Security Policy

Last Updated: 2025-11-11

Our Commitment to Security

Alyssa Howard Enterprises, LLC is committed to protecting the security and integrity of your personal information and our platform. We implement industry-standard security measures to prevent unauthorized access, disclosure, modification, or destruction of data.

Technical Security Measures

1. Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (HTTPS)
  • Data at Rest: Sensitive data is encrypted in our database using AES-256 encryption
  • Password Storage: Passwords are hashed using bcrypt, which applies a unique salt to each password (we never store plain-text passwords)

2. Access Controls

  • Role-Based Access Control (RBAC): Users are assigned roles (customer, editor, admin) with specific permissions
  • Principle of Least Privilege: Team members only have access to data necessary for their role
  • Multi-Factor Authentication (MFA): Available for admin accounts (coming soon for all users)

3. Infrastructure Security

  • Database Hosting: Supabase (SOC 2 Type II certified, ISO 27001 compliant)
  • Application Hosting: Vercel (enterprise-grade security, DDoS protection)
  • Payment Processing: Stripe (PCI-DSS Level 1 certified)
  • Regular Backups: Automated daily backups with 30-day retention

4. Application Security

  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks
  • CSRF Protection: Cross-Site Request Forgery tokens on all forms
  • XSS Prevention: Content Security Policy (CSP) headers and output encoding
  • Rate Limiting: API rate limits to prevent brute-force and DoS attacks
  • reCAPTCHA v3: Spam and bot protection on forms

Monitoring and Incident Response

1. Security Monitoring

  • Error Monitoring: Sentry tracks application errors and security events in real-time
  • Activity Logging: User activity logs maintained for 365 days
  • Suspicious Activity Detection: Automated alerts for unusual login patterns or failed authentication attempts

2. Incident Response Plan

In the event of a security breach, we will:

  1. Immediate Containment: Isolate affected systems to prevent further damage
  2. Investigation: Determine the scope and cause of the breach
  3. Notification: Notify affected users within 72 hours (GDPR requirement)
  4. Remediation: Fix vulnerabilities and implement additional safeguards
  5. Post-Incident Review: Analyze the breach and update security measures

Third-Party Security

We carefully vet all third-party service providers to ensure they meet our security standards:

  • Supabase: SOC 2 Type II, ISO 27001, HIPAA-compliant infrastructure
  • Stripe: PCI-DSS Level 1 certified payment processor
  • Google Cloud: SOC 2/3, ISO 27001, GDPR-compliant (for Analytics, YouTube API)
  • Vercel: Enterprise-grade hosting with DDoS protection and edge security

All service providers sign Data Processing Addenda (DPAs) and comply with GDPR requirements.

Your Security Responsibilities

While we implement strong security measures, protecting your account also requires your cooperation:

  • Strong Passwords: Use a unique, complex password (at least 12 characters with mixed case, numbers, and symbols)
  • Password Manager: Consider using a password manager to generate and store strong passwords
  • Don't Share Credentials: Never share your account password or authentication tokens
  • Log Out on Shared Devices: Always log out when using public or shared computers
  • Phishing Awareness: Be cautious of emails asking for your password or personal information
  • Report Suspicious Activity: Notify us immediately if you notice unauthorized access to your account

Vulnerability Disclosure

Found a security vulnerability? We appreciate responsible disclosure.

If you discover a security issue with our platform, please report it to us responsibly:

  1. Email: legal@alyssaahoward.com with subject "Security Vulnerability Report"
  2. Details: Provide a clear description of the vulnerability and steps to reproduce
  3. Do Not: Publicly disclose the vulnerability before we've had a chance to address it

We will acknowledge your report within 48 hours and provide updates on remediation progress.

Compliance and Certifications

Our security practices align with industry standards and regulations:

  • GDPR: General Data Protection Regulation (EU data protection)
  • CCPA/CPRA: California Consumer Privacy Act (California data protection)
  • PCI-DSS: Payment Card Industry Data Security Standard (via Stripe)
  • OWASP Top 10: Protection against the most critical web application security risks

Security Updates

We continuously improve our security posture:

  • Regular software updates and security patches
  • Periodic security audits and penetration testing
  • Ongoing security training for team members
  • Monitoring of emerging threats and vulnerabilities

Limitations

No system is 100% secure. While we implement industry-best security practices, we cannot guarantee absolute security.

By using our platform, you acknowledge that:

  • Internet transmission is never completely private or secure
  • Any data you transmit is at your own risk
  • We are not responsible for circumvention of security measures by unauthorized parties

Contact Us

For security-related questions or to report a security incident, contact us:

Alyssa Howard Enterprises, LLC

Security Team: legal@alyssaahoward.com
General Support: support@alyssaahoward.com

This Security Policy is part of our commitment to protecting your data. For information about how we collect and use your data, see our Privacy Policy.