Security Policy

Last updated: January 15, 2026

1. Our Commitment to Security

At Johan Guse, we take the security of our users' data seriously. We implement industry-standard security measures to protect your information from unauthorized access, disclosure, alteration, and destruction.

2. Security Measures

2.1 Data Encryption

We use industry-standard encryption protocols to protect data in transit and at rest:

  • TLS/SSL Encryption: All data transmitted between your browser and our servers is encrypted using TLS 1.3
  • Database Encryption: Sensitive data stored in our databases is encrypted at rest
  • End-to-End Encryption: Critical communications use end-to-end encryption

2.2 Access Controls

  • Multi-Factor Authentication (MFA): Available for all user accounts
  • Role-Based Access Control (RBAC): Employees have access only to data necessary for their roles
  • Least Privilege Principle: Systems and applications operate with minimal required permissions
  • Regular Access Reviews: Periodic audits of user permissions and access rights

2.3 Infrastructure Security

  • Cloud Infrastructure: Hosted on secure, compliant cloud platforms (Cloudflare, AWS, etc.)
  • DDoS Protection: Advanced protection against distributed denial-of-service attacks
  • Web Application Firewall (WAF): Filters and monitors HTTP traffic
  • Intrusion Detection: Real-time monitoring for suspicious activities
  • Regular Security Scans: Automated vulnerability scanning and penetration testing

2.4 Application Security

  • Secure Development Practices: Security-first approach in our SDLC
  • Code Reviews: All code changes undergo security review
  • Dependency Management: Regular updates and security patches for all dependencies
  • Input Validation: All user inputs are validated and sanitized
  • SQL Injection Prevention: Parameterized queries and ORM usage
  • XSS Protection: Content Security Policy (CSP) and output encoding
  • CSRF Protection: Anti-CSRF tokens for all state-changing operations

3. Data Protection

3.1 Data Storage

Your data is stored in secure, geographically distributed data centers with:

  • Physical security controls
  • 24/7 monitoring and surveillance
  • Environmental controls (fire suppression, cooling, power backup)
  • Regular backups with encryption

3.2 Data Retention and Deletion

We retain your data only as long as necessary. When you request deletion:

  • Data is securely deleted within 30 days
  • Backups are purged according to our retention schedule
  • You receive confirmation of deletion

4. Compliance and Certifications

We maintain compliance with industry standards and regulations:

  • GDPR: General Data Protection Regulation (EU)
  • CCPA: California Consumer Privacy Act
  • SOC 2 Type II: Service Organization Control (in progress)
  • ISO 27001: Information Security Management (in progress)

5. Incident Response

5.1 Security Incident Management

In the event of a security incident, we will:

  1. Detect: Identify and confirm the incident
  2. Contain: Isolate affected systems to prevent spread
  3. Investigate: Determine the scope and impact
  4. Remediate: Fix vulnerabilities and restore services
  5. Notify: Inform affected users within 72 hours
  6. Review: Conduct post-incident analysis

5.2 Data Breach Notification

If a data breach occurs that may affect your personal information, we will notify you via email and provide:

  • Description of the breach
  • Types of data affected
  • Steps we're taking to address the breach
  • Recommended actions you should take

6. Employee Security Training

All employees undergo:

  • Security awareness training during onboarding
  • Regular security refresher courses
  • Phishing simulation exercises
  • Role-specific security training

7. Third-Party Security

We carefully vet all third-party service providers:

  • Security assessments before engagement
  • Data processing agreements
  • Regular security reviews
  • Compliance with our security standards

8. Your Security Responsibilities

Help us keep your account secure by:

  • Using strong, unique passwords
  • Enabling multi-factor authentication
  • Not sharing your credentials
  • Logging out of shared devices
  • Keeping your contact information updated
  • Reporting suspicious activities immediately

9. Responsible Disclosure

9.1 Report Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly:

  • Email: security@your-domain.com
  • Include detailed steps to reproduce the issue
  • Allow us reasonable time to address the issue before public disclosure
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it

9.2 Bug Bounty Program

We appreciate security researchers who help us improve our security. Eligible vulnerabilities may qualify for rewards based on severity and impact.

10. Security Updates

We continuously monitor and improve our security practices. This policy is reviewed and updated regularly to reflect our current security posture and industry best practices.

11. Contact Security Team

For security-related inquiries:

  • Security Issues: security@your-domain.com
  • General Inquiries: https://your-domain.com/
  • Response Time: We aim to respond within 24 hours