Our Security Principles

Privacy First: We do not sell your data to third parties. Ever.
Defense in Depth: Multiple layers of protection across infrastructure, application, and data.
Least Privilege: Access to data is tightly controlled and audited.
Transparency: Clear communication and responsible disclosure.

Data Protection

All data in transit is protected with TLS 1.2+ using modern ciphers.
Data at rest is encrypted using AES-256.
Secrets are stored in a dedicated secret manager and rotated regularly.
Backups are encrypted and tested regularly for restorability.

Application Security

Automated dependency scanning and patching.
Static analysis and linting integrated into CI.
Secure coding practices and peer review for all changes.
Content Security Policy (CSP) and other browser protections enabled.

Infrastructure Security

Isolated environments for production and non-production workloads.
Network-level protections including firewalls and WAF.
24/7 monitoring, logging, and anomaly detection.
Hardened container images with minimal attack surface.

Compliance Posture

We align our practices with leading industry standards (SOC 2, ISO 27001) and continuously improve our controls.

Incident Response

We maintain a formal incident response plan with clear ownership, rapid triage, and communication procedures.

24/7 on-call rotation and predefined runbooks
Root-cause analysis and corrective actions for every incident
Responsible disclosure: security@overscribe.io

Data Retention & Deletion

We retain personal data only for as long as necessary to provide the service. Users can request data export or deletion at any time via account settings or by contacting privacy@overscribe.io.

Contact Security

If you believe you've discovered a vulnerability or security issue, please email us at security@overscribe.io. We aim to acknowledge reports within 24 hours.

Security at OverScribe