Security Policy

Introduction

At HeadShotlyAI ("we," "us," or "our"), the security of your personal data is our top priority. We are committed to protecting your information and ensuring the confidentiality, integrity, and availability of our services. This Security Policy outlines the technical and organizational measures we implement to safeguard your data when you use our website www.headshotly.ai and related services (collectively, the "Service"). This policy is designed to comply with both the European General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA)/California Privacy Rights Act (CPRA).

1. Compliance with Laws and Standards

1.1. GDPR Compliance

• We comply with the General Data Protection Regulation (GDPR) and relevant Polish data protection laws.
• Data Protection Impact Assessments (DPIAs) are conducted where necessary.
• We have appointed a Data Protection Officer (DPO) who oversees compliance efforts.
• Personal data is processed lawfully, fairly, and transparently.
• We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.

1.2. CCPA/CPRA Compliance

• We comply with the California Consumer Privacy Act (CCPA) and the California Privacy Rights Act (CPRA).
• We implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information.
• California residents are provided with specific rights regarding their personal information, including the right to know, delete, and correct their personal information.
• We do not sell or share personal information of California residents.
• We provide notice of our data collection practices and the purposes for which personal information is used.

1.3. Industry Standards

• Our security practices align with industry standards such as ISO 27001 and OWASP guidelines.
• We ensure that our service providers also comply with relevant security and privacy standards.

2. Infrastructure Security

2.1. Hosting Environment

• Our services are hosted on Amazon Web Services (AWS), utilizing their secure and scalable infrastructure.
• AWS data centers provide robust physical security measures, including biometric access controls and surveillance.

2.2. Data Center Location

• All data is stored within AWS facilities located in the European Union (EU) to ensure data residency compliance.

2.3. Network Security

• Firewalls and Virtual Private Clouds (VPCs) are configured to segment and protect our network.
• Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) monitor network traffic for suspicious activities.

2.4. Access Controls

• Strict access controls are enforced using the principle of least privilege.
• Multi-factor authentication (MFA) is required for administrative access to critical systems.
• Access to production environments is limited to authorized personnel only.

3. Data Encryption

3.1. Encryption in Transit

• All data transmitted between your device and our servers is encrypted using Transport Layer Security (TLS) 1.2 or higher.
• Secure protocols such as HTTPS are enforced across all user interactions.

3.2. Encryption at Rest

• Data stored on our servers, including your uploaded images and personal data, is encrypted at rest using Advanced Encryption Standard (AES) 256-bit encryption.
• Encryption keys are managed securely using AWS Key Management Service (KMS).

4. Application Security

4.1. Secure Development Lifecycle

• We follow a Secure Software Development Lifecycle (SSDLC) incorporating security at every development stage.
• Developers receive regular training on secure coding practices and emerging threats.

4.2. Code Reviews and Testing

• Regular code reviews are conducted to identify and remediate security vulnerabilities.
• Static Application Security Testing (SAST) and Dynamic Application Security Testing (DAST) tools are used.

4.3. Penetration Testing

• Third-party penetration tests are conducted periodically to assess the security of our applications and infrastructure.
• Findings are prioritized and remediated promptly.

5. Data Access and Confidentiality

5.1. Employee Access

• Employee access to personal data is limited and granted on a need-to-know basis.
• All employees and contractors are required to sign confidentiality agreements.

5.2. Background Checks

• Pre-employment background checks are performed on all personnel with access to sensitive data.

5.3. Access Monitoring

• All access to personal data is logged and monitored.
• Anomalies and unauthorized access attempts are investigated immediately.

6. Data Backup and Recovery

6.1. Regular Backups

• Critical data is backed up regularly using secure, encrypted storage solutions.
• Backups are stored in geographically separate locations within the EU to ensure data availability.

6.2. Disaster Recovery Plan

• A comprehensive Disaster Recovery Plan (DRP) is in place to restore services in the event of a catastrophic incident.
• Regular drills and tests are conducted to validate the effectiveness of the DRP.

7. Payment Processing Security

7.1. Secure Payment Processing

• All payment transactions are processed securely through Stripe, a PCI DSS Level 1 certified payment processor.
• Payment data is transmitted directly to Stripe over encrypted channels; we do not store or process full payment card details on our servers.

8. Incident Response and Notification

8.1. Incident Response Plan

• A formal Incident Response Plan (IRP) is established to address security incidents promptly and effectively.
• The IRP outlines roles, responsibilities, and procedures for detection, containment, eradication, recovery, and communication.

8.2. Monitoring and Detection

• Continuous security monitoring tools are deployed to detect and alert on potential security incidents.
• Security Information and Event Management (SIEM) systems aggregate logs and provide real-time analysis.

8.3. Breach Notification

• GDPR Compliance: In the event of a personal data breach, we will notify the relevant supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. If the breach is likely to result in a high risk, we will also notify the affected individuals without undue delay.
• CCPA/CPRA Compliance: For California residents, in the event of a data breach involving unencrypted personal information as defined under California law, we will provide timely notification to affected individuals in accordance with CCPA/CPRA and applicable California data breach notification laws.

9. Third-Party Service Providers

9.1. Vendor Management

• We conduct due diligence on all third-party service providers to ensure they meet our security and privacy standards.
• Data Processing Agreements (DPAs) are in place with all vendors who process personal data on our behalf.
• We ensure that our service providers comply with GDPR and CCPA/CPRA requirements, including implementing appropriate security measures.

9.2. Regular Assessments

• Ongoing assessments and audits are performed to verify the security posture of critical service providers.

10. Customer Responsibilities

10.1. Account Security

• You are responsible for maintaining the confidentiality of your account credentials.
• We recommend using strong, unique passwords and updating them regularly.

10.2. Two-Factor Authentication

• Where available, we encourage you to enable two-factor authentication (2FA) for additional account security.

10.3. Reporting Vulnerabilities

• If you discover any security vulnerabilities or incidents, please report them immediately to security@headshotly.ai.
• We appreciate your assistance in keeping our platform secure.

11. Updates to This Security Policy

We may update this Security Policy periodically to reflect changes in our practices or regulatory requirements. We will notify you of any significant changes by:

• Posting the updated policy on this page
• Updating the "Effective Date" at the top of this policy
• Sending an email notification if you have provided your email address

12. Contact Us

If you have any questions, concerns, or suggestions regarding our Security Policy or security practices, please contact us:

Email: security@headshotly.ai

Postal Address:

For California residents seeking information about their rights under CCPA/CPRA, please refer to our Privacy Policy or contact us at privacy@headshotly.ai.

Thank you for trusting HeadShotlyAI with your personal data. We are committed to maintaining the highest levels of security to protect your information.