Security Principles
- Confidentiality – Only authorized parties can access user data.
- Integrity – Data cannot be altered without authorization.
- Availability – Platform is reliable and recoverable.
- Accountability – All access and changes are logged and traceable.
- Privacy by Design – Privacy integrated into every development stage.
- Zero-Trust – Continuous verification of identities and devices.
Infrastructure Security
- Hosted on AWS Cloud with IAM-based access control.
- Environment separation: development, staging, production.
- Network isolation with VPCs and security groups.
- Admin access: IAM roles + MFA.
- Planned: migration to microservices via AWS Lambda and API Gateway.
Data Protection
- In transit: HTTPS/TLS 1.2+ with HSTS and CORS.
- At rest: AWS RDS (AES-256) and S3 SSE-KMS (planned rollout).
- Secrets: AWS Secrets Manager.
- Access controls: RBAC, least-privilege enforced.
Data Retention & Deletion
- Account, payment metadata, and analytics are retained for one (1) year.
- Deletion requests are manually validated and processed; automation for GDPR Right to Erasure is on the roadmap.
Application Security
- Sign-in via Google (Gmail), Apple, and verified email with OTP.
- JWT + refresh tokens for sessions (rotation on roadmap).
- Rate limiting and API Gateway protections planned.
- Payments: tokenized via Stripe; no card data stored by Fox Scope.
- Mobile hardening (post-launch): code obfuscation, certificate pinning, tamper detection.
Monitoring & Incident Management
- Sentry for app monitoring; AWS CloudWatch/CloudTrail for infra (planned).
- Email alerts notify the CTO on suspicious activity/failed transactions.
- SIEM (AWS Security Hub or Datadog) post-launch.
Incident Response Steps
- Detection – Alert received.
- Assessment – Scope severity and affected systems.
- Containment – Restrict access/isolate systems.
- Notification – Inform affected users and regulators within 72 hours if required by GDPR/PDPL.
- Remediation – Patch, recover, and conduct a post-incident review.
Backup & Disaster Recovery
- Automated RDS snapshots and incremental backups (encrypted).
- Cross-region S3 backup (planned).
- RTO: 4 hours · RPO: 1 hour.
Privacy by Design & Data Minimization
- We collect only essential data.
- Analytics are linked to Scope IDs, not directly to personal data.
- Privacy & security reviews are integrated into development and UAT.
Vendor & Third-Party Management
- Vendors are vetted for security credibility and certifications.
- Core partners: AWS (hosting), Stripe (payments), Google Maps (location).
- Vendor Risk Assessment framework will evaluate data handling, certifications, and breach history.
Compliance & Certifications
- Aligns with GDPR (EU), CCPA (California), UAE PDPL.
- Roadmap toward ISO 27001 and SOC 2 Type II.
Continuous Improvement
- Annual penetration testing before/after major releases.
- Regular patching, dependency management, and access reviews.
- Security training for all employees twice per year.
Security Roadmap
- Phase 1 (Pre-Launch): S3 migration, TLS verification, IAM hardening, Sentry alerts.
- Phase 2 (Post-Launch): Microservices, API Gateway, SIEM setup, refresh-token rotation.
- Phase 3 (Maturity): ISO 27001 audit prep, automated retention, Zero-Trust rollout.
User-Facing Summary
We use encryption, tokenized payments, and strict access control to protect your data. Your location data is never shared without your control, and you can request deletion at any time. We continuously monitor and improve to stay compliant with global standards.
