Security Policy

    Last updated: December 2024

    Introduction

    At Carapis Tax, we take security seriously. This Security Policy outlines our commitment to protecting your data and maintaining the highest security standards for our AI-powered customs duty calculator.

    Security Principles

    Data Protection

    • Encryption: All data is encrypted in transit and at rest
    • Access Control: Strict access controls and authentication
    • Monitoring: Continuous security monitoring and threat detection
    • Compliance: Adherence to industry security standards

    Infrastructure Security

    • Cloud Security: Secure cloud infrastructure with regular audits
    • Network Protection: Firewalls, DDoS protection, and intrusion detection
    • Physical Security: Secure data centers with 24/7 monitoring
    • Backup Systems: Regular backups with disaster recovery plans

    Security Measures

    Data Encryption

    In Transit

    • HTTPS/TLS: All communications use TLS 1.3 encryption
    • API Security: Secure API endpoints with authentication
    • WebSocket Protection: Encrypted real-time connections

    At Rest

    • Database Encryption: All databases are encrypted at rest
    • File Storage: Encrypted file storage systems
    • Backup Encryption: Encrypted backup storage

    Access Control

    Authentication

    • Multi-Factor Authentication: Required for all accounts
    • Strong Passwords: Enforced password policies
    • Session Management: Secure session handling
    • API Keys: Secure API key management

    Authorization

    • Role-Based Access: Granular permission systems
    • Principle of Least Privilege: Minimal required access
    • Regular Reviews: Periodic access reviews
    • Immediate Revocation: Quick access termination

    Network Security

    Perimeter Protection

    • Firewalls: Multi-layer firewall protection
    • DDoS Protection: Advanced DDoS mitigation
    • Intrusion Detection: Real-time threat monitoring
    • Vulnerability Scanning: Regular security assessments

    Internal Security

    • Network Segmentation: Isolated network segments
    • VPN Access: Secure remote access
    • Monitoring: 24/7 network monitoring
    • Incident Response: Rapid security incident response

    Security Standards

    Compliance

    We maintain compliance with industry standards:

    • SOC 2 Type II: Annual security audits
    • ISO 27001: Information security management
    • GDPR: Data protection compliance
    • CCPA: California privacy compliance

    Certifications

    • Cloud Security: AWS/GCP security certifications
    • Data Protection: Privacy shield certifications
    • Penetration Testing: Regular third-party security assessments

    Incident Response

    Security Monitoring

    • 24/7 Monitoring: Continuous security monitoring
    • Threat Intelligence: Real-time threat detection
    • Automated Alerts: Immediate security notifications
    • Security Operations: Dedicated security team

    Incident Response Plan

    1. Detection: Automated and manual threat detection
    2. Assessment: Rapid incident assessment and classification
    3. Containment: Immediate threat containment
    4. Investigation: Thorough incident investigation
    5. Remediation: Complete threat remediation
    6. Recovery: Service restoration and monitoring
    7. Post-Incident: Lessons learned and improvements

    Communication

    • Customer Notification: Prompt notification of security incidents
    • Transparency: Clear communication about security events
    • Status Updates: Regular updates during incident resolution
    • Post-Incident Reports: Detailed incident reports

    Data Security

    Data Classification

    • Public Data: Information available to all users
    • Internal Data: Company internal information
    • Confidential Data: Sensitive business information
    • Restricted Data: Highly sensitive information

    Data Handling

    • Data Minimization: Collect only necessary data
    • Purpose Limitation: Use data only for intended purposes
    • Retention Policies: Clear data retention schedules
    • Secure Disposal: Secure data deletion processes

    Third-Party Security

    • Vendor Assessment: Security evaluation of third-party vendors
    • Contractual Requirements: Security requirements in contracts
    • Regular Audits: Periodic vendor security reviews
    • Incident Coordination: Coordinated incident response

    Security Training

    Employee Security

    • Security Awareness: Regular security training
    • Phishing Simulations: Regular phishing awareness tests
    • Policy Training: Security policy education
    • Incident Response: Security incident training

    Development Security

    • Secure Coding: Secure development practices
    • Code Reviews: Security-focused code reviews
    • Vulnerability Testing: Regular security testing
    • Dependency Management: Secure dependency management

    Vulnerability Management

    Vulnerability Assessment

    • Regular Scanning: Automated vulnerability scanning
    • Penetration Testing: Regular security assessments
    • Code Analysis: Static and dynamic code analysis
    • Dependency Scanning: Third-party dependency scanning

    Patch Management

    • Security Updates: Prompt security patch deployment
    • Vulnerability Tracking: Comprehensive vulnerability tracking
    • Risk Assessment: Regular risk assessments
    • Remediation Planning: Structured remediation processes

    Business Continuity

    Disaster Recovery

    • Backup Systems: Comprehensive backup systems
    • Recovery Testing: Regular disaster recovery testing
    • Geographic Redundancy: Multi-region infrastructure
    • Service Continuity: Minimal service disruption

    Incident Recovery

    • Service Restoration: Rapid service restoration
    • Data Recovery: Secure data recovery processes
    • Communication: Clear recovery status updates
    • Post-Recovery: Recovery validation and monitoring

    Security Reporting

    Vulnerability Disclosure

    We welcome security researchers to report vulnerabilities:

    • Responsible Disclosure: Coordinated vulnerability disclosure
    • Bug Bounty: Security researcher recognition
    • Clear Process: Structured vulnerability reporting
    • Timely Response: Prompt vulnerability assessment

    Security Contact

    For security-related inquiries:

    • Security Email: security@carapis.com
    • PGP Key: Available for encrypted communications
    • Response Time: 24-hour initial response
    • Escalation: Clear escalation procedures

    Security Updates

    Policy Updates

    • Regular Reviews: Annual security policy reviews
    • Industry Updates: Alignment with industry best practices
    • Customer Feedback: Incorporation of customer feedback
    • Continuous Improvement: Ongoing security enhancements

    Communication

    • Customer Notification: Notification of significant changes
    • Transparency: Clear communication about security updates
    • Documentation: Updated security documentation
    • Training: Updated security training materials

    Compliance and Auditing

    Regular Audits

    • Internal Audits: Regular internal security audits
    • External Audits: Third-party security assessments
    • Compliance Reviews: Regular compliance reviews
    • Risk Assessments: Periodic risk assessments

    Certifications

    • Security Certifications: Industry security certifications
    • Privacy Certifications: Privacy protection certifications
    • Cloud Certifications: Cloud security certifications
    • Compliance Certifications: Regulatory compliance certifications

    This Security Policy is effective as of the date listed above and applies to all Carapis Tax services and infrastructure.