Security Policy

1. Security commitment

SentraFlow is committed to protecting your data and source code with the highest security standards. This policy details our protection measures.

2. Secure architecture

2.1 Principle of least privilege

• GitHub access: read-only access to authorized repositories only
• Minimal permissions: our application requests only necessary rights
• Isolation: each analysis is processed in isolation

2.2 Secure infrastructure

• Hosting: Vercel (underlying AWS infrastructure)
• Database: Supabase with native encryption
• API: GitHub and GroqCloud with secure authentication
• Network: encrypted HTTPS/TLS 1.3 communications

3. Data protection

3.1 Encryption

• In transit: All communications use HTTPS/TLS
• At rest: Data encrypted in Supabase database
• Authentication: OAuth 2.0 with GitHub (industry standard)
• API Keys: securely stored with regular rotation

3.2 Data access

• Strong authentication: OAuth GitHub required
• Secure sessions: temporary tokens with expiration
• Monitoring: real-time access surveillance

4. Source code security

4.1 Secure processing

• Read-only: no modification possible to your code
• Temporary processing: code is not permanently stored
• Isolation: each analysis is isolated from other users

4.2 Secure AI analysis

• GroqCloud: secure API with end-to-end encryption
• No learning: your code is not used to train models
• Ephemeral processing: data deleted after analysis
• Private results: only you have access to your analyses

5. Application security

5.1 Secure development

• Code review: systematic code review
• Security testing: automated and manual tests
• Dependencies: regular audit of third-party libraries
• Updates: rapid application of security patches

5.2 Threat protection

• Injection: protection against SQL/NoSQL injection
• XSS: escaping and validation of user data
• CSRF: anti-forgery tokens
• Rate limiting: protection against abuse and denial of service

6. Incident management

6.1 Detection

• 24/7 monitoring: continuous platform surveillance
• Automatic alerts: immediate notification of anomalies
• Secure logs: complete logging for investigation
• Regular tests: periodic security audit

6.2 Incident response

• Dedicated team: defined escalation procedures
• Containment: immediate isolation in case of problem
• Communication: transparent notification if necessary
• Post-mortem: analysis and continuous improvement

7. Compliance and audits

7.1 Standards followed

• GDPR: full compliance with European regulation
• OWASP: application of web security best practices
• OAuth 2.0: authentication according to standards
• TLS 1.3: encryption to current standards

7.2 Regular controls

• Internal audit: quarterly review of measures
• Penetration testing: external security evaluation
• Security watch: monitoring vulnerabilities and patches
• Team training: updating security knowledge

8. Shared responsibilities

8.1 Our responsibilities

• Infrastructure and application security
• Protection of stored data
• Security system updates
• Security incident response

8.2 Your responsibilities

• Security of your GitHub account
• Choice of repositories to analyze
• Reporting security issues
• Compliant use with ToU

9. Third-party services and security

9.1 Secure partners

• GitHub: global leader in source code, SOC 2 certified
• Supabase: secure database, native encryption
• GroqCloud: secure AI API, temporary processing
• Vercel: secure hosting, AWS infrastructure

9.2 Continuous evaluation

• Regular audit of our suppliers
• Verification of security certifications
• Contractualization of security requirements
• Continuity plan in case of failure

10. Vulnerability reporting

If you discover a security vulnerability:

10.1 Responsible disclosure

• Secure email: contact@sentraflow.com
• Detailed description: reproduction steps
• Confidentiality: we commit to handling discreetly
• Acknowledgment: public recognition if desired

10.2 Correction process

• Acknowledgment: within 24 business hours
• Evaluation: impact analysis and priority
• Fix: secure development and deployment
• Follow-up: verification of fix effectiveness

11. Service continuity

11.1 Availability

• Backup: replicated and backed up data
• Redundancy: high availability infrastructure
• Monitoring: continuous performance surveillance
• Recovery: tested restoration procedures

11.2 Recovery plan

• RTO (Recovery Time Objective): maximum 4 hours
• RPO (Recovery Point Objective): maximum 1 hour
• Communication: real-time status information
• Escalation: clear procedures for major issues

12. Security evolution

This security policy evolves with:

• New identified threats
• Technological developments
• Feedback and incidents
• Regulatory changes

Important updates will be communicated to you.

13. Security contact

For any security questions:

General email: contact@sentraflow.com

Security is an ongoing effort. This policy will be updated regularly.