Security Policy

1. Introduction

At StatsPing, security is our top priority. This Security Policy outlines the measures we take to protect your data and maintain the security and integrity of our API monitoring platform.

2. Data Security

2.1 Encryption in Transit

All data transmitted to and from StatsPing is encrypted:

• ✅ TLS 1.3 - Latest transport layer security protocol
• ✅ HTTPS Only - All web traffic uses HTTPS
• ✅ WebSocket Secure (WSS) - Real-time connections encrypted
• ✅ Strong Cipher Suites - Modern, secure cipher suites only
• ✅ Perfect Forward Secrecy - Session keys cannot be compromised
• ✅ Certificate Pinning - In mobile applications

2.2 Encryption at Rest

Sensitive data is encrypted when stored:

• Database Encryption - PostgreSQL Transparent Data Encryption (TDE)
• Credential Encryption - API keys, tokens, passwords encrypted with AES-256
• Backup Encryption - All backups encrypted with AES-256
• Key Management - Encryption keys managed securely using AWS KMS or HashiCorp Vault
• Key Rotation - Regular rotation of encryption keys

2.3 Password Security

Password Requirements:

• Minimum 8 characters (12+ recommended)
• Mix of uppercase, lowercase, numbers, and special characters
• Cannot be common passwords (checked against breach databases)
• Cannot be previously used passwords

Password Storage:

• Hashed using bcrypt with cost factor 12
• Salted (unique salt per password)
• Never stored in plain text
• Never logged or exposed in errors
• Cannot be recovered (only reset)

2.4 Multi-Factor Authentication (MFA)

Available MFA Methods:

• 📱 TOTP - Time-based One-Time Passwords (Google Authenticator, Authy, 1Password)
• 📧 Email OTP - One-time codes via email
• 📞 SMS OTP - One-time codes via SMS (Pro/Enterprise)
• 🔑 Hardware Security Keys - FIDO2/WebAuthn support (Enterprise)

3. Application Security

3.1 Protection Against Common Attacks

3.2 Vulnerability Management

Our Process:

1. Detection - Automated scanning, manual testing, responsible disclosure
2. Assessment - Severity rating using CVSS
3. Prioritization - Critical vulnerabilities addressed within 24 hours
4. Remediation - Patches developed, tested, and deployed
5. Verification - Confirm vulnerability is resolved
6. Disclosure - Transparent communication

4. Authentication and Authorization

4.1 Authentication Methods

• Email/Password with optional MFA
• OAuth 2.0 (Google, GitHub)
• API Keys for programmatic access
• JWT Tokens for API authentication
• Refresh Tokens for long-lived sessions

4.2 Role-Based Access Control (RBAC)

5. Infrastructure Security

5.1 Cloud Infrastructure (AWS)

• VPC Isolation - Isolated virtual private cloud
• Security Groups - Firewall rules restricting access
• Private Subnets - Database and backend in private subnets
• Bastion Hosts - Secure administrative access
• AWS Shield - DDoS protection
• AWS WAF - Web application firewall

5.2 Database Security

PostgreSQL Hardening:

• ✅ Encrypted connections (SSL/TLS required)
• ✅ Strong authentication (password + IAM)
• ✅ Principle of least privilege
• ✅ Regular security updates
• ✅ Audit logging enabled
• ✅ Automated backups
• ✅ Point-in-time recovery capability
• ✅ Row-level security for multi-tenancy

6. Monitoring and Incident Response

6.1 Security Monitoring

24/7 Monitoring:

• Real-time security event monitoring
• Automated threat detection
• Anomaly detection using machine learning
• Failed login attempt monitoring
• Unusual API usage pattern detection
• Centralized logging (1 year retention)

6.2 Incident Response

Response Times:

• Critical Incidents: Response within 1 hour
• High Severity: Response within 4 hours
• Medium Severity: Response within 24 hours
• Low Severity: Response within 1 week

Customer Communication:

• Notify affected customers within 72 hours of confirmed breach
• Provide details about what happened
• Explain what data was affected
• Outline steps we're taking
• Advise customers on protective measures

7. Data Protection and Privacy

7.1 Compliance

Standards and Regulations:

• 🇪🇺 GDPR - EU General Data Protection Regulation ✅
• 🇺🇸 CCPA/CPRA - California privacy laws ✅
• 🔒 SOC 2 Type II - In progress (target: Q3 2026)
• 💳 PCI-DSS - For payment processing (via Stripe) ✅
• 🏥 HIPAA - Available for Enterprise customers

7.2 Data Retention

8. Business Continuity

8.1 Backups

• Frequency: Daily automated backups
• Retention: 30 days
• Encryption: AES-256 encrypted
• Storage: Geographically distributed (multiple AWS regions)
• Testing: Monthly backup restoration tests

8.2 High Availability

• Multi-availability zone deployment
• Database replication (read replicas)
• Load balancing across multiple servers
• Auto-scaling to handle traffic
• Failover mechanisms

8.3 Disaster Recovery

• Recovery Time Objective (RTO): 4 hours
• Recovery Point Objective (RPO): 1 hour
• Documented disaster recovery procedures
• Quarterly disaster recovery drills

9. Penetration Testing and Audits

• Penetration Testing: Annual third-party penetration tests
• Security Audits: Internal security audits quarterly
• Bug Bounty Program: Coming soon (planned for 2026) with rewards $50 - $5,000

10. Your Security Responsibilities

To keep your account secure, you should:

• ✅ Use strong, unique passwords
• ✅ Enable multi-factor authentication
• ✅ Keep your credentials confidential
• ✅ Use API keys with appropriate scopes
• ✅ Regularly review account activity
• ✅ Report suspicious activity immediately
• ✅ Keep your software and devices updated
• ✅ Secure your integration credentials (Slack, Discord, etc.)

11. Report a Security Vulnerability

What to Include:

• Description of the vulnerability
• Steps to reproduce
• Potential impact
• Any proof-of-concept code
• Your contact information