Security Policy

AI-Powered PDF Analysis Platform

Copyright © 2025 AZ1.AI Inc. / Coditect.AI - All Rights Reserved

🔒 Security Overview

The AI-Powered PDF Analysis Platform is designed with security as a top priority. This document outlines our security policies, reporting procedures, and best practices.

Supported Versions

Version     Supported
1.0.x
< 1.0

🚨 Reporting a Vulnerability

Please do NOT report security vulnerabilities through public GitHub issues.

How to Report

Send a detailed email to: 1@az1.ai

Include the following information:

  1. Type of vulnerability (e.g., SQL injection, XSS, authentication bypass)
  2. Location (file path, URL, or specific component)
  3. Step-by-step reproduction instructions
  4. Proof of concept (if applicable)
  5. Impact assessment (what can an attacker do?)
  6. Suggested mitigation (if you have recommendations)
  7. Your contact information

What to Expect

  • Acknowledgment: Within 48 hours
  • Initial Assessment: Within 5 business days
  • Status Updates: Weekly until resolved
  • Resolution Timeline: Varies by severity
    • Critical: 1-3 days
    • High: 1-2 weeks
    • Medium: 2-4 weeks
    • Low: 4-8 weeks

Disclosure Policy

  • We follow coordinated disclosure
  • Allow us 90 days to fix the issue before public disclosure
  • We will credit you in our security advisories (if desired)
  • We may offer a bounty for significant vulnerabilities

🛡️ Security Features

Authentication & Authorization

JWT-Based Authentication

  • Access tokens expire in 30 minutes
  • Refresh tokens expire in 7 days
  • Secure token storage in HTTP-only cookies
  • Automatic token refresh on 401 errors

OAuth 2.0 Support

  • Google OAuth integration
  • GitHub OAuth integration
  • Secure callback handling
  • State parameter validation

Role-Based Access Control (RBAC)

  • Admin, User, and Viewer roles
  • Granular permission system
  • Organization-level isolation
  • API key management per user

Rate Limiting

Sliding Window Algorithm

  • Per-user rate limits based on tier
  • Distributed via Redis
  • Response headers indicate limits
  • 429 status code with retry-after

Rate Limits by Tier:

  • Free: 10 req/min, 100 req/hour
  • Pro: 100 req/min, 5000 req/hour
  • Enterprise: 1000 req/min, 50000 req/hour
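The sliding-window check described above, carried out for the three tiers listed, as an added example rather than the platform's own code. An in-memory dict stands in for the Redis sorted set a distributed deployment would share (an assumption here); the header names are likewise assumed.

```python
import bisect
import math
from collections import defaultdict

# Limits per tier from the policy above: (requests per minute, requests per hour).
TIER_LIMITS = {
    "free": (10, 100),
    "pro": (100, 5000),
    "enterprise": (1000, 50000),
}

# Stand-in for the Redis sorted set (score = request timestamp) a distributed
# deployment would share; an assumption for this example, not the platform's code.
_request_log = defaultdict(list)  # user_id -> ascending request timestamps (seconds)


def check_rate_limit(user_id, tier, now):
    """Sliding-window-log check for one request arriving at time `now`.

    Returns (status, headers): 200 if the request is admitted and recorded,
    429 with Retry-After if the minute or the hour window is already full.
    """
    stamps = _request_log[user_id]
    # Evict entries older than the longest window so the log cannot grow unbounded.
    del stamps[:bisect.bisect_right(stamps, now - 3600)]

    headers = {}
    for window, limit in zip((60, 3600), TIER_LIMITS[tier]):
        first_in_window = bisect.bisect_right(stamps, now - window)
        used = len(stamps) - first_in_window
        if used >= limit:
            # The window slides: capacity returns when its oldest request ages out.
            retry_after = math.ceil(stamps[first_in_window] + window - now)
            return 429, {
                "X-RateLimit-Limit": limit,
                "X-RateLimit-Remaining": 0,
                "Retry-After": max(retry_after, 1),
            }
        # Advertise the tightest remaining quota across the two windows.
        remaining = limit - used - 1
        if not headers or remaining < headers["X-RateLimit-Remaining"]:
            headers = {"X-RateLimit-Limit": limit, "X-RateLimit-Remaining": remaining}

    bisect.insort(stamps, now)
    return 200, headers
```

Because the log is per window edge rather than per fixed bucket, a client cannot double its quota by straddling a minute boundary, and Retry-After tells it exactly when the oldest request in the window expires.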

Input Validation

File Upload Security

  • PDF file type validation (magic bytes)
  • Maximum file size: 50MB
  • Virus scanning (planned)
  • Sanitized filenames
  • Secure temporary storage
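The upload checks listed above (magic bytes, 50MB cap, filename sanitization, private temporary storage) as one validator, written here as an added example rather than the platform's own code. The strict header-at-offset-0 check, the permitted character set and the 100-character stem cap are assumptions.

```python
import os
import re
import tempfile

MAX_UPLOAD_BYTES = 50 * 1024 * 1024  # the 50MB limit stated in the policy
PDF_MAGIC = b"%PDF-"                 # header every conforming PDF begins with
_UNSAFE_CHARS = re.compile(r"[^A-Za-z0-9._-]")


class UploadRejected(ValueError):
    """Carries a user-safe reason; never includes file contents."""


def sanitize_filename(name: str) -> str:
    """Reduce a client-supplied name to a safe basename that ends in .pdf."""
    # Drop any directory part, whichever separator the client used (path traversal).
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    stem = base.rsplit(".", 1)[0] if "." in base else base
    # Replace anything outside a conservative character set, drop leading dots
    # (no hidden files), cap the length, and never return an empty stem.
    stem = _UNSAFE_CHARS.sub("_", stem).strip("._")[:100] or "upload"
    return f"{stem}.pdf"


def validate_pdf_upload(filename: str, data: bytes) -> str:
    """Check size and magic bytes; return the sanitized name to store the file under."""
    if len(data) > MAX_UPLOAD_BYTES:
        raise UploadRejected("file exceeds the 50MB limit")
    # Decide on the content, not on the extension or the Content-Type header. The check
    # is strict (header at offset 0), so it rejects some files that readers would open.
    if not data.startswith(PDF_MAGIC):
        raise UploadRejected("file is not a PDF")
    return sanitize_filename(filename)


def store_temporarily(data: bytes) -> str:
    """Write the upload to a private temp file (mode 0600, unpredictable name)."""
    fd, path = tempfile.mkstemp(suffix=".pdf")
    with os.fdopen(fd, "wb") as fh:
        fh.write(data)
    return path
```

The size check runs before the content check so an oversized body is refused without reading its header, and the temporary file is created by mkstemp with owner-only permissions rather than under a name the client chose.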

API Input Validation

  • Pydantic models for type safety
  • SQL injection prevention (SQLAlchemy ORM)
  • XSS prevention (React auto-escaping)
  • CSRF protection
  • Request size limits

Data Protection

Encryption at Rest

  • PostgreSQL encryption enabled
  • GCS bucket encryption
  • Secret Manager for API keys
  • Encrypted database backups

Encryption in Transit

  • TLS 1.3 for all connections
  • HTTPS only (HSTS enabled)
  • Secure WebSocket (WSS)
  • Certificate pinning (production)

Data Retention

  • Soft delete for documents (90-day retention)
  • Audit logs kept for 7 years
  • Automatic cleanup of expired data
  • GDPR-compliant data deletion

Secret Management

Google Secret Manager

  • Centralized secret storage
  • Automatic rotation support
  • Version control
  • Audit trail
  • IAM-based access control

Secrets Never Committed

  • .gitignore for .env files
  • Pre-commit hooks check for secrets
  • GitHub secret scanning enabled
  • No hardcoded credentials

Network Security

Kubernetes Network Policies

  • Pod-to-pod traffic restrictions
  • Ingress/egress rules
  • Namespace isolation
  • Service mesh integration (planned)

Firewall Rules

  • Cloud Armor WAF protection
  • DDoS mitigation
  • IP allowlisting for admin endpoints
  • Geographic restrictions (configurable)

Dependency Management

Automated Scanning

  • Snyk for vulnerability detection
  • Trivy for container scanning
  • Dependabot for updates
  • GitHub Security Advisories

Update Policy

  • Critical vulnerabilities: Immediate
  • High vulnerabilities: Within 7 days
  • Medium vulnerabilities: Within 30 days
  • Low vulnerabilities: Next release

🔐 Security Best Practices

For Developers

Code Security

```python
# ✅ Good: Parameterized queries
# The ORM binds user_id as a query parameter; it is never spliced into the SQL text.
user = db.query(User).filter(User.id == user_id).first()

# ❌ Bad: SQL injection risk
# user_id is interpolated straight into the statement, so its value can change the query.
user = db.execute(f"SELECT * FROM users WHERE id = {user_id}")
```

Environment Variables

```python
import os

# ✅ Good: Use environment variables
# The key is injected at runtime and never appears in the repository.
api_key = os.getenv("ANTHROPIC_API_KEY")

# ❌ Bad: Hardcoded secrets
# Anything committed stays in git history even after it is removed from the file.
api_key = "sk-ant-api03-xxxxx"
```
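The pre-commit secret check listed under Secrets Never Committed, applied to the hardcoded-key pattern shown above. This is an added example, not the platform's own hook: the AWS and private-key patterns, the entropy threshold and the sample diff are assumptions constructed here.

```python
import math
import re
from collections import Counter

# Known credential shapes. The Anthropic prefix is the one in the hardcoded example above;
# the other two patterns are common formats included here as assumptions.
KNOWN_PATTERNS = {
    "anthropic_api_key": re.compile(r"sk-ant-api\d{2}-[A-Za-z0-9_-]{5,}"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "private_key_block": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
}
# Fallback: a secret-looking variable assigned a long quoted literal.
ASSIGNMENT = re.compile(r"(?i)(api[_-]?key|secret|token|password)\s*[=:]\s*['\"]([^'\"]{16,})['\"]")
ENTROPY_THRESHOLD = 3.5  # bits per character; random-looking literals score above this

# Constructed staged diff for demonstration: only the two literal credentials should be flagged.
SAMPLE_DIFF = """--- a/config.py
+++ b/config.py
+import os
+api_key = os.getenv("ANTHROPIC_API_KEY")
+api_key = "sk-ant-api03-xxxxx"
+token = "Zx9Qp2Lm7Vb4Rt8Kw1Yn3Hc6Jd0Fs5Ga"
 db_url = "postgres://localhost/app"
"""


def shannon_entropy(s):
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def scan_added_lines(diff_text):
    """Return (diff line number, reason, matched value) for each added line that looks like a secret."""
    findings = []
    for lineno, line in enumerate(diff_text.splitlines(), 1):
        if not line.startswith("+") or line.startswith("+++"):
            continue  # only added lines are new exposure; '+++' is the file header
        body = line[1:]
        for reason, pattern in KNOWN_PATTERNS.items():
            match = pattern.search(body)
            if match:
                findings.append((lineno, reason, match.group(0)))
                break
        else:
            match = ASSIGNMENT.search(body)
            if match and shannon_entropy(match.group(2)) > ENTROPY_THRESHOLD:
                findings.append((lineno, "high_entropy_assignment", match.group(2)))
    return findings
```

A hook would run this over the output of `git diff --cached` and refuse the commit when the list is non-empty; the entropy fallback catches keys whose prefix is not in the known list, at the cost of occasional false positives on long random-looking identifiers.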

Error Handling

```python
import logging
from fastapi import HTTPException  # assumes the FastAPI backend implied by the Pydantic models

logger = logging.getLogger(__name__)

# ✅ Good: Generic error message
except Exception as e:
    logger.error(f"Database error: {e}")  # full detail stays in the server log
    raise HTTPException(500, "Internal server error")

# ❌ Bad: Exposing internals
except Exception as e:
    raise HTTPException(500, str(e))  # returns driver messages, paths or query text to the client
```

For Users

API Key Security

  1. Never share your API keys
  2. Rotate keys every 90 days
  3. Use different keys per environment
  4. Revoke compromised keys immediately
  5. Monitor usage for anomalies

Account Security

  1. Use strong passwords (min 8 chars, mixed case, numbers, symbols)
  2. Enable 2FA (when available)
  3. Don't reuse passwords
  4. Review audit logs regularly
  5. Report suspicious activity

For Administrators

Infrastructure Security

  1. Keep Kubernetes cluster updated
  2. Enable audit logging
  3. Use Workload Identity (GKE)
  4. Implement network policies
  5. Regular security audits
  6. Backup encryption keys
  7. Monitor security dashboards

Access Control

  1. Principle of least privilege
  2. Regular access reviews
  3. MFA for all admin accounts
  4. Separate dev/prod environments
  5. Audit trail for all changes

🔍 Security Monitoring

Logging & Auditing

Audit Log Events

  • User login/logout
  • API key creation/deletion
  • Permission changes
  • Data access/modification
  • Configuration updates
  • Failed authentication attempts

Log Retention

  • Application logs: 30 days
  • Audit logs: 7 years
  • Access logs: 90 days
  • Security events: Indefinite

Alerting

Security Alerts

  • Multiple failed login attempts
  • Unusual API usage patterns
  • Permission escalation attempts
  • Data exfiltration indicators
  • Anomalous network traffic

Response Times

  • Critical alerts: Immediate (24/7)
  • High alerts: Within 1 hour
  • Medium alerts: Within 4 hours
  • Low alerts: Next business day

📋 Compliance

Standards & Frameworks

  • OWASP Top 10: Mitigations implemented
  • CWE Top 25: Addressed in design
  • GDPR: Data privacy compliance
  • SOC 2: In progress (planned)
  • ISO 27001: Aligned practices

Data Privacy

GDPR Rights

  • Right to access (export your data)
  • Right to rectification (update your data)
  • Right to erasure (delete your account)
  • Right to restrict processing
  • Right to data portability

Contact for Privacy Requests

Email: 1@az1.ai with subject "Privacy Request"

🛠️ Incident Response

Process

  1. Detection: Automated or manual identification
  2. Assessment: Determine severity and scope
  3. Containment: Isolate affected systems
  4. Eradication: Remove threat
  5. Recovery: Restore normal operations
  6. Post-Mortem: Document and improve

Communication

During an Incident:

  • Status page updates (if available)
  • Email notifications to affected users
  • GitHub Security Advisory (for vulnerabilities)

After Resolution:

  • Post-mortem report
  • Mitigation steps taken
  • Preventive measures implemented

📞 Contact

Security Team

  • Email: 1@az1.ai
  • Subject: "Security - [Brief Description]"
  • PGP Key: Available on request

Bug Bounty Program

Coming soon - watch this space!

Last Updated: November 1, 2025
Version: 1.0

Security is everyone's responsibility. Thank you for helping keep our platform secure!