Security

1. Infrastructure Security

1.1 Hosting

• All servers are hosted in UK-based data centres
• ISO 27001 certified hosting infrastructure
• Physical access controls including biometric authentication and 24/7 CCTV
• Redundant power, cooling, and network connectivity

1.2 Network Security

• All traffic encrypted with TLS 1.2+ (HTTPS enforced)
• Web Application Firewall (WAF) for DDoS and injection protection
• Rate limiting on all API endpoints to prevent abuse
• IP-based monitoring and anomaly detection

2. Application Security

2.1 Authentication

• JWT token-based authentication with configurable expiry
• Passwords hashed using bcrypt with appropriate cost factor
• Account lockout after repeated failed login attempts
• Secure session management with automatic timeout

2.2 Data Encryption

• In transit: TLS 1.2+ for all communications
• At rest: AES-256 encryption for stored data
• API keys: Encrypted and never exposed in application logs

2.3 Code Security

• Input validation and sanitisation on all user-submitted data
• Protection against OWASP Top 10 vulnerabilities (SQL injection, XSS, CSRF, etc.)
• CSRF token protection on all state-changing requests
• Content Security Policy (CSP) headers
• Regular dependency updates and vulnerability scanning

3. Data Security

3.1 Care Documentation

3.2 Access Controls

• Principle of Least Privilege: Staff access is limited to what is necessary for their role
• Multi-factor authentication required for all infrastructure access
• Audit logging on all data access operations
• Regular access reviews and revocation procedures

3.3 Backup & Recovery

• Automated daily encrypted backups
• Backups stored in geographically separate UK data centres
• Regular recovery testing to ensure data integrity
• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour

4. Chrome Extension Security

• Manifest V3 with minimal permissions — only requests access needed for core functionality
• No data is collected from pages you visit unless you explicitly trigger an analysis
• All communication with our API is via encrypted HTTPS
• Extension source code is reviewable in the Chrome Web Store
• Authentication tokens stored securely in Chrome's extension storage

5. AI & Third-Party Security

• AI analysis providers (Google Gemini, OpenAI) are accessed via encrypted API calls
• Text sent to AI providers is processed under their data processing agreements and is not used for model training
• Payment processing via Stripe/Paddle — PCI DSS Level 1 compliant
• We do not store credit card numbers or financial details on our servers

6. Incident Response

Our incident response plan includes:

• Detection: Automated monitoring and alerting for suspicious activity
• Containment: Immediate isolation of affected systems
• Notification: ICO notification within 72 hours; user notification without undue delay
• Remediation: Root cause analysis and corrective measures
• Review: Post-incident review and policy updates

7. Compliance Standards

• UK GDPR and Data Protection Act 2018
• Cyber Essentials framework alignment
• OWASP security best practices
• ICO guidance on data security

8. Responsible Disclosure

We welcome responsible security research. If you discover a vulnerability:

• Email: security@Recordsafe.ai
• Please provide sufficient detail to reproduce the issue
• Allow reasonable time for us to address the vulnerability before public disclosure
• Do not access or modify other users' data during testing

9. Contact

For security-related questions or concerns:

• Security team: security@Recordsafe.ai
• Data Protection Officer: dpo@Recordsafe.ai