Data Security

ISMS Policy Generator has implemented a variety of controls to protect the confidentiality of user data. These controls largely align with the principles outlined by OWASP, the ISO 27001 standard, and the best practices of the third-party services involved in ISMS Policy Generator’s workflow.

  1. User Authentication & Access Control: Implement strong user authentication methods (such as multi-factor authentication) and role-based access control (RBAC) to prevent unauthorized access to data.
  2. Secure Data Transmission: Ensure that data is securely transmitted between the application, the user, and other integrated applications (OpenAI API, Zapier, Google Docs, Stripe) using HTTPS or SSL/TLS.
  3. Data Encryption: Protect data at rest by encrypting user data stored within our application’s database.
  4. API Security: Protect usage of APIs (e.g. OpenAI, Stripe) with measures such as rate limiting, usage quotas, secure keys, and secure error handling. API keys and secrets are kept out of code and in secure storage.
  5. Input Validation and Sanitization: We apply strong server-side input validation and sanitization to protect against threats such as SQL injection, cross-site scripting (XSS), and command injection.
  6. Security Awareness and Training: Our team is trained on the latest security threats and the best practices for preventing them.
  7. Backup and Recovery: Regularly back up data and test recovery procedures to ensure we can recover from a data-loss incident.
  8. Secure Configurations: Default settings of our application and integrated services (Bubble.io, OpenAI API, Zapier, Google Docs) have been modified to be as secure as possible. All Google Drive files are restricted by default.
  9. Third-Party Security: For third-party services like Stripe, Zapier, Google Docs, and OpenAI, we understand their security practices and integrate them securely. For example, Stripe is integrated in a manner such that no card data touches our server.
  10. Security Policies and Procedures: We have a written set of security policies and procedures and make sure to follow them. They should be updated as new threats emerge or when we make significant changes to our application.

Data Encrypted at Rest

Yes, our organization is committed to ensuring the security of data at rest. We utilize various third-party services, all of which employ industry-standard encryption methods for data storage:

Bubble: Data stored within Bubble’s database, including user inputs for policy generation, is encrypted using robust encryption practices. Bubble is known to implement measures such as SSL/TLS for data in transit and AES encryption for data at rest.

OpenAI: While handling policy generation, OpenAI applies strong encryption methods to safeguard information. This includes secure handling of API calls and data processing.

Google Drive: The generated policies stored in Google Drive benefit from Google’s comprehensive encryption algorithms. Google encrypts data at rest using various layers of encryption, including Advanced Encryption Standard (AES) with 256-bit keys.

Zapier: Zapier, the tool used for sending generated policies via email, follows industry standards for encryption, protecting both data at rest and in transit. AES 256-bit encryption is used at rest.

By relying on these trusted platforms, we ensure that data is encrypted and secured according to modern best practices.

For more detailed information on each third-party service’s security protocols, please refer to their respective security documentation.

Data Encrypted in Transit

Yes, our organization is committed to the security of data in transit. We achieve this by using several third-party services known for strong encryption practices:

Bubble: Bubble employs Secure Sockets Layer (SSL) and Transport Layer Security (TLS) to encrypt data during transmission between the client and server.

OpenAI: OpenAI, utilized for policy generation, leverages Transport Layer Security (TLS) to encrypt data exchanges and API calls, ensuring a secure connection.

Zapier: Zapier, used for sending generated policies via email, also utilizes SSL/TLS encryption to protect data during transit.

Google Drive: Google Drive employs SSL/TLS for encrypting data as it travels to and from its storage, adding another layer of security for the generated policies.

By relying on these trusted platforms with strong encryption protocols, we ensure that data in transit remains secure, adhering to current industry best practices. Our commitment to security includes continuous monitoring of advancements in technology to implement necessary updates and improvements.

Passwords Encrypted

At the moment, our application is designed to operate without user authentication, meaning there are no user passwords to store or encrypt. All generated documents are securely delivered directly to the user’s email, ensuring accessibility only to the intended recipient.

Updated on 20 January 2024