1. Security program
We maintain technical and organizational measures designed to protect data against unauthorized access, loss, misuse and disclosure. Security controls evolve as the product, infrastructure and risk profile mature. Formal certifications, audit reports and enterprise security documents are TBD.
2. Core controls
- tenant separation for workspace data and settings;
- encryption in transit and encryption at rest where supported by production providers;
- role-based access controls and least privilege for internal access;
- logging for authentication, API usage, errors, security events and operational events;
- backup and recovery processes with retention cycles TBD;
- provider review for hosting, database, AI, billing, email, analytics and support vendors.
3. Internal access
Internal access to customer data is limited to personnel or contractors with a business need, such as support, debugging, security, compliance or operations. Access may be logged and reviewed where systems support it.
4. Security incidents
If we confirm a personal data breach or material security incident affecting customer data, we will notify affected customers as required by law and contract. We may delay public details to protect investigations, users, systems or law enforcement cooperation.
5. Customer security responsibilities
Customers are responsible for strong credentials, authorized users, workspace roles, connected account permissions, API key protection, secure devices, accurate configuration, customer notices and prompt reporting of suspected compromise.
6. Responsible disclosure
Report suspected vulnerabilities to security@instareplai.com with enough detail to reproduce the issue. Do not access, modify, delete, exfiltrate or disrupt data or systems. A formal bug bounty program is TBD.