Security Policy
Last updated: June 2025
1. Our Commitment
At innnov8, security is a core part of how we build and operate. We take the protection of client data seriously and apply industry-standard practices across our infrastructure, codebase, and internal processes. This policy outlines the measures we take and our expectations when working with clients.
2. Infrastructure Security
- All services are hosted on reputable cloud providers (AWS, Vercel, or equivalent) with SOC 2 or equivalent certifications.
- Data in transit is encrypted using TLS 1.2 or higher. Data at rest is encrypted using AES-256.
- Production environments are isolated from development and staging environments.
- Access to infrastructure is restricted to authorised personnel using strong authentication (MFA required).
3. Application Security
- We follow OWASP Top 10 guidelines when building web applications.
- Dependencies are monitored for known vulnerabilities and updated on a regular cadence.
- Code reviews are required before any code is merged to production branches.
- Secrets and credentials are never stored in version control — we use environment variables and secrets managers.
4. Client Data Handling
- Client data is accessed only by team members with a legitimate need for that project.
- We do not retain client data beyond the duration of the engagement unless explicitly agreed.
- Upon project completion, we follow a structured offboarding process to transfer and/or delete client data as requested.
- We do not use client data for any purpose other than delivering the agreed services.
5. Access Controls
We enforce the principle of least privilege. Access to project environments, repositories, and tools is provisioned on a need-to-know basis and revoked promptly when a team member's role changes or they leave the organisation.
6. Incident Response
In the event of a security incident affecting client data, we commit to:
- Notifying affected clients within 72 hours of becoming aware of the incident.
- Providing a clear description of what happened, what data was affected, and what steps we are taking.
- Conducting a post-incident review and sharing relevant findings with clients.
7. Responsible Disclosure
If you believe you have found a security vulnerability in any innnov8-operated service, please report it responsibly. Email us at security@innnov8.com with a description of the issue and steps to reproduce it. We commit to acknowledging your report within 2 business days and resolving valid issues promptly. We will not take legal action against individuals who report issues in good faith.
8. Third-Party Services
We carefully evaluate third-party tools and services before integrating them. We review their security practices, data handling policies, and compliance certifications. A list of current sub-processors is available upon request.
9. Questions
For any security-related questions or concerns, please contact us at security@innnov8.com. For general enquiries, use hello@innnov8.com.