
Security Policy

Last updated: November 22, 2025

Overview of the infrastructure, operational safeguards, and disclosure process that keep the Akangbou platform trustworthy.

Infrastructure & Hosting

  • Akangbou is hosted on Vercel with regional edge caching; data is stored in Supabase (Postgres) with row-level security enforced.
  • All traffic is encrypted in transit with TLS 1.2 or newer, and we send HSTS so that browsers refuse to fall back to plain HTTP (protecting against SSL-stripping attacks).
  • Secrets are managed through the Vercel and Supabase encrypted stores; no credentials are committed to the codebase.

Application Security

  • We enforce session revocation and rotate service role keys when team members depart.
  • Sentry monitors runtime errors and unusual patterns in reservation or payment flows.
  • Automated dependency scanning runs through GitHub Dependabot and npm audit.

Data Protection

  • Customer data is segmented by organization using Supabase RLS policies. Only the owning team can read or mutate their records.
  • Backups are taken daily and retained for 30 days. Restoration tests run monthly.
  • PII exports (attendee CSVs, waitlist downloads) are watermarked and logged.
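One way the per-organization segmentation described above can be expressed in Postgres on Supabase. This is an added illustration, not Akangbou's actual schema or policies: the organizations, org_members and reservations tables and the is_org_member helper are assumptions chosen to show the pattern.

```sql
-- Assumed schema (hypothetical, not Akangbou's): every tenant-owned row carries an org_id,
-- and membership is a separate roster table keyed on the Supabase auth user id.
create table public.organizations (
  id   uuid primary key default gen_random_uuid(),
  name text not null
);

create table public.org_members (
  org_id  uuid not null references public.organizations(id) on delete cascade,
  user_id uuid not null references auth.users(id) on delete cascade,
  role    text not null check (role in ('owner', 'admin', 'member')),
  primary key (org_id, user_id)
);

create table public.reservations (
  id             uuid primary key default gen_random_uuid(),
  org_id         uuid not null references public.organizations(id) on delete cascade,
  attendee_email text not null,
  created_at     timestamptz not null default now()
);

-- Helper: is the calling user a member of the given org? Declared SECURITY DEFINER so the
-- membership lookup does not itself recurse through the RLS policies on org_members.
create or replace function public.is_org_member(target_org uuid)
returns boolean
language sql
security definer
set search_path = public
stable
as $$
  select exists (
    select 1 from public.org_members m
    where m.org_id = target_org and m.user_id = auth.uid()
  );
$$;

-- RLS is off by default on a new table; without these lines the policies below are ignored.
alter table public.reservations enable row level security;
alter table public.org_members  enable row level security;

-- Read: only members of the owning organization see its reservations.
create policy "reservations: members read" on public.reservations
  for select to authenticated
  using (public.is_org_member(org_id));

-- Insert: a new row must be tagged with an org the caller belongs to.
create policy "reservations: members insert" on public.reservations
  for insert to authenticated
  with check (public.is_org_member(org_id));

-- Update: both the existing row (USING) and the new version (WITH CHECK) must stay inside
-- the caller's org, so a member cannot re-home a record into another tenant.
create policy "reservations: members update" on public.reservations
  for update to authenticated
  using (public.is_org_member(org_id))
  with check (public.is_org_member(org_id));

-- Delete: members of the owning org only.
create policy "reservations: members delete" on public.reservations
  for delete to authenticated
  using (public.is_org_member(org_id));

-- Roster is readable by its own members; no client-side write policy, so membership changes
-- stay with server-side code.
create policy "org_members: members read" on public.org_members
  for select to authenticated
  using (user_id = auth.uid() or public.is_org_member(org_id));

-- Check from the SQL editor: impersonate one user and confirm other tenants' rows are invisible.
begin;
set local role authenticated;
set local request.jwt.claim.sub = '00000000-0000-0000-0000-000000000001';  -- constructed user id
select count(*) from public.reservations;  -- counts only rows from this user's organizations
rollback;
```

Two caveats worth keeping in mind with this pattern. First, Supabase's service_role key bypasses RLS entirely, so any server-side code that uses it must enforce tenancy on its own and that key must be treated as a production credential (which is why rotating it when staff leave matters). Second, a table without a WITH CHECK clause on its update policy lets a member change org_id on a row they can already see, which is exactly the cross-tenant write the policy is meant to prevent; the update policy above carries both clauses for that reason.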

Incident Response

We classify incidents as P1 (active exploitation), P2 (potential exploit), or P3 (informational). A P1 incident pages the on-call engineer immediately and triggers customer notification within 24 hours. Every incident, regardless of severity, receives a postmortem that documents scope, impact, remediation, and preventive actions.

Vulnerability Reporting

Report suspected vulnerabilities to security@akangbou.com with reproduction steps, impacted endpoints, and any proof-of-concept code. We aim to acknowledge reports within one business day and share remediation timelines within five business days. Public disclosure is prohibited until the fix ships.

Corporate & Employee Controls

  • All staff use SSO, hardware security keys, and auto-locking laptops.
  • Access to production data requires a business justification and auto-expires after seven days.
  • We conduct annual security awareness training focused on phishing, data handling, and incident escalation.