitations

While we implement robust security measures:

  • No system is 100% secure
  • We cannot guarantee absolute security
  • Users are responsible for their own device security
  • Third-party security is outside our direct control

15. Contact

Security Team:
Email: security@samalerts.app
PGP Key: Available on request

General Support:
Email: support@samalerts.app
Website: https://samalerts.app

For Emergencies:
Active security incidents: security@samalerts.app (24/7 monitoring)

16. Updates to This Policy

We may update this policy to reflect:

  • Changes in security practices
  • New threats or vulnerabilities
  • Regulatory requirements
  • Technological improvements

Material changes will be communicated via email and prominently displayed in our Service.