1. Overview

This Security Policy describes the administrative, technical, and physical safeguards CreatorSense AI implements to protect user data and Platform Data.

2. Security Principles

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Access granted only as needed
  • Data Minimization: Collect only necessary data
  • Encryption by Default: All data encrypted in transit and at rest

3. Administrative Safeguards

Access Controls

  • Role-based access control (RBAC)
  • Quarterly access reviews
  • Immediate revocation upon termination

Employee Security

  • Background checks for data access
  • Annual security training
  • Confidentiality agreements

4. Technical Safeguards

Encryption Standards

Data Type        Method                              Standard
Data in Transit  TLS 1.3                             Industry standard HTTPS
Data at Rest     AES-256                             Database-level encryption
OAuth Tokens     Fernet (AES-128-CBC + HMAC-SHA256)  Symmetric authenticated encryption
Passwords        Argon2id                            OWASP recommended hashing (one-way, not encryption)
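
The Passwords row above names Argon2id, and the Authentication Security list below adds that legacy bcrypt hashes are upgraded transparently on next login. The block below is an added example of that verify-then-rehash flow; it is not CreatorSense AI's code. It assumes a PHC-style stored string of the form `$scheme$params$salt$digest` and, so that it runs on a bare Python install, substitutes standard-library `hashlib.scrypt` for Argon2id and PBKDF2-SHA256 for bcrypt. With argon2-cffi, `PasswordHasher.verify()` and `PasswordHasher.check_needs_rehash()` play the roles of `verify_password()` and `check_needs_rehash()` here.

```python
import base64
import hashlib
import hmac
import os

# Added example, not the page's stack. Stand-ins (assumption): hashlib.scrypt plays the
# current scheme (Argon2id on the page), PBKDF2-SHA256 plays the legacy one (bcrypt on the page).
CURRENT_SCHEME = "scrypt"
CURRENT_PARAMS = {"n": 2 ** 14, "r": 8, "p": 1}  # raising these later is what check_needs_rehash() notices


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii").rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.b64decode(text + "=" * (-len(text) % 4))


def hash_password(password: str) -> str:
    """Hash with the current scheme; output is a PHC-style string: $scheme$params$salt$digest."""
    salt = os.urandom(16)
    n, r, p = CURRENT_PARAMS["n"], CURRENT_PARAMS["r"], CURRENT_PARAMS["p"]
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p, dklen=32)
    return f"$scrypt$n={n},r={r},p={p}${_b64(salt)}${_b64(digest)}"


def legacy_hash_password(password: str, iterations: int = 100_000) -> str:
    """Legacy-scheme hash, used here only to seed the demo user table with an old record."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    return f"$pbkdf2-sha256$i={iterations}${_b64(salt)}${_b64(digest)}"


def _parse(stored: str):
    _, scheme, params, salt_b64, digest_b64 = stored.split("$")
    kv = {k: int(v) for k, v in (item.split("=") for item in params.split(","))}
    return scheme, kv, _unb64(salt_b64), _unb64(digest_b64)


def verify_password(password: str, stored: str) -> bool:
    """Dispatch on the scheme tag so old and new records verify side by side."""
    scheme, kv, salt, expected = _parse(stored)
    if scheme == "scrypt":
        actual = hashlib.scrypt(password.encode(), salt=salt, n=kv["n"], r=kv["r"], p=kv["p"], dklen=32)
    elif scheme == "pbkdf2-sha256":
        actual = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, kv["i"], dklen=32)
    else:
        return False  # unknown scheme: fail closed
    return hmac.compare_digest(actual, expected)


def check_needs_rehash(stored: str) -> bool:
    """True when the record is on the legacy scheme or on weaker-than-current parameters."""
    scheme, kv, _, _ = _parse(stored)
    return scheme != CURRENT_SCHEME or kv != CURRENT_PARAMS


DUMMY_HASH = hash_password(os.urandom(8).hex())  # verified for unknown users to equalise timing


def login(users: dict, username: str, password: str) -> bool:
    """Verify; on success, and only on success, replace a stale hash while the plaintext is in hand."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, DUMMY_HASH)
        return False
    if not verify_password(password, stored):
        return False
    if check_needs_rehash(stored):
        users[username] = hash_password(password)
    return True


if __name__ == "__main__":
    users = {"alice": legacy_hash_password("correct horse battery staple")}  # constructed demo record
    print(login(users, "alice", "wrong password"), users["alice"][:15])  # False, record still legacy
    print(login(users, "alice", "correct horse battery staple"), users["alice"][:8])  # True, now $scrypt$
```

Two details matter in practice: the rehash must only happen after a successful verification (a wrong guess must never touch the stored record), and the same `check_needs_rehash()` path is what lets you raise the cost parameters later without a migration, since every record is refreshed the next time its owner logs in.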

Authentication Security

The controls below describe how CreatorSense AI user accounts are protected. Internal Sense Lab operator accounts (used for the CMS and support tooling) follow equivalent or stricter controls but are not customer-facing surfaces.

  • Password Hashing: Argon2id (memory-hard, OWASP recommended) for all user accounts. Legacy bcrypt hashes are transparently upgraded on next login, the only moment the plaintext is available to rehash.
  • Passkeys (WebAuthn / FIDO2): Register hardware keys, biometric authenticators, or device passkeys as a passwordless login method. Passkeys are stored per-device and can be individually revoked at any time from Settings → Security.
  • Two-Factor Authentication (TOTP): Optional authenticator-app 2FA (Google Authenticator, Authy, etc.) with QR code setup and manual secret entry.
  • Security Score: A live-calculated account security score is shown on your Security page: it starts at 75, rises to 90 with 2FA enabled, and reaches 100 with a recent password change. It helps you identify and close security gaps at a glance.
  • Session Management: HTTP-only, Secure cookies with a SameSite policy. Active sessions can be viewed and all sessions can be revoked in bulk from Settings → Security.
  • Platform connections: Authorised integrations (including OAuth 2.0 where supported). We do not store third-party platform passwords.
  • CSRF Protection: Token-based protection on all state-changing requests.
  • JWT Tokens: Short-lived access tokens (15 min) with secure refresh tokens.
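
The TOTP item above mentions QR code setup and manual secret entry. The block below is an added example, not CreatorSense AI's implementation, of what sits behind those two options: a base32 secret (typed in manually), the `otpauth://` URI that is rendered as the QR code, and RFC 4226/6238 code generation and verification using only the Python standard library. The issuer string, the one-step drift window and the `last_used_step` replay guard are assumptions of the example; the page states none of them.

```python
import base64
import hashlib
import hmac
import os
import struct
import time
from typing import Optional, Tuple
from urllib.parse import quote

ISSUER = "CreatorSense AI"  # label shown in the authenticator app (assumed)
PERIOD = 30                 # seconds per TOTP step
DIGITS = 6


def generate_secret(nbytes: int = 20) -> str:
    """Fresh 160-bit secret, base32-encoded so the user can also type it in manually."""
    return base64.b32encode(os.urandom(nbytes)).decode("ascii").rstrip("=")


def provisioning_uri(secret: str, account: str) -> str:
    """otpauth:// URI; rendering it as a QR code is what the authenticator app scans during setup."""
    label = quote(f"{ISSUER}:{account}")
    return (f"otpauth://totp/{label}?secret={secret}&issuer={quote(ISSUER)}"
            f"&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


def hotp(secret: str, counter: int) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamic truncation, mod 10^DIGITS."""
    key = base64.b32decode(secret.upper() + "=" * (-len(secret) % 8))
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** DIGITS).zfill(DIGITS)


def totp(secret: str, at: Optional[int] = None) -> str:
    """RFC 6238: HOTP with the counter derived from Unix time."""
    now = int(time.time()) if at is None else at
    return hotp(secret, now // PERIOD)


def verify_totp(secret: str, code: str, at: Optional[int] = None,
                window: int = 1, last_used_step: int = -1) -> Tuple[bool, int]:
    """Accept the current step +/- window to tolerate clock drift, but never a step at or
    before the last accepted one, so a code observed in transit cannot be replayed.
    Returns (ok, step_to_persist); the caller stores step_to_persist on the user record."""
    now = int(time.time()) if at is None else at
    step = now // PERIOD
    for candidate in range(step - window, step + window + 1):
        if candidate <= last_used_step:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return True, candidate
    return False, last_used_step


if __name__ == "__main__":
    # RFC 6238 test key "12345678901234567890" in base32, so the values can be checked against the RFC
    rfc_secret = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
    print(provisioning_uri(rfc_secret, "alice@example.com"))
    print(totp(rfc_secret, at=59))                 # 287082
    print(verify_totp(rfc_secret, "287082", at=89))  # (True, 1): one step of drift tolerated
```

A six-digit code has only a million values, so the verification endpoint must sit behind the rate limiting listed under Application Security; without it the drift window turns an online guess into a short brute-force.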

Application Security

  • SQL injection prevention via parameterized queries (SQLAlchemy ORM)
  • XSS prevention with output encoding and Content Security Policy
  • CSRF protection with SameSite cookies and CSRF tokens
  • Rate limiting on authentication endpoints
  • Dependency vulnerability scanning (automated)
  • Input validation on all API endpoints

Audit Logging

We retain server-side security and audit logs for compliance, incident response, and forensic investigation. These logs are operator-facing only; they are not the same as the session history shown on your Security page.

What we record server-side:

  • Authentication Events: Login attempts, logouts, failed attempts
  • Data Access: Exports, sensitive data views
  • Data Modifications: Profile updates, account deletions
  • Administrative Actions: Permission changes, account management
  • Consent Changes: Privacy preference updates

What you see in-app:

  • Your current active session and most recent login activity, surfaced on Settings → Security. A broader audit trail of every action across your account is not yet available to end-users but may be requested under GDPR Article 15 (right of access) at support@creatorsenseai.com.

5. Physical Safeguards

Hosted on Railway/AWS with SOC 2 certified data centers, physical access controls, and 24/7 monitoring.

6. Incident Response

Response Timeline

Severity  Description                        Response Time          Notification
Critical  Confirmed data breach              Immediate containment  Users within 72 hours
High      Active vulnerability exploitation  4 hours                If data affected
Medium    Suspicious activity detected       24 hours               As needed
Low       Potential vulnerability reported   72 hours               No notification

Breach Response Procedure

  1. Identification (0-2 hours): Detect and confirm the incident
  2. Containment (2-4 hours): Stop the breach, secure affected systems
  3. Assessment (4-24 hours): Determine scope and impact
  4. Authority Notification (within 72 hours): Report to the supervisory authority where required (GDPR Article 33)
  5. User Notification (without undue delay): Notify affected users of breaches likely to result in a high risk to them (GDPR Article 34)
  6. Remediation (ongoing): Fix vulnerabilities, improve controls
  7. Documentation (within 7 days): Complete incident report

7. Vulnerability Disclosure

Contact: support@creatorsenseai.com

We respond within 2 business days and remediate critical issues within 24-48 hours.

8. Business Continuity

  • Daily automated backups
  • RTO: 4 hours, RPO: 1 hour
  • Target uptime: 99.9%

9. Compliance

Our security practices align with:

  • GDPR: EU General Data Protection Regulation
  • CCPA: California Consumer Privacy Act
  • Australian Privacy Act: Australian Privacy Principles
  • OWASP: Open Web Application Security Project guidelines

10. Contact

Security, privacy, and general support: support@creatorsenseai.com