Security

Your security and privacy are our top priorities. Learn how we protect your data.

Our Security Commitment

At Citaspace, we implement industry-leading security practices to protect your data. We continuously monitor, update, and improve our security measures to defend against evolving threats.

Data Encryption

Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers uses the latest TLS 1.3 protocol
  • HTTPS Everywhere: All pages and API endpoints require secure HTTPS connections
  • Perfect Forward Secrecy: Each TLS session negotiates its own ephemeral key, so recorded traffic cannot be decrypted later even if a long-term server key is compromised
  • HSTS: HTTP Strict Transport Security tells browsers to connect only over HTTPS, which blocks protocol-downgrade and SSL-stripping attacks

Encryption at Rest

  • AES-256: All stored data is encrypted using AES-256 encryption
  • Database Encryption: PostgreSQL data is encrypted at the disk level
  • File Storage: Uploaded images and documents are encrypted in AWS S3/R2
  • Backup Encryption: All database backups are encrypted before storage

Authentication & Access Control

Password Security

  • Bcrypt Hashing: Passwords are hashed with bcrypt using a cost factor tuned so that each guess is deliberately slow
  • Salted Hashes: bcrypt generates a unique random salt for each password and stores it inside the hash, so identical passwords yield different hashes and precomputed rainbow tables are useless
  • Password Requirements: Minimum 8 characters required
  • No Plain Text Storage: Passwords are never stored in plain text or reversible encryption

Session Management

  • Secure Tokens: Industry-standard token-based authentication
  • Short-lived Sessions: Access tokens and sessions expire automatically, limiting how long a leaked token remains usable
  • Secure Storage: Session data is stored encrypted
  • Secure Cookies: HttpOnly and Secure flags enabled on authentication cookies

Role-Based Access Control (RBAC)

  • Least Privilege: Users only have access to resources they need
  • User Roles: Admin, Tech (service provider), and Client roles with specific permissions
  • Multi-Tenancy: Strict data isolation between accounts
  • API Authorization: Every API request validates user permissions

Infrastructure Security

Cloud Infrastructure

  • AWS/Vercel: Hosted on enterprise-grade cloud infrastructure
  • DDoS Protection: Cloudflare protection against distributed denial-of-service attacks
  • Network Isolation: Private VPCs and security groups restrict access
  • WAF (Web Application Firewall): Filters malicious traffic before it reaches our servers
  • Auto-Scaling: Infrastructure scales automatically to handle traffic spikes

Database Security

  • PostgreSQL: Production-grade relational database
  • Connection Pooling: A bounded connection pool caps the number of open database connections, so a burst of requests cannot exhaust the database
  • SQL Injection Prevention: Parameterized queries via Prisma ORM
  • Database Credentials: Rotated regularly and stored in secure vaults
  • Automated Backups: Daily encrypted backups with 30-day retention
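The SQL injection bullet above is the one most worth seeing concretely. The following is an added example, not Citaspace's or Prisma's code: it shows a string-built query beside a parameterized one, using a minimal `sql` tagged template that mimics the shape of tagged-template query builders such as `Prisma.sql` (literal text becomes SQL, each interpolated value becomes a `$n` placeholder sent separately). The table and column names, the `SORTABLE` allow-list and the `listUsers` helper are assumptions for illustration.

```javascript
// Added example (not Citaspace or Prisma code): string concatenation versus
// parameterized queries. The `sql` tag is an illustration of the pattern,
// not a library; in a real code base use the ORM's own tag.

// VULNERABLE: the input is spliced into the SQL text, so a quote in the input
// ends the string literal and the rest is parsed as SQL.
function unsafeUserLookup(email) {
  return `SELECT id, email FROM users WHERE email = '${email}'`;
}

// Tagged template: the literal pieces stay SQL, each ${} becomes a $n
// placeholder and its value travels in a separate array. The database
// receives the value as data and never parses it as part of the statement.
function sql(strings, ...values) {
  let text = strings[0];
  values.forEach((value, i) => {
    text += `$${i + 1}` + strings[i + 1];
  });
  return { text, values };
}

function safeUserLookup(email) {
  return sql`SELECT id, email FROM users WHERE email = ${email}`;
}

// Identifiers (table or column names) cannot be parameters: a $n placeholder
// only holds values. Where a user-chosen sort column is needed, allow-list it
// and interpolate only the allow-listed value.
const SORTABLE = new Set(["created_at", "email"]); // assumed columns
function listUsers(orderBy) {
  if (!SORTABLE.has(orderBy)) throw new Error("unsupported sort column");
  return { text: `SELECT id FROM users ORDER BY ${orderBy}`, values: [] };
}
```

The distinction that matters in review is whether untrusted data ever reaches the query text. With the tagged form, `' OR '1'='1` arrives as the single parameter value `$1` and matches no e-mail; with the concatenated form it rewrites the WHERE clause. Prisma's `$queryRawUnsafe` (a plain string) reintroduces the first behaviour, which is why a code search for it is a cheap audit step.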

Application Security

  • Security Headers: CSP, X-Frame-Options, X-Content-Type-Options implemented
  • CSRF Protection: Cross-Site Request Forgery tokens on all forms
  • XSS Prevention: Input sanitization and output encoding
  • Rate Limiting: API rate limits prevent brute force attacks
  • Dependency Scanning: Automated vulnerability scanning of npm packages

Monitoring & Detection

  • Continuous Monitoring: Automated monitoring of system health and security events
  • Intrusion Detection: Detection systems identify suspicious activities
  • Audit Logging: Logging of user actions and system events for security review
  • Pattern Recognition: Automated systems identify unusual access patterns
  • Incident Response: Security team responds promptly to identified threats
  • Automated Alerts: Critical security events trigger immediate notifications
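"Pattern recognition" over audit logs is concrete enough to show. The following is an added example, not Citaspace's detection logic or log format: it runs two detections over a constructed set of authentication log lines. The first flags a source IP with many failed logins spread across several accounts inside a sliding window (password spraying); the second flags an account whose run of failures from one IP ends in a success (a guess that worked). The log line format, the documentation-range IPs, the user names and the thresholds are all assumptions.

```javascript
// Added example (not Citaspace code): two detections over constructed
// authentication log lines. Format and thresholds are assumed.
const SAMPLE_LOG = [ // constructed sample, not real logs
  "2026-01-08T10:00:01Z auth.login result=fail ip=203.0.113.7 user=alice",
  "2026-01-08T10:00:02Z auth.login result=fail ip=203.0.113.7 user=bob",
  "2026-01-08T10:00:03Z auth.login result=fail ip=203.0.113.7 user=carol",
  "2026-01-08T10:00:04Z auth.login result=fail ip=203.0.113.7 user=dave",
  "2026-01-08T10:00:05Z auth.login result=fail ip=203.0.113.7 user=erin",
  "2026-01-08T10:00:06Z auth.login result=success ip=203.0.113.7 user=erin",
  "2026-01-08T10:05:00Z auth.login result=fail ip=198.51.100.2 user=frank",
  "2026-01-08T10:05:10Z auth.login result=fail ip=198.51.100.2 user=frank",
  "2026-01-08T10:05:20Z auth.login result=fail ip=198.51.100.2 user=frank",
  "2026-01-08T10:05:30Z auth.login result=success ip=198.51.100.2 user=frank",
  "2026-01-08T11:00:00Z auth.login result=success ip=198.51.100.9 user=alice",
  "this line is not an auth event and must be skipped",
].join("\n");

const LINE_RE = /^(\S+) auth\.login result=(success|fail) ip=(\S+) user=(\S+)$/;

// Parses the assumed line format into events sorted by time; unrelated or
// malformed lines are skipped rather than aborting the whole run.
function parseAuthLog(text) {
  const events = [];
  for (const line of text.split("\n")) {
    const m = LINE_RE.exec(line.trim());
    if (!m) continue;
    const ts = Date.parse(m[1]);
    if (Number.isNaN(ts)) continue;
    events.push({ ts, result: m[2], ip: m[3], user: m[4] });
  }
  return events.sort((a, b) => a.ts - b.ts);
}

// Password spraying: one IP, at least minFailures failures touching at least
// minUsers distinct accounts within a sliding window. One alert per IP.
function detectSpraying(events, { windowMs = 10 * 60 * 1000, minFailures = 5, minUsers = 3 } = {}) {
  const byIp = new Map();
  for (const e of events) {
    if (e.result !== "fail") continue;
    if (!byIp.has(e.ip)) byIp.set(e.ip, []);
    byIp.get(e.ip).push(e);
  }
  const alerts = [];
  for (const [ip, fails] of byIp) {
    let start = 0;
    for (let end = 0; end < fails.length; end++) {
      while (fails[end].ts - fails[start].ts > windowMs) start++; // slide the window
      const inWindow = fails.slice(start, end + 1);
      const users = new Set(inWindow.map((f) => f.user));
      if (inWindow.length >= minFailures && users.size >= minUsers) {
        alerts.push({ ip, failures: inWindow.length, users: [...users] });
        break;
      }
    }
  }
  return alerts;
}

// A run of failures for one (ip, user) pair that ends in a success is what a
// correct guess looks like in the log; flag it for review as a possible takeover.
function detectFailThenSuccess(events, { minFailures = 3 } = {}) {
  const streak = new Map(); // "ip|user" -> consecutive failures so far
  const alerts = [];
  for (const e of events) {
    const key = `${e.ip}|${e.user}`;
    if (e.result === "fail") {
      streak.set(key, (streak.get(key) || 0) + 1);
      continue;
    }
    const fails = streak.get(key) || 0;
    if (fails >= minFailures) {
      alerts.push({ ip: e.ip, user: e.user, failures: fails, successAt: new Date(e.ts).toISOString() });
    }
    streak.delete(key);
  }
  return alerts;
}
```

On the sample, the first detection fires for 203.0.113.7 (five failures against five accounts in four seconds) and the second for frank's account (three failures then a success from 198.51.100.2). Neither rule fires on alice's later success from a different IP, which is the kind of benign event a cruder "any failure then success" rule would drown an analyst in.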

Payment Security

PCI DSS Compliance

We never store credit card numbers. Payment processing is handled by PCI DSS Level 1 certified providers:

  • Stripe: Industry-leading payment processor with advanced fraud detection
  • PayPal: Trusted global payment platform
  • Tokenization: Card data is tokenized and never touches our servers
  • 3D Secure: Optional additional cardholder verification performed by the card issuer at checkout
  • Fraud Detection: Advanced machine learning models detect fraudulent transactions

Compliance & Standards

GDPR Compliant

EU General Data Protection Regulation compliance

CCPA Compliant

California Consumer Privacy Act compliance

PCI DSS Level 1

Card data is handled only by PCI DSS Level 1 certified payment processors

Industry Standards

Following OWASP and NIST security guidelines

Employee Security

  • Background Checks: All employees undergo background verification
  • Security Training: Mandatory security awareness training for all staff
  • Least Privilege Access: Employees only access systems necessary for their role
  • 2FA Required: Two-factor authentication mandatory for all internal systems
  • NDAs: Non-disclosure agreements signed by all team members
  • Device Security: Company devices encrypted and monitored

Third-Party Security

We carefully vet all third-party services:

  • Vendor Assessment: Security review before integration
  • SOC 2 Vendors: Priority given to SOC 2 certified providers
  • Data Processing Agreements: GDPR-compliant DPAs with all processors
  • Limited Data Sharing: Only necessary data shared with third parties
  • Regular Audits: Ongoing security reviews of vendor practices

Incident Response

Breach Notification

In the event of a data breach, we will:

  • Notify affected users promptly as required by applicable law
  • Provide details about what data was compromised
  • Explain remediation steps being taken
  • Offer guidance on protecting accounts
  • Report to regulatory authorities as required by law

Security Incident Process

  1. Detection: Automated systems and manual reporting identify incidents
  2. Containment: Affected systems isolated promptly
  3. Investigation: Forensic analysis determines scope and cause
  4. Remediation: Vulnerabilities addressed and services restored
  5. Review: Lessons learned documented and improvements implemented

User Security Best Practices

You can help protect your account:

✅ Do:

  • Use a strong, unique password (12+ characters with letters, numbers, symbols)
  • Enable two-factor authentication when available
  • Keep your email account secure
  • Review account activity regularly
  • Log out on shared/public computers
  • Report suspicious activity immediately
  • Keep your browser and OS updated

❌ Don't:

  • Share your password with anyone
  • Use the same password across multiple sites
  • Click suspicious links in emails
  • Access your account on public WiFi without VPN
  • Ignore security warnings from browsers
  • Save passwords in unsecured locations

Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please:

  1. Email [email protected] with details (do NOT post publicly)
  2. Include steps to reproduce the vulnerability
  3. Allow reasonable time to address the issue before public disclosure
  4. Avoid accessing or modifying user data

We will acknowledge your report promptly and provide updates as we work on a resolution. Responsible researchers may be eligible for recognition.

Continuous Improvement

Security is an ongoing process. We continuously:

  • Conduct regular security audits and penetration testing
  • Update dependencies and patch vulnerabilities promptly
  • Train staff on emerging threats
  • Review and improve our security policies
  • Stay informed about industry best practices
  • Engage third-party security experts for assessments

Contact Security Team

Security Issues: [email protected]

Privacy Questions: [email protected]

General Support: [email protected]

This security page was last updated on January 8, 2026. We regularly review and update our security practices.