
Security Policy

1. Overview

This Security Policy describes the administrative, technical, and physical safeguards CreatorSense AI implements to protect user data and Platform Data.

2. Security Principles

  • Defense in Depth: Multiple layers of security controls
  • Least Privilege: Access granted only as needed
  • Data Minimization: Collect only necessary data
  • Encryption by Default: All data encrypted in transit and at rest

3. Administrative Safeguards

Access Controls

  • Role-based access control (RBAC)
  • Quarterly access reviews
  • Immediate revocation upon termination

Employee Security

  • Background checks for data access
  • Annual security training
  • Confidentiality agreements

4. Technical Safeguards

Encryption Standards

Data Type        Encryption Method            Standard
Data in Transit  TLS 1.3                      Industry standard HTTPS
Data at Rest     AES-256                      Database-level encryption
OAuth Tokens     Fernet (AES-128-CBC + HMAC)  Symmetric encryption
Passwords        Argon2id                     OWASP recommended hashing

Authentication Security

  • Password Hashing: Argon2id (memory-hard, OWASP recommended)
  • Passkeys (WebAuthn / FIDO2): Register hardware keys, biometric authenticators, or device passkeys as a passwordless login method. Passkeys are stored per-device and can be individually revoked at any time from Settings → Security.
  • Two-Factor Authentication (TOTP): Optional authenticator-app 2FA (Google Authenticator, Authy, etc.) with QR code setup and manual secret entry
  • Security Score: A live-calculated account security score is displayed on your Security page — starting at 75, increasing to 90 with 2FA enabled, and 100 with a recent password change. It helps you identify and close security gaps at a glance.
  • Session Management: HTTP-only secure cookies with SameSite policy. Active sessions can be viewed and all sessions can be revoked in bulk from Settings → Security.
  • OAuth 2.0: Platform connections via OAuth (we never receive platform passwords)
  • CSRF Protection: Token-based protection on all state-changing requests
  • JWT Tokens: Short-lived access tokens (15 min) with secure refresh tokens

Application Security

  • SQL injection prevention via parameterized queries (SQLAlchemy ORM)
  • XSS prevention with output encoding and Content Security Policy
  • CSRF protection with SameSite cookies and CSRF tokens
  • Rate limiting on authentication endpoints
  • Dependency vulnerability scanning (automated)
  • Input validation on all API endpoints
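As an added illustration of two of the controls named above (the HTTP-only, Secure, SameSite session cookie and token-based CSRF protection on state-changing requests), the following stdlib-only Python is example code written for this page, not CreatorSense AI's own implementation. The function names, the cookie name, and the choice of SameSite=Lax are assumptions.

```python
"""Session cookie hardening and CSRF token handling (added example, not the platform's code)."""
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Optional

SESSION_COOKIE = "session"        # assumed cookie name
SESSION_MAX_AGE = 15 * 60         # assumed: aligned with the 15-minute access-token lifetime


def build_session_cookie(session_id: str, max_age: int = SESSION_MAX_AGE) -> str:
    """Return a Set-Cookie header value carrying HttpOnly, Secure and SameSite.

    HttpOnly keeps the cookie out of document.cookie (limits what XSS can steal),
    Secure restricts it to HTTPS, and SameSite=Lax stops cross-site POSTs from
    carrying it, which removes most CSRF vectors before the token check runs.
    """
    cookie = SimpleCookie()
    cookie[SESSION_COOKIE] = session_id
    morsel = cookie[SESSION_COOKIE]
    morsel["httponly"] = True
    morsel["secure"] = True
    morsel["samesite"] = "Lax"
    morsel["path"] = "/"
    morsel["max-age"] = max_age
    return morsel.OutputString()


def cookie_has_required_flags(header_value: str) -> bool:
    """Check that a Set-Cookie value carries all three hardening attributes."""
    attrs = {part.strip().split("=")[0].lower() for part in header_value.split(";")}
    return {"httponly", "secure", "samesite"} <= attrs


def issue_csrf_token(session: dict) -> str:
    """Mint a random CSRF token and bind it to the server-side session."""
    token = secrets.token_urlsafe(32)
    session["csrf_token"] = token
    return token


def verify_csrf(session: dict, method: str, submitted_token: Optional[str]) -> bool:
    """Allow safe methods; require a matching token on every state-changing request.

    hmac.compare_digest is used so the comparison does not leak the token through timing.
    """
    if method.upper() in ("GET", "HEAD", "OPTIONS"):
        return True
    expected = session.get("csrf_token")
    if not expected or not submitted_token:
        return False
    return hmac.compare_digest(expected, submitted_token)


if __name__ == "__main__":
    header = build_session_cookie(secrets.token_urlsafe(24))
    print("Set-Cookie:", header)
    session: dict = {}
    token = issue_csrf_token(session)
    print("POST with valid token accepted:", verify_csrf(session, "POST", token))
    print("POST without token accepted:", verify_csrf(session, "POST", None))
```

The cookie flags and the token check are complementary: SameSite blocks the browser from attaching the session cookie to most cross-origin requests, while the token check catches the cases SameSite does not cover (older browsers, same-site subdomain attacks, or deliberately relaxed cookies).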

Audit Logging

We maintain server-side security logs for compliance and incident response:

  • Authentication Events: Login attempts, logouts, failed attempts
  • Data Access: Exports, sensitive data views
  • Data Modifications: Profile updates, account deletions
  • Administrative Actions: Permission changes, account management
  • Consent Changes: Privacy preference updates

Server-side security logs are retained for compliance requirements. User-visible session history shows your current active session and recent login activity from the Security page.
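To show how the event categories above can be recorded and then used in incident response, here is an added Python example (not CreatorSense AI's logging code) that writes events as JSON lines and runs a simple detector over constructed sample lines: repeated failed logins for one account inside a short window. The category names, field names, the 5-failures-in-10-minutes threshold, and the sample accounts and addresses are all assumptions.

```python
"""Structured security audit log plus a failed-login burst detector (added example)."""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List

# Assumed category names, one per bullet in the policy's audit-logging list
CATEGORIES = {"auth", "data_access", "data_modification", "admin", "consent"}


def record_event(category: str, action: str, actor: str, outcome: str,
                 ts: datetime, **detail) -> str:
    """Serialise one audit event as a single JSON line (timestamp in ISO 8601)."""
    if category not in CATEGORIES:
        raise ValueError(f"unknown audit category: {category}")
    event = {"ts": ts.isoformat(), "category": category, "action": action,
             "actor": actor, "outcome": outcome, **detail}
    return json.dumps(event, sort_keys=True)


def parse_events(lines: List[str]) -> List[dict]:
    """Parse JSON lines back into dicts, skipping malformed lines instead of aborting."""
    events = []
    for line in lines:
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            continue
    return events


def failed_login_bursts(events: List[dict], threshold: int = 5,
                        window: timedelta = timedelta(minutes=10)) -> Dict[str, datetime]:
    """Return {actor: start_of_burst} for accounts with >= threshold failed logins within window."""
    failures = defaultdict(list)
    for e in events:
        if (e.get("category") == "auth" and e.get("action") == "login"
                and e.get("outcome") == "failure"):
            failures[e["actor"]].append(datetime.fromisoformat(e["ts"]))
    hits: Dict[str, datetime] = {}
    for actor, times in failures.items():
        times.sort()
        # Slide a window of `threshold` consecutive failures; flag the first one that fits
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                hits[actor] = times[i]
                break
    return hits


# Constructed sample log: one account with a burst of failures, one with normal activity
BASE = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
SAMPLE_LINES = [
    record_event("auth", "login", "alice@example.com", "failure",
                 BASE + timedelta(seconds=30 * i), ip="203.0.113.5")
    for i in range(6)
] + [
    record_event("auth", "login", "bob@example.com", "success",
                 BASE + timedelta(minutes=1), ip="198.51.100.7"),
    record_event("data_access", "export", "bob@example.com", "success",
                 BASE + timedelta(minutes=2)),
    record_event("auth", "login", "bob@example.com", "failure",
                 BASE + timedelta(hours=3)),
    "this line is not json",   # a corrupted line the parser must tolerate
]


def detect_from_sample() -> Dict[str, datetime]:
    """Run the detector over the constructed sample log."""
    return failed_login_bursts(parse_events(SAMPLE_LINES))


if __name__ == "__main__":
    for actor, first in detect_from_sample().items():
        print(f"ALERT: {actor} had 5+ failed logins starting {first.isoformat()}")
```

Keeping every event on one JSON line with a fixed set of field names is what makes the later query cheap: the same parser serves the rate-limiting check on authentication endpoints and the Identification step of the breach procedure, and a malformed line is skipped rather than halting the review.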

5. Physical Safeguards

Hosted on Railway/AWS with SOC 2 certified data centers, physical access controls, and 24/7 monitoring.

6. Incident Response

Response Timeline

Severity  Description                        Response Time          Notification
Critical  Confirmed data breach              Immediate containment  Users within 72 hours
High      Active vulnerability exploitation  4 hours                If data affected
Medium    Suspicious activity detected       24 hours               As needed
Low       Potential vulnerability reported   72 hours               No notification

Breach Response Procedure

  1. Identification (0-2 hours): Detect and confirm the incident
  2. Containment (2-4 hours): Stop the breach, secure affected systems
  3. Assessment (4-24 hours): Determine scope and impact
  4. Authority Notification (within 72 hours): Report to regulators if required (GDPR)
  5. User Notification (without undue delay): Notify affected users of high-risk breaches
  6. Remediation (ongoing): Fix vulnerabilities, improve controls
  7. Documentation (within 7 days): Complete incident report

7. Vulnerability Disclosure

Contact: security@creatorsenseai.com

We respond within 2 business days and remediate critical issues within 24-48 hours.

8. Business Continuity

  • Daily automated backups
  • RTO: 4 hours, RPO: 1 hour
  • Target uptime: 99.9%

9. Compliance

Our security practices align with:

  • GDPR: EU General Data Protection Regulation
  • CCPA: California Consumer Privacy Act
  • Australian Privacy Act: Australian Privacy Principles
  • OWASP: Open Web Application Security Project guidelines

10. Contact

Security Issues: security@creatorsenseai.com

Privacy Questions: privacy@creatorsenseai.com

General Support: support@creatorsenseai.com