
Security

Last Updated: December 30, 2025

Table of Contents

  • Security Overview
  • Data Encryption
  • Infrastructure Security
  • Access Control
  • Security Monitoring
  • Incident Response
  • Vulnerability Disclosure
  • Compliance and Certifications
  • Security Contact

Security Overview

Security is fundamental to Policy Change Radar. We implement industry-standard security practices to protect your data and maintain the integrity and availability of our Service.

This page describes our security measures and practices. For information about data privacy, see our Privacy Policy.

Data Encryption

Encryption in Transit

  • All data transmitted to and from our Service uses TLS 1.3 encryption
  • HTTPS enforced for all connections (HSTS enabled)
  • Secure cipher suites with forward secrecy
  • Regular SSL/TLS certificate rotation

Encryption at Rest

  • Database encryption using AES-256
  • Document storage encrypted with AES-256
  • Backup encryption with separate keys
  • Encrypted storage volumes for all data

Password Security

  • Passwords hashed using bcrypt with individual salts
  • Password strength requirements enforced
  • Secure password reset process with time-limited tokens
  • Two-factor authentication (2FA) available for all accounts

Infrastructure Security

Hosting and Data Centers

  • Cloud infrastructure hosted in SOC 2 Type II certified data centers
  • Data stored in secure facilities with physical access controls
  • Redundant systems for high availability
  • Geographic redundancy for disaster recovery

Network Security

  • Firewalls and network segmentation
  • DDoS protection and mitigation
  • Intrusion detection and prevention systems
  • Regular network security assessments

Application Security

  • Secure coding practices and code reviews
  • Input validation and output encoding
  • CSRF protection on all state-changing operations
  • SQL injection prevention through parameterized queries
  • XSS prevention through content security policies
  • Regular security updates and patches

Access Control

User Authentication

  • Secure session management with automatic timeout
  • Account lockout after failed login attempts
  • Two-factor authentication (2FA) support
  • Single sign-on (SSO) available for Business plans

Internal Access Controls

  • Principle of least privilege for all system access
  • Multi-factor authentication required for all staff
  • Role-based access control (RBAC)
  • Audit logging of all administrative actions
  • Regular access reviews and revocation

Data Access

  • Strict segregation of customer data
  • Access to production data limited to authorized personnel
  • All data access logged and monitored
  • Confidentiality agreements for all employees and contractors

Security Monitoring

Continuous Monitoring

  • 24/7 automated security monitoring
  • Real-time alerts for suspicious activity
  • Log aggregation and analysis
  • Automated threat detection

Security Logging

  • Comprehensive logging of authentication events
  • Access logs for sensitive operations
  • Audit trails for data modifications
  • Log retention for forensic analysis

Vulnerability Management

  • Regular automated vulnerability scanning
  • Dependency scanning for known vulnerabilities
  • Penetration testing (annual or as needed)
  • Timely patching of identified vulnerabilities

Incident Response

Incident Response Plan

We maintain a documented incident response plan that includes:

  • Detection and identification procedures
  • Containment and eradication steps
  • Recovery and restoration processes
  • Post-incident analysis and improvement

Security Incident Notification

In the event of a security incident that affects your data, we will:

  • Investigate and contain the incident promptly
  • Notify affected users within 72 hours of discovery
  • Provide details about the incident and its impact
  • Outline steps we're taking to prevent recurrence
  • Comply with applicable data breach notification laws

Business Continuity

  • Documented business continuity and disaster recovery plans
  • Regular backups with tested restoration procedures
  • Redundant systems and failover capabilities
  • Regular disaster recovery testing

Vulnerability Disclosure

We value the security research community and welcome responsible disclosure of security vulnerabilities.

Reporting a Vulnerability

If you discover a security vulnerability, please report it to:

  • Email: security@policychangeradar.com

What to Include

Please provide:

  • Description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Proof of concept (if applicable)
  • Your contact information for follow-up

Our Commitment

  • Acknowledge your report within 48 hours
  • Provide regular updates on our investigation and remediation
  • Credit researchers who report valid vulnerabilities (with permission)
  • Not pursue legal action against researchers who follow responsible disclosure practices

Responsible Disclosure Guidelines

We ask that you:

  • Do not access, modify, or delete data belonging to others
  • Do not perform testing that degrades service performance
  • Do not publicly disclose the vulnerability before we've addressed it
  • Give us reasonable time to remediate the issue

Compliance and Certifications

Current Compliance

  • GDPR: General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2 Type II: In progress (expected completion: [DATE])

Security Practices

  • OWASP Top 10 security controls
  • NIST Cybersecurity Framework alignment
  • CIS Controls implementation

Third-Party Assessments

We engage independent third parties to assess our security posture, including:

  • Annual penetration testing
  • Quarterly vulnerability assessments
  • Code security reviews

Employee Security

Background Checks

All employees with access to customer data undergo background checks as permitted by local law.

Security Training

  • Security awareness training for all employees
  • Specialized training for engineering and operations staff
  • Regular security updates and refresher training
  • Phishing awareness and testing

Confidentiality

  • Confidentiality agreements signed by all employees and contractors
  • Clear data handling policies and procedures
  • Secure offboarding process when employees leave

Third-Party Security

We carefully vet third-party service providers that process customer data:

  • Security assessments before engagement
  • Data processing agreements with all subprocessors
  • Regular reviews of third-party security practices
  • Monitoring of third-party security incidents

See our Subprocessors page for a list of third-party services.

Security Contact

For security-related inquiries:

  • Security Team: security@policychangeradar.com
  • Privacy Inquiries: privacy@policychangeradar.com
  • General Support: support@policychangeradar.com
© 2026 Policy Change Radar. All rights reserved. A Smales Studio project.