Pommy.ai

Security Policy

Last updated: March 7, 2026

1. Security Approach

Pommy applies current security standards and industry best practice to protect customer service data. Security is built into every layer of the platform, from design through to operations.

Our platform is developed according to "security by design" and "defense in depth" principles.

2. Infrastructure Security

  • Cloudflare Edge Network: The Platform operates on Cloudflare's global edge network spanning 300+ locations
  • DDoS Protection: Enterprise-grade DDoS mitigation system by Cloudflare
  • WAF (Web Application Firewall): Application layer protection with OWASP Top 10 and custom rule sets
  • TLS 1.3: All traffic is encrypted in transit with TLS 1.3; TLS 1.2 and below are disabled
  • Automatic certificate management: SSL/TLS certificates are automatically renewed
  • Network isolation: Service components run in isolation; inter-service communication requires authentication

3. Data Encryption

In Transit

  • All HTTP and WebSocket traffic encrypted with TLS 1.3
  • HSTS (HTTP Strict Transport Security) is enforced
  • Certificate pinning is applied

At Rest

  • Databases are encrypted at rest with AES-256
  • Backups stored in encrypted form
  • Sensitive data (API keys, tokens) protected with additional encryption layers

4. Access Controls

  • Role-based access control (RBAC): Granular access control with owner, admin, and agent roles
  • Secure session management: Session cookies carry the HttpOnly, Secure and SameSite attributes
  • Automatic session timeout: Sessions automatically terminate after a defined period
  • Least-privilege principle: Users are granted only the minimum access required for their tasks
  • Multi-session management: View active sessions and terminate remotely
  • API access control: Authentication via API keys with rate limiting

5. Application Security

  • Input validation: All user inputs are validated and sanitized server-side
  • XSS protection: Content Security Policy (CSP) headers and output encoding are applied
  • CSRF protection: SameSite cookie policy and origin verification
  • SQL Injection protection: Parameterized queries and ORM usage
  • Rate limiting: Brute-force and abuse protection on API endpoints
  • Security headers: Referrer-Policy, X-Content-Type-Options, X-Frame-Options headers are applied
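The controls listed in sections 4 and 5 (security headers, session cookie attributes, origin verification for CSRF) are shown below in working form. This is an added, illustrative example and not Pommy's own middleware; the header values, the cookie name, the site origin and the constructed request/response objects are assumptions. It uses the WHATWG Headers and Response objects that Cloudflare Workers and Node 18+ both provide.

```javascript
// Added example of the section 4/5 controls. Illustrative code, not Pommy's
// middleware; header values, cookie name and the site origin are assumptions.
// Uses the WHATWG Headers/Response objects shared by Cloudflare Workers and
// Node 18+.

// Headers applied to every HTML response (values assumed; tune CSP to the
// scripts and assets the application actually loads).
const SECURITY_HEADERS = {
  'Content-Security-Policy':
    "default-src 'self'; script-src 'self'; object-src 'none'; base-uri 'self'; frame-ancestors 'none'",
  'Strict-Transport-Security': 'max-age=31536000; includeSubDomains',
  'X-Content-Type-Options': 'nosniff',
  'X-Frame-Options': 'DENY',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
};

// Return a copy of `response` carrying all of SECURITY_HEADERS. Existing
// values for those names are overwritten so a downstream handler cannot relax them.
function hardenResponse(response) {
  const headers = new Headers(response.headers);
  for (const [name, value] of Object.entries(SECURITY_HEADERS)) headers.set(name, value);
  return new Response(response.body, { status: response.status, headers });
}

// Names from SECURITY_HEADERS that a response is missing (empty once hardened).
function missingSecurityHeaders(response) {
  return Object.keys(SECURITY_HEADERS).filter((name) => !response.headers.has(name));
}

// Set-Cookie value for a session cookie: unreadable from script (HttpOnly),
// sent only over TLS (Secure) and never on cross-site requests
// (SameSite=Strict). The __Host- prefix makes the browser also require Secure,
// Path=/ and no Domain attribute, so a subdomain cannot plant the cookie.
function sessionCookie(name, value, maxAgeSeconds) {
  if (!/^[A-Za-z0-9_-]+$/.test(name) || !/^[A-Za-z0-9_-]+$/.test(value)) {
    throw new Error('cookie name and value must be simple tokens');
  }
  return `__Host-${name}=${value}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure; SameSite=Strict`;
}

// Origin verification for state-changing requests: the Origin header, or
// failing that the Referer's origin, must equal the site's own origin. A
// request carrying neither header is rejected rather than trusted.
function isSameOrigin(requestHeaders, siteOrigin) {
  const origin = requestHeaders.get('Origin');
  if (origin) return origin === siteOrigin;
  const referer = requestHeaders.get('Referer');
  if (!referer) return false;
  try {
    return new URL(referer).origin === siteOrigin;
  } catch {
    return false;
  }
}

// Worked run on a constructed response and two constructed request header sets.
const SITE_ORIGIN = 'https://app.example.com'; // assumed site origin
const plain = new Response('<html></html>', { headers: { 'Content-Type': 'text/html' } });
const hardened = hardenResponse(plain);
const crossSite = new Headers({ Origin: 'https://attacker.example' });
const sameSite = new Headers({ Referer: `${SITE_ORIGIN}/settings` });

console.log(missingSecurityHeaders(plain));        // all five names
console.log(missingSecurityHeaders(hardened));     // []
console.log(isSameOrigin(crossSite, SITE_ORIGIN)); // false
console.log(isSameOrigin(sameSite, SITE_ORIGIN));  // true
console.log(sessionCookie('sid', 'k9Qx2-abc', 3600));
```

The origin check deliberately fails closed when a request carries neither Origin nor Referer; browsers always send Origin on cross-site POSTs, so a missing header indicates a non-browser client or a stripped header, neither of which should pass a CSRF check.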

6. Audit and Monitoring

  • Comprehensive audit log: All critical operations (logins, data access, setting changes) are logged
  • Real-time monitoring: Anomalous activities and security events are automatically detected
  • Error and performance monitoring: System health is continuously tracked
  • Log retention: Security logs are retained for a minimum of 90 days
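As an added illustration of the brute-force protection in section 5 and the automatic detection of security events in section 6, the following detector runs over constructed audit-log lines and raises an alert when one source IP accumulates repeated failed logins inside a sliding window. This is not Pommy's own tooling; the log format, field names, thresholds and sample addresses are assumptions.

```javascript
// Added example, not Pommy's tooling: sliding-window failed-login detector over
// constructed JSON-lines audit log entries. Format, fields and thresholds are
// assumptions.

// Constructed log. 203.0.113.7 fails six times in 25 seconds across two
// accounts; 198.51.100.9 fails three times spread over six minutes. Lines are
// deliberately not in time order.
const AUDIT_LOG = [
  '{"ts":"2026-03-07T10:00:05Z","event":"login.failed","ip":"203.0.113.7","user":"alice"}',
  '{"ts":"2026-03-07T10:00:00Z","event":"login.failed","ip":"203.0.113.7","user":"alice"}',
  '{"ts":"2026-03-07T10:00:02Z","event":"login.failed","ip":"198.51.100.9","user":"carol"}',
  '{"ts":"2026-03-07T10:00:10Z","event":"login.failed","ip":"203.0.113.7","user":"alice"}',
  '{"ts":"2026-03-07T10:00:15Z","event":"login.failed","ip":"203.0.113.7","user":"bob"}',
  '{"ts":"2026-03-07T10:00:20Z","event":"login.failed","ip":"203.0.113.7","user":"bob"}',
  '{"ts":"2026-03-07T10:00:25Z","event":"login.failed","ip":"203.0.113.7","user":"bob"}',
  '{"ts":"2026-03-07T10:00:30Z","event":"login.success","ip":"203.0.113.7","user":"bob"}',
  '{"ts":"2026-03-07T10:03:00Z","event":"login.failed","ip":"198.51.100.9","user":"carol"}',
  '{"ts":"2026-03-07T10:06:00Z","event":"login.failed","ip":"198.51.100.9","user":"carol"}',
];

const WINDOW_MS = 60 * 1000; // sliding window: one minute (assumed)
const THRESHOLD = 5;         // failed logins inside the window that raise an alert (assumed)

// Parse JSON lines into events with numeric timestamps. Malformed lines are
// skipped rather than aborting the run, so one bad entry cannot blind the detector.
function parseAuditLog(lines) {
  const events = [];
  for (const line of lines) {
    try {
      const e = JSON.parse(line);
      const ts = Date.parse(e.ts);
      if (!Number.isNaN(ts) && typeof e.ip === 'string') events.push({ ...e, ts });
    } catch {
      // unparsable line: skip
    }
  }
  return events;
}

// Raise one alert per source IP each time its failed logins inside the window
// reach the threshold. Events are sorted by time first so out-of-order delivery
// does not split a burst.
function detectBruteForce(events, windowMs = WINDOW_MS, threshold = THRESHOLD) {
  const recent = new Map();  // ip -> timestamps of failures still inside the window
  const targets = new Map(); // ip -> usernames tried from that ip
  const alerts = [];
  for (const e of [...events].sort((a, b) => a.ts - b.ts)) {
    if (e.event !== 'login.failed') continue;
    const times = recent.get(e.ip) || [];
    while (times.length && e.ts - times[0] > windowMs) times.shift(); // evict expired
    times.push(e.ts);
    recent.set(e.ip, times);
    const users = targets.get(e.ip) || new Set();
    users.add(e.user);
    targets.set(e.ip, users);
    if (times.length === threshold) {
      alerts.push({
        ip: e.ip,
        attempts: times.length,
        users: [...users],
        from: new Date(times[0]).toISOString(),
        to: new Date(e.ts).toISOString(),
      });
    }
  }
  return alerts;
}

console.log(detectBruteForce(parseAuditLog(AUDIT_LOG)));
```

The detector keys on source IP and also reports the set of usernames tried, which distinguishes a single-account brute force from credential stuffing across accounts; the same per-key sliding window is the structure a rate limiter would use to block rather than merely report.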

7. Operational Security

  • Regular security assessments and code reviews
  • Dependency security scanning and automated updates
  • Security patches are applied with priority
  • Development, testing, and production environments are isolated from each other
  • All code changes are tracked through version control

8. Incident Response Plan

In the event of a security breach or data leak, the following procedure is applied:

  1. Detection and Containment: The incident is immediately detected and the impact area is contained
  2. Assessment: The scope, affected data, and impacted users are determined
  3. Notification: The competent supervisory authority is notified within 72 hours of Pommy becoming aware of the breach (GDPR Article 33), and affected users are notified without undue delay where the breach is likely to result in a high risk to them (GDPR Article 34)
  4. Remediation: The security vulnerability is resolved and additional protective measures are implemented
  5. Review: A post-incident analysis is conducted and processes are updated to prevent recurrence

9. Multi-Tenant Isolation

Pommy uses a multi-tenant architecture. Each organization's data is logically isolated:

  • Cross-tenant data access is blocked: a request made under one organization cannot read or modify another organization's records
  • Every record carries the identifier of the organization it belongs to
  • Tenant isolation is enforced at both the API and database layers
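The following added example shows what enforcing tenant isolation at the data access layer looks like in practice, alongside the unscoped lookup it replaces. It is illustrative code, not Pommy's own data layer; the table and column names, the session shape and the sample rows are all assumptions.

```javascript
// Added example, not Pommy's own code: tenant isolation enforced in the data
// access layer so that a row from another organisation is unreachable even if
// the caller supplies its id. Table, columns, session shape and rows are assumptions.

// Constructed sample rows for one table shared by two organisations.
const CONVERSATIONS = [
  { id: 'c1', org_id: 'org_a', subject: 'Refund request' },
  { id: 'c2', org_id: 'org_a', subject: 'Login problem' },
  { id: 'c3', org_id: 'org_b', subject: 'Invoice question' },
];

// Columns a caller may filter on. org_id is deliberately absent so a caller
// cannot supply its own tenant predicate; anything else is rejected, and the
// query text is built only from this fixed vocabulary plus numbered placeholders.
const FILTERABLE = new Set(['id', 'subject']);

// Build a parameterised query whose first predicate is always the tenant id.
// `orgId` must come from the authenticated session, never from the request.
function scopedQuery(table, orgId, filters = {}) {
  if (typeof orgId !== 'string' || orgId === '') throw new Error('missing tenant id');
  const params = [orgId];
  const clauses = ['org_id = $1'];
  for (const [column, value] of Object.entries(filters)) {
    if (!FILTERABLE.has(column)) throw new Error(`filter on ${column} not allowed`);
    params.push(value);
    clauses.push(`${column} = $${params.length}`);
  }
  return { text: `SELECT * FROM ${table} WHERE ${clauses.join(' AND ')}`, params };
}

// In-memory stand-in for the database driver: evaluates the "column = $n"
// predicates that scopedQuery emits against `rows`.
function execute(query, rows) {
  const predicates = [...query.text.matchAll(/(\w+) = \$(\d+)/g)]
    .map(([, column, n]) => [column, query.params[Number(n) - 1]]);
  return rows.filter((row) => predicates.every(([column, value]) => row[column] === value));
}

// Unscoped lookup: the pattern section 9 rules out. Given a guessed or leaked
// id it returns another organisation's row.
function findConversationUnscoped(id) {
  return CONVERSATIONS.find((row) => row.id === id) || null;
}

// Scoped lookup: the tenant id is taken from the session. A row belonging to
// another organisation is simply absent (null), indistinguishable from a
// non-existent id, so the response does not even confirm that the id exists.
function findConversation(session, id) {
  const rows = execute(scopedQuery('conversations', session.orgId, { id }), CONVERSATIONS);
  return rows[0] || null;
}

// Worked run: a session for org_a asks for org_b's conversation.
const sessionA = { userId: 'u1', orgId: 'org_a', role: 'agent' }; // constructed session
console.log(findConversationUnscoped('c3')?.subject);   // Invoice question (cross-tenant leak)
console.log(findConversation(sessionA, 'c3'));           // null
console.log(findConversation(sessionA, 'c1')?.subject);  // Refund request
console.log(scopedQuery('conversations', 'org_a', { id: 'c3' }).text);
```

The same scoped query builder gives the API layer its guarantee for free: every handler that reaches the database goes through scopedQuery with the session's organisation, so there is no code path that issues a query without the tenant predicate.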

10. Vulnerability Disclosure

If you discover a security vulnerability in our platform, please report it via responsible disclosure to security@dev.pommy.ai. Valid security reports are evaluated and resolved as quickly as possible.

11. Contact

Pommy.ai Security Team

Security: security@dev.pommy.ai

General: support@dev.pommy.ai
