
Data Protection

Last updated: October 5, 2025

At Shock Experts, we understand that you're entrusting us with some of your most sensitive business data — advertising account credentials, campaign metrics, and financial information. This page details the technical and organizational security measures we've implemented to protect your data in AffiDock.

We never sell your data. We never share your account credentials with third parties. We never use your advertising data for any purpose other than displaying it to you.

1. Encryption & Data Protection

Encryption at Rest

  • AES-256 Encryption: All sensitive data, especially account credentials, is encrypted using industry-standard AES-256 encryption
  • Isolated Credential Vault: Account passwords, API tokens, and access keys are stored in a separate, encrypted vault with independent access controls
  • Encrypted Backups: All backup systems use encrypted storage with separate encryption keys
  • Database Encryption: Campaign metrics and account metadata are stored in encrypted databases

Encryption in Transit

  • TLS 1.3: All connections to AffiDock use TLS 1.3 or higher with perfect forward secrecy
  • HTTPS Everywhere: All pages and API endpoints enforce HTTPS; HTTP requests are automatically redirected
  • Secure API Connections: Communication with advertising platforms uses encrypted, authenticated connections
  • Certificate Pinning: Critical connections use certificate pinning to prevent man-in-the-middle attacks

Password Security

  • Passwords are hashed using Argon2id with per-user salts
  • We never store plaintext passwords
  • Password reset tokens expire after 1 hour
  • Account lockout after repeated failed login attempts

2. Access Controls & Authentication

User Authentication

  • Multi-Factor Authentication (MFA): Available for all users and strongly recommended for account security
  • Session Management: Secure session tokens with automatic expiration and refresh mechanisms
  • OAuth Integration: Support for secure sign-in via Google with minimal permission scopes
  • IP Monitoring: Suspicious login locations trigger verification emails

Role-Based Access Control (RBAC)

  • Granular Permissions: Team members can be assigned specific roles (Admin, Editor, Viewer)
  • Principle of Least Privilege: Users only have access to data and features necessary for their role
  • Account Isolation: Each organization's data is logically isolated; no cross-customer access
  • Audit Logs: All access and modifications are logged and auditable

Internal Access Controls

  • Minimal Engineer Access: Engineering team has strictly limited access to production data
  • Logged & Audited: All internal access is logged with justification and reviewed regularly
  • Credential Separation: Production credentials are never stored in code or version control
  • Background Checks: All team members handling user data undergo background checks

3. Infrastructure & Network Security

Cloud Infrastructure

  • Enterprise-Grade Hosting: Hosted on AWS/Google Cloud Platform with SOC 2 Type II compliance
  • UK/EU Data Centers: Primary data storage in UK/EU-based data centers for GDPR compliance
  • Redundant Architecture: Multi-availability zone deployment for high availability and disaster recovery
  • DDoS Protection: Advanced DDoS mitigation and rate limiting to prevent service disruption

Network Security

  • Firewalls: Network-level firewalls restrict access to databases and internal services
  • VPC Isolation: Application runs in isolated Virtual Private Cloud with restricted ingress/egress
  • Intrusion Detection: Automated systems monitor for suspicious network activity
  • API Rate Limiting: Protects against brute force attacks and abuse

Backup & Disaster Recovery

  • Automated Backups: Daily encrypted backups with point-in-time recovery
  • Geographic Redundancy: Backups stored in multiple geographic locations
  • 90-Day Retention: Backup copies retained for 90 days for disaster recovery
  • Tested Recovery: Regular disaster recovery drills to ensure backup integrity

4. Security Monitoring & Incident Response

24/7 Monitoring

  • Automated alerting for suspicious activity and security anomalies
  • Real-time monitoring of login attempts, API usage, and data access patterns
  • System health monitoring with automated failover
  • Log aggregation and analysis for security threat detection

Vulnerability Management

  • Regular Security Audits: Annual third-party security audits and penetration testing
  • Dependency Scanning: Automated scanning for vulnerabilities in third-party libraries
  • Patch Management: Critical security patches applied within 24 hours
  • Bug Bounty Program: Security researchers can responsibly disclose vulnerabilities

Incident Response Protocol

In the unlikely event of a security incident:

  • Immediate Containment: Automated systems isolate affected components to prevent spread
  • 72-Hour Notification: Affected users notified within 72 hours as required by GDPR
  • Regulatory Compliance: Relevant supervisory authorities informed as required by law
  • Transparent Communication: Clear information about what data was affected and remediation steps
  • Post-Incident Analysis: Thorough investigation and implementation of preventive measures

5. Compliance & Certifications

Regulatory Compliance

  • GDPR: Full compliance with EU General Data Protection Regulation
  • UK DPA 2018: Compliance with UK Data Protection Act 2018
  • CCPA: California Consumer Privacy Act compliance for US users
  • PCI DSS: Payment card data handled by PCI DSS Level 1 compliant Stripe

Industry Standards

  • SOC 2 Type II compliance (infrastructure providers)
  • ISO 27001 aligned security practices
  • OWASP Top 10 security guidelines
  • Regular security training for all team members

6. Your Security Responsibilities

Best Practices for Account Security

  • Enable MFA: Turn on multi-factor authentication in your account settings
  • Strong Passwords: Use unique, complex passwords (we recommend a password manager)
  • Review Team Access: Regularly audit team member permissions and remove unnecessary access
  • Monitor Activity: Check your account activity log for unexpected actions
  • Secure Devices: Keep your devices and browsers updated with security patches
  • Report Suspicious Activity: Contact us immediately if you notice anything unusual

7. Third-Party Security

All third-party service providers undergo security vetting and are bound by strict data processing agreements:

  • Stripe (Payments): PCI DSS Level 1 compliant payment processor; we never see full card numbers
  • AWS/GCP (Infrastructure): SOC 2 compliant cloud infrastructure with enterprise security
  • Email Providers: Encrypted email delivery with SPF, DKIM, and DMARC authentication
  • Analytics: Privacy-focused, GDPR-compliant analytics without user tracking

We never share your advertising account credentials with any third party. API connections to advertising platforms are made directly from our secure servers.

8. Contact & Security Reporting

For security-related questions, concerns, or to report a vulnerability:

  • Security Email: legal@shock-experts.com
  • Postal Address: Shock Experts LLP, London, United Kingdom, OC457555

If you discover a security vulnerability, please report it responsibly. We appreciate security researchers helping us keep AffiDock secure and will respond to all legitimate security reports within 48 hours.

Our Commitment to You

AffiDock was built by affiliates who understand how critical account security is to your business. We treat your data with the same care and paranoia we'd want for our own accounts. Your trust is our most valuable asset, and we take data protection seriously — not just because it's legally required, but because it's the right thing to do.

— The Shock Experts Team
