Security

How We Protect Your Data and Platform

Last Updated: December 3, 2025

1. Our Security Commitment

At LPGenius, security is a core priority. We implement industry-standard security measures to protect your data, content, and account. This page outlines our security practices and what we do to keep your information safe.

Security is Everyone's Responsibility: While we implement robust security measures, you also play a crucial role in keeping your account secure. Use strong passwords, enable two-factor authentication when available, and never share your credentials.

2. Infrastructure Security

2.1 Cloud Infrastructure

LPGenius is hosted on enterprise-grade cloud infrastructure with:

  • Vercel/AWS: Our application runs on Vercel's edge network, backed by Amazon Web Services (AWS)
  • Supabase: Our database is hosted on Supabase with PostgreSQL, featuring automatic backups and encryption
  • Global CDN: Content is served through a global content delivery network for performance and DDoS protection
  • Automatic Scaling: Infrastructure scales automatically to handle traffic spikes

2.2 Network Security

  • TLS/SSL Encryption: All data in transit is encrypted using TLS 1.2 or higher
  • HTTPS Only: All connections are forced to use HTTPS
  • DDoS Protection: Multiple layers of DDoS mitigation through our CDN providers
  • Firewall Protection: Web Application Firewall (WAF) rules protect against common attacks

2.3 Data Encryption

  • Encryption at Rest: All data stored in our databases is encrypted using AES-256
  • Encryption in Transit: All API communications use TLS encryption
  • Key Management: Encryption keys are managed securely and rotated regularly

3. Application Security

3.1 Authentication & Access Control

  • Secure Authentication: Password hashing using bcrypt with appropriate cost factors
  • OAuth 2.0: Secure third-party authentication via Google and other providers
  • Session Management: Secure session tokens with automatic expiration
  • Rate Limiting: Protection against brute force and credential stuffing attacks

3.2 Input Validation & Sanitization

  • Input Validation: All user inputs are validated and sanitized
  • SQL Injection Prevention: Parameterized queries prevent SQL injection attacks
  • XSS Protection: Content Security Policy (CSP) headers and output encoding prevent cross-site scripting
  • CSRF Protection: Anti-CSRF tokens protect against cross-site request forgery

3.3 AI Content Moderation

Our platform includes automated content moderation to:

  • Detect and block malicious or prohibited content prompts
  • Prevent generation of phishing pages, malware distribution sites, or illegal content
  • Flag suspicious patterns for review
  • Protect against prompt injection attacks

3.4 Code Security

  • Dependency Scanning: Regular scanning for vulnerable dependencies
  • Code Reviews: All code changes undergo review before deployment
  • Security Headers: Strict security headers including CSP, HSTS, X-Frame-Options

4. Data Protection

4.1 Data Handling

  • Minimal Data Collection: We only collect data necessary to provide the service
  • Data Isolation: Customer data is logically isolated between accounts
  • Access Controls: Strict access controls limit who can access customer data
  • Audit Logging: All data access is logged for security monitoring

4.2 Backup & Recovery

  • Automated Backups: Daily automated backups of all data
  • Point-in-Time Recovery: Ability to restore data to any point within the retention period
  • Geographic Redundancy: Backups stored in multiple geographic locations
  • Recovery Testing: Regular testing of backup restoration procedures

4.3 Data Retention

  • Active Accounts: Data retained while your account is active
  • Deleted Accounts: Data deleted within 30 days of account termination
  • Logs: Security and access logs retained for up to 90 days
  • Backups: Backup data retained for up to 90 days

5. Third-Party Security

5.1 Payment Security

All payment processing is handled by Paddle, our Merchant of Record:

  • PCI DSS Level 1 compliant payment processing
  • We never store your full credit card details
  • All payment data is handled entirely by Paddle's secure systems

5.2 AI Service Providers

We use trusted AI providers including OpenAI and Anthropic:

  • All API communications are encrypted
  • No customer data is used for AI model training without explicit consent
  • Providers maintain SOC 2 Type 2 compliance

5.3 Third-Party Integrations

When you connect third-party services:

  • We use OAuth 2.0 for secure authorization
  • We request only necessary permissions (minimal scopes)
  • Access tokens are stored encrypted
  • You can revoke access at any time

6. Operational Security

6.1 Monitoring & Alerting

  • 24/7 Monitoring: Continuous monitoring of infrastructure and application health
  • Security Alerts: Automated alerts for suspicious activities
  • Incident Response: Defined procedures for security incident response
  • Log Analysis: Regular analysis of security logs for anomalies

6.2 Access Management

  • Principle of Least Privilege: Team members have access only to the systems they need
  • Multi-Factor Authentication: Required for all internal systems access
  • Regular Access Reviews: Periodic review and revocation of unnecessary access

6.3 Secure Development

  • Secure SDLC: Security is integrated into our development lifecycle
  • Environment Separation: Development, staging, and production environments are isolated
  • Secret Management: API keys and secrets are stored securely, never in code

7. Your Security Responsibilities

7.1 Account Security Best Practices

  • Use a strong, unique password for your LPGenius account
  • Enable two-factor authentication when available
  • Never share your login credentials with others
  • Log out from shared or public computers
  • Keep your email account secure (used for password recovery)

7.2 Content Security

  • Review AI-generated content before publishing
  • Don't include sensitive personal data in landing pages unnecessarily
  • Use secure forms for collecting user data
  • Ensure your custom domains use HTTPS

7.3 Integration Security

  • Only connect trusted third-party services
  • Regularly review connected applications
  • Revoke access for services you no longer use
  • Keep API keys confidential

8. Vulnerability Reporting

We take security vulnerabilities seriously and appreciate responsible disclosure. If you discover a security vulnerability in LPGenius, please report it to us.

8.1 How to Report

Email: dimahasin2@gmail.com

Subject: Security Vulnerability Report

8.2 What to Include

  • Description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact assessment
  • Any proof-of-concept code (if applicable)
  • Your contact information for follow-up

8.3 Our Commitment

  • We will acknowledge receipt within 48 hours
  • We will investigate and assess the vulnerability
  • We will keep you informed of our progress
  • We will credit researchers who help improve our security (with permission)

Responsible Disclosure: Please do not publicly disclose vulnerabilities until we have had reasonable time to address them. We ask for at least 90 days to investigate and remediate issues before public disclosure.

9. Security Incident Response

9.1 In Case of a Security Incident

If we experience a security incident that affects your data, we will:

  • Investigate and contain the incident promptly
  • Notify affected users within 72 hours as required by law
  • Provide information about what data was affected
  • Take steps to prevent similar incidents
  • Report to relevant authorities as required

9.2 If You Suspect Unauthorized Access

If you believe your account has been compromised:

  1. Change your password immediately
  2. Review recent account activity
  3. Revoke any suspicious sessions
  4. Contact us at dimahasin2@gmail.com

10. Compliance & Standards

10.1 Privacy Regulations

  • GDPR: Compliant with EU General Data Protection Regulation
  • CCPA: Compliant with California Consumer Privacy Act
  • Israeli Privacy Law: Compliant with the Israeli Privacy Protection Law

10.2 Security Standards

We follow industry best practices and security frameworks including:

  • OWASP Top 10 web application security risks
  • CIS Controls for security best practices
  • NIST Cybersecurity Framework principles

10.3 Continuous Improvement

Security is an ongoing process. We continuously:

  • Monitor for new threats and vulnerabilities
  • Update our security measures
  • Train our team on security best practices
  • Review and improve our security policies

11. Security Contact

For security-related questions or concerns, please contact us:

DH Consulting

Registration No.: 303879787

Security Email: dimahasin2@gmail.com

Address: Homa U'Migdal 8, Hadera, Israel