Security Policy

Last updated: July 12, 2025

1. Security Commitment

At Unstruk Data, Inc., the operator of Zine, we take the security of your data and our platform seriously. This Security Policy outlines our comprehensive approach to protecting your information and maintaining the integrity of our services.

2. Data Protection

2.1 Encryption

  • Data in Transit: All data transmitted between your device and our servers is encrypted using TLS 1.3
  • Data at Rest: All stored data is encrypted using AES-256 encryption
  • Database Encryption: Our databases use encryption at rest with managed encryption keys
  • File Storage: Uploaded files are encrypted before storage in secure cloud infrastructure

2.2 Access Controls

  • Multi-factor authentication (MFA) required for all administrative access
  • Role-based access control (RBAC) for internal systems
  • Principle of least privilege for all system access
  • Regular access reviews and deprovisioning procedures

3. Infrastructure Security

3.1 Cloud Security

Our platform is built on enterprise-grade cloud infrastructure:

  • SOC 2 Type II compliant hosting providers
  • ISO 27001 certified data centers
  • Redundant infrastructure across multiple availability zones
  • Regular infrastructure security assessments

3.2 Network Security

  • Web Application Firewall (WAF) protection
  • DDoS protection and mitigation
  • Network segmentation and isolation
  • Intrusion detection and prevention systems
  • Regular vulnerability scanning and penetration testing

4. Application Security

4.1 Secure Development

  • Security by design principles in all development
  • Regular security code reviews
  • Automated security testing in CI/CD pipelines
  • Dependency scanning for known vulnerabilities
  • Static and dynamic application security testing (SAST/DAST)

4.2 Authentication & Authorization

  • OAuth 2.0 and OpenID Connect protocols
  • JWT-based authentication with secure signing
  • Session management with secure cookies
  • Rate limiting and brute force protection
  • Account lockout policies for suspicious activity

5. AI Model Security

5.1 Data Handling

  • Secure transmission of prompts to AI model providers
  • No permanent storage of sensitive data by model providers
  • Content filtering and safety measures
  • Isolation of user data across different model requests

5.2 Model Provider Security

We partner only with reputable AI providers who maintain:

  • SOC 2 Type II compliance
  • Data processing agreements (DPAs)
  • Enterprise-grade security certifications
  • Regular security audits and assessments

6. Monitoring and Incident Response

6.1 Security Monitoring

  • 24/7 security monitoring and alerting
  • Real-time threat detection and analysis
  • Monitoring for suspicious activities and unauthorized access attempts
  • Comprehensive logging and audit trails
  • Anomaly detection for unusual access patterns

6.2 Incident Response

Our incident response process includes:

  • Immediate containment and assessment procedures
  • Rapid response team activation
  • Stakeholder communication protocols
  • Post-incident analysis and improvement
  • Regulatory notification when required

7. Compliance and Certifications

We maintain compliance with industry standards and regulations:

  • GDPR: General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • SOC 2 Type II: Security, availability, and confidentiality controls
  • OWASP: Following OWASP Top 10 security guidelines
  • Industry Standards: Adherence to NIST Cybersecurity Framework

8. Employee Security

8.1 Training and Awareness

  • Regular security training for all employees
  • Phishing simulation and awareness programs
  • Security policy acknowledgment and updates
  • Incident reporting procedures

8.2 Access Management

  • Background checks for security-sensitive roles
  • Mandatory MFA for all corporate accounts
  • Regular access reviews and certifications
  • Secure offboarding procedures

9. Third-Party Security

We carefully vet all third-party providers and require:

  • Security assessments and due diligence
  • Data processing agreements (DPAs)
  • Regular security certifications
  • Incident notification requirements
  • Right to audit security controls

10. Business Continuity

10.1 Backup and Recovery

  • Automated daily backups with encryption
  • Multi-region backup storage
  • Regular backup restoration testing
  • Recovery time objectives (RTO) and recovery point objectives (RPO)

10.2 Disaster Recovery

  • Comprehensive disaster recovery plan
  • Failover procedures and testing
  • Communication plans for service disruptions
  • Regular DR drills and plan updates

11. Vulnerability Management

Our vulnerability management program includes:

  • Regular vulnerability scanning and assessment
  • Patch management and update procedures
  • Third-party security audits and penetration testing
  • Bug bounty program for responsible disclosure
  • Rapid response to critical vulnerabilities

12. Responsible Disclosure Program

We welcome security researchers, ethical hackers, and technology enthusiasts to participate in our responsible disclosure program. We provide safe harbor for security testing conducted in good faith and offer recognition for vulnerability discoveries.

Reporting Security Issues

If you discover a security vulnerability, please report it immediately to our security team:

Security Email: security@zine.ai

PGP Key: Available upon request

Response Time: We acknowledge reports within 24 hours

What to Include in Your Report

  • A detailed description of the vulnerability
  • Clear steps to reproduce the issue
  • Any relevant screenshots, logs, or proof-of-concept code
  • Potential impact assessment
  • Your contact information for follow-up

Our Commitment

We commit to:

  • Acknowledging receipt within 24 hours
  • Working with you to validate and resolve the issue
  • Providing regular updates on remediation progress
  • Giving appropriate credit if desired
  • Treating all legitimate reports with appropriate urgency

We value the security community's contributions in keeping Zine secure. All legitimate reports will be thoroughly investigated and addressed with appropriate urgency.

13. User Security Responsibilities

To help maintain the security of your account and our platform:

  • Use secure authentication providers you trust
  • Keep your OAuth provider account secure with strong passwords and two-factor authentication
  • Never share access to your authorized Zine sessions
  • Use strong, unique passwords for your accounts
  • Keep your devices and browsers updated with the latest security patches
  • Log out of shared or public devices after use
  • Report suspicious activities immediately to our security team
  • Be cautious when uploading sensitive information

14. Security Updates

This Security Policy is reviewed and updated regularly to reflect our evolving security practices and industry best practices. Material changes will be communicated to users through our platform and website.

15. Contact Information

For questions about our security practices or this Security Policy, please contact:

Unstruk Data, Inc.
Email: security@zine.ai
Subject: Security Policy Inquiry
Website: https://www.zine.ai