Security

Last Updated: November 27, 2025

At ecomVance, security is a top priority. This Security Policy describes the measures we take to protect your data, our infrastructure, and our services. ecomVance is a product of BEY AGENCY LTD (Company number 16435596), a Private Limited Company registered in the United Kingdom at Suite 90415 Brayford Square, London, E1 0SG. This policy should be read in conjunction with our Privacy Policy and Terms of Service.

1. Infrastructure Security

1.1 Cloud Infrastructure: Our services are hosted on enterprise-grade cloud infrastructure from leading providers. We utilize multi-region deployment, automatic failover, and redundant systems to ensure high availability and resilience.

1.2 Network Protection:

  • DDoS protection and mitigation at the network edge
  • Web Application Firewall (WAF) filtering malicious traffic
  • Network segmentation to isolate critical systems
  • Continuous network monitoring and intrusion detection

1.3 Third-Party Providers: Our infrastructure relies on Third-Party Providers (e.g., Fal AI) for AI processing. We select providers that maintain industry-standard security practices and require them to adhere to our security requirements through contractual obligations.

2. Data Encryption

2.1 Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS 1.3 (or TLS 1.2 minimum). We enforce HTTPS for all connections and use HSTS (HTTP Strict Transport Security) to prevent downgrade attacks.

2.2 Data at Rest: Data stored in our databases and file systems is encrypted using AES-256 encryption. Encryption keys are managed through secure key management systems with automatic rotation.

2.3 API Communications: All API communications between our systems and Third-Party Providers are encrypted and authenticated using secure tokens and certificates.

3. Authentication and Access Control

3.1 User Authentication:

  • Secure password hashing using bcrypt with appropriate work factors
  • Optional two-factor authentication (2FA) for enhanced account security
  • Rate limiting on authentication attempts to prevent brute force attacks
  • Secure session management with automatic timeout

3.2 Password Requirements:

  • Minimum 8 characters with complexity requirements
  • Password strength indicators during registration
  • Password reset through secure, time-limited email links
  • Protection against common and compromised passwords

3.3 Internal Access Control:

  • Role-based access control (RBAC) for all internal systems
  • Principle of least privilege for employee access
  • Multi-factor authentication required for all administrative access
  • Regular access reviews and immediate revocation upon role changes

4. Application Security

4.1 Secure Development:

  • Secure coding practices following OWASP guidelines
  • Code review requirements for all changes
  • Automated security scanning in CI/CD pipeline
  • Regular dependency updates and vulnerability scanning

4.2 Input Validation:

  • Server-side validation for all user inputs
  • Protection against SQL injection, XSS, and CSRF attacks
  • Content Security Policy (CSP) headers
  • Input sanitization and output encoding

4.3 Security Testing:

  • Regular vulnerability assessments
  • Penetration testing by qualified third parties
  • Responsible disclosure policy for security researchers
  • Automated security testing in development workflow

5. Monitoring and Incident Response

5.1 Security Monitoring:

  • 24/7 infrastructure and application monitoring
  • Real-time alerting for security events
  • Comprehensive logging of security-relevant activities
  • Anomaly detection for unusual access patterns

5.2 Incident Response:

  • Documented incident response procedures
  • Designated security response team
  • Post-incident analysis and remediation
  • Communication protocols for security notifications

5.3 Breach Notification: In the event of a data breach affecting your personal information within ecomVance's systems, we will notify you and relevant authorities within 72 hours after becoming aware of the breach, as required by applicable laws (including GDPR and UK GDPR). For breaches occurring at Third-Party Provider systems (such as Fal AI), notification will be provided promptly after we are notified by the relevant provider.

6. Physical Security

6.1 Data Center Security: Our cloud providers maintain physical security controls including:

  • 24/7 on-site security personnel
  • Biometric access controls
  • Video surveillance
  • Environmental controls (fire suppression, climate control)
  • Secure equipment disposal

7. Employee Security

7.1 Personnel Security:

  • Background checks for employees with access to sensitive systems
  • Security awareness training for all employees
  • Regular security updates and phishing awareness campaigns
  • Confidentiality agreements and acceptable use policies

8. Compliance and Certifications

8.1 Regulatory Compliance: We are committed to complying with applicable data protection regulations, including:

  • UK General Data Protection Regulation (UK GDPR)
  • EU General Data Protection Regulation (EU GDPR)
  • California Consumer Privacy Act (CCPA)
  • Turkish Personal Data Protection Law (KVKK)

8.2 Security Standards: Our security practices align with industry standards and best practices, including OWASP security guidelines and Cloud Security Alliance (CSA) best practices.

9. User Security Responsibilities

9.1 Account Security: While we implement robust security measures, you also play a critical role in protecting your account:

  • Use a strong, unique password for your ecomVance account
  • Enable two-factor authentication (2FA) when available
  • Do not share your login credentials with others
  • Log out of your account on shared devices
  • Report any suspicious activity immediately

9.2 Content Security:

  • Do not upload sensitive personal data that is not necessary for the service
  • Be cautious about including identifiable information in images
  • Ensure you have rights to upload any content you submit

10. Security Updates and Communication

10.1 Policy Updates: We regularly review and update our security practices. When we make significant changes to this Security Policy, we will notify you by updating the "Last Updated" date and providing notice through our website.

10.2 Security Advisories: For significant security issues affecting users, we will communicate through email notifications, in-app notifications, and our status page.

11. Contact Information

For security-related inquiries, to report a security vulnerability, or if you believe your account has been compromised:

Security Team:
Email: hello@ecomvance.ai

General Support:
Email: hello@ecomvance.ai

BEY AGENCY LTD (Parent Company):
Email: hi@bey.agency
Website: https://bey.agency/
Address: Suite 90415 Brayford Square, London, United Kingdom, E1 0SG
Company Number: 16435596

Security is a shared responsibility. We continuously work to improve our security posture and appreciate your cooperation in keeping the ecomVance platform secure. If you discover a security vulnerability, please report it responsibly to our security team.