Security Policy

1. Security Commitment

At Unstruk Data, Inc., the operator of Zine, we take the security of your data and our platform seriously. This Security Policy outlines our comprehensive approach to protecting your information and maintaining the integrity of our services.

2. Data Protection

2.1 Encryption

• Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
• Data at Rest: All stored data is encrypted using AES-256 encryption
• Database Encryption: Our databases use encryption at rest with managed encryption keys
• File Storage: Uploaded files are encrypted before storage in secure cloud infrastructure

2.2 Access Controls

• Multi-factor authentication (MFA) required for all administrative access
• Role-based access control (RBAC) for internal systems
• Principle of least privilege for all system access
• Regular access reviews and deprovisioning procedures

3. Infrastructure Security

3.1 Microsoft Azure Platform

Our platform is built on Microsoft Azure, inheriting enterprise-grade security features:

• Azure Cosmos DB: Globally distributed database with automatic encryption at rest and in transit
• Azure Blob Storage: Secure object storage with built-in encryption and access controls
• Azure AI Search: Managed search service with enterprise security features
• Multiple Azure availability zones for redundancy and reliability

3.2 Azure Security Benefits

Through Azure, we inherit:

• SOC 1, 2, and 3 compliance
• ISO 27001, 27017, and 27018 certifications
• HIPAA and HITRUST compliance capabilities
• FedRAMP authorization
• 99.99% availability SLA

3.3 Network Security

• Azure DDoS Protection
• Azure Firewall and network security groups
• Private endpoints for Azure services
• Network isolation and segmentation
• Azure Security Center monitoring

4. Application Security

4.1 Secure Development

• Security by design principles in all development
• Regular security code reviews
• Automated security testing in CI/CD pipelines
• Dependency scanning for known vulnerabilities
• Static and dynamic application security testing (SAST/DAST)

4.2 Authentication & Authorization

• OAuth 2.0 and OpenID Connect protocols
• JWT token-based authentication with secure signing
• Session management with secure cookies
• Rate limiting and brute force protection
• Account lockout policies for suspicious activity

5. AI Model Security

5.1 Data Handling

• Secure transmission of prompts to AI model providers
• No permanent storage of sensitive data by model providers
• Content filtering and safety measures
• Isolation of user data across different model requests

5.2 Model Provider Security

We partner only with reputable AI providers who maintain:

• SOC 2 Type II compliance
• Data processing agreements (DPAs)
• Enterprise-grade security certifications
• Regular security audits and assessments

6. Monitoring and Incident Response

6.1 Security Monitoring

• 24/7 security monitoring and alerting
• Real-time threat detection and analysis
• Monitoring for suspicious activities and unauthorized access attempts
• Comprehensive logging and audit trails
• Anomaly detection for unusual access patterns

6.2 Incident Response

Our incident response process includes:

• Immediate containment and assessment procedures
• Rapid response team activation
• Stakeholder communication protocols
• Post-incident analysis and improvement
• Regulatory notification when required

7. Data Privacy and Compliance

7.1 Data Minimization

We follow data minimization principles. We do not store consumer personal data beyond:

• Content and files you explicitly upload to our service
• Basic account information managed by our authentication provider (Clerk)
• Payment information securely managed by Stripe

7.2 Privacy Rights

We support user privacy rights including:

• The right to access your data
• The right to delete your account and associated content
• The right to export your data
• The right to opt-out of non-essential communications

7.3 Certifications In Progress

We are actively working toward the following certifications to formalize our security practices:

• SOC 2 Type II: Formalizing our security, availability, and confidentiality controls
• HIPAA Compliance: Implementing safeguards for healthcare-related data protection

8. Employee Security

8.1 Training and Awareness

• Regular security training for all employees
• Phishing simulation and awareness programs
• Security policy acknowledgment and updates
• Incident reporting procedures

8.2 Access Management

• Background checks for security-sensitive roles
• Mandatory MFA for all corporate accounts
• Regular access reviews and certifications
• Secure offboarding procedures

9. Third-Party Security

We carefully vet all third-party providers and require:

• Security assessments and due diligence
• Data processing agreements (DPAs)
• Regular security certifications
• Incident notification requirements
• Right to audit security controls

10. Business Continuity

10.1 Backup and Recovery

• Automated daily backups with encryption
• Multi-region backup storage
• Regular backup restoration testing
• Recovery time objectives (RTO) and recovery point objectives (RPO)

10.2 Disaster Recovery

• Comprehensive disaster recovery plan
• Failover procedures and testing
• Communication plans for service disruptions
• Regular DR drills and plan updates

11. Vulnerability Management

Our vulnerability management program includes:

• Regular vulnerability scanning and assessment
• Patch management and update procedures
• Third-party security audits and penetration testing
• Bug bounty program for responsible disclosure
• Rapid response to critical vulnerabilities

12. Responsible Disclosure Program

We welcome security researchers, ethical hackers, and technology enthusiasts to participate in our responsible disclosure program. We provide safe harbor for security testing conducted in good faith and offer recognition for vulnerability discoveries.

Reporting Security Issues

If you discover a security vulnerability, please report it immediately to our security team:

What to Include in Your Report

• A detailed description of the vulnerability
• Clear steps to reproduce the issue
• Any relevant screenshots, logs, or proof-of-concept code
• Potential impact assessment
• Your contact information for follow-up

Our Commitment

We commit to:

• Acknowledging receipt within 24 hours
• Working with you to validate and resolve the issue
• Providing regular updates on remediation progress
• Giving appropriate credit if desired
• Treating all legitimate reports with appropriate urgency

We value the security community's contributions in keeping Zine secure. All legitimate reports will be thoroughly investigated and addressed with appropriate urgency.

13. User Security Responsibilities

To help maintain the security of your account and our platform:

• Use secure authentication providers you trust
• Keep your OAuth provider account secure with strong passwords and two-factor authentication
• Never share access to your authorized Zine sessions
• Use strong, unique passwords for your accounts
• Keep your devices and browsers updated with the latest security patches
• Log out of shared or public devices after use
• Report suspicious activities immediately to our security team
• Be cautious when uploading sensitive information

14. Security Updates

This Security Policy is reviewed and updated regularly to reflect our evolving security practices and industry best practices. Material changes will be communicated to users through our platform and website.

15. Contact Information

For questions about our security practices or this Security Policy, please contact:

Unstruk Data, Inc.
Email: security@zine.ai
Subject: Security Policy Inquiry
Website: https://www.zine.ai