StudioDatum LogomarkStudioDatum
StudioDatum LogomarkStudioDatum

Security Policy

Effective DateDecember 11, 2025
Last UpdatedDecember 11, 2025
Version1.0.0

1. Overview

Security is fundamental to StudioDatum's mission of providing a trustworthy AI-powered construction data platform. This Security Policy outlines our security practices, your responsibilities, and how we work together to protect your data.

1.1 Our Commitment

We Are Committed To:

  • Protecting the confidentiality, integrity, and availability of your data
  • Implementing industry-standard security controls
  • Transparent communication about security incidents
  • Continuous improvement of our security posture
  • Compliance with applicable security standards and regulations

1.2 Scope

This policy applies to:

  • DatumOS web application (datumos.app)
  • StudioDatum website (studiodatum.com)
  • Mobile applications (iOS and Android)
  • API services
  • All infrastructure and data storage
  • Third-party integrations

1.3 Security Framework

Our security program is based on:

  • NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover)
  • OWASP Top 10 (Web application security)
  • CIS Controls (Critical security controls)
  • SOC 2 Type II (In progress for future certification)
  • ISO 27001 (Information security management - planned)

2. Security Measures

2.1 Infrastructure Security

Cloud Hosting (Vercel):

  • Enterprise-grade infrastructure with 99.99% uptime SLA
  • Multi-region redundancy
  • DDoS protection and mitigation
  • Edge network with 100+ global locations
  • Automated security patching
  • Vercel Security

Database (Vercel Postgres):

  • Managed PostgreSQL with automatic backups
  • Point-in-time recovery (30 days)
  • Encrypted at rest (AES-256)
  • Encrypted in transit (TLS 1.3)
  • Connection pooling with PgBouncer
  • Query logging and monitoring

File Storage (Vercel Blob):

  • Encrypted at rest (AES-256)
  • Encrypted in transit (TLS 1.3)
  • Presigned URLs with expiration
  • Access controls per file
  • Malware scanning (planned)

Network Security:

  • Web Application Firewall (WAF)
  • Rate limiting and throttling
  • IP-based access controls (enterprise feature)
  • TLS 1.3 for all connections
  • HSTS (HTTP Strict Transport Security)
  • Certificate pinning (mobile apps)

2.2 Application Security

Authentication (Clerk):

  • OAuth 2.0 / OpenID Connect
  • Multi-factor authentication (MFA) support
  • Passwordless authentication (magic links)
  • Session management with secure cookies
  • Automatic session timeout (7 days)
  • Account lockout after failed attempts
  • Clerk Security

Authorization:

  • Role-based access control (RBAC)
  • Principle of least privilege
  • Resource-level permissions
  • API key management for enterprise
  • OAuth token encryption

Code Security:

  • Automated dependency scanning (GitHub Dependabot)
  • Static Application Security Testing (SAST)
  • Secret scanning in repositories
  • Code review requirements for all changes
  • Signed commits (enforced for maintainers)

Input Validation:

  • Parameterized SQL queries (no string concatenation)
  • XSS protection via React automatic escaping
  • CSRF protection with tokens
  • Content Security Policy (CSP) headers
  • Input sanitization for all user data

API Security:

  • Rate limiting (100 requests/minute per user)
  • Authentication required for all endpoints
  • Request size limits (10MB for uploads)
  • Response size limits
  • API versioning for backward compatibility

2.3 Data Encryption

Encryption at Rest:

  • Database: AES-256 encryption
  • File storage: AES-256 encryption
  • Backups: AES-256 encryption
  • OAuth tokens: Industry-standard encryption

Encryption in Transit:

  • TLS 1.3 for all connections
  • Certificate from trusted CA (Let's Encrypt / Vercel)
  • Perfect forward secrecy (PFS)
  • HSTS enforced (max-age: 31536000)

Key Management:

  • Secrets stored in Vercel environment variables (encrypted)
  • Rotation of encryption keys annually
  • No hardcoded secrets in codebase
  • Separate keys for production and development

2.4 Access Controls

Employee Access:

  • Principle of least privilege
  • MFA required for all employees
  • SSO via Google Workspace
  • Just-in-time (JIT) access for production
  • Audit logging of all access

Production Access:

  • Limited to essential personnel
  • MFA and VPN required
  • Session recording and monitoring
  • Approval workflow for sensitive operations
  • Automatic session expiration

Third-Party Access:

  • Vendor risk assessments before integration
  • Minimum necessary access
  • Audit of third-party permissions quarterly
  • Termination of access when no longer needed

2.5 Monitoring and Logging

Application Monitoring:

  • Vercel Analytics for performance
  • Error tracking (Sentry - planned)
  • Uptime monitoring (24/7)
  • Real-time alerts for anomalies

Security Monitoring:

  • Failed login attempts
  • API rate limit violations
  • Unusual access patterns
  • Database query anomalies
  • File upload scanning (planned)

Audit Logging:

  • User authentication events
  • Account changes (email, password, MFA)
  • Data exports
  • API key creation/deletion
  • Third-party connection changes
  • Logs retained for 1 year

Incident Detection:

  • Automated alerting for security events
  • 24/7 monitoring via Vercel
  • Integration with SIEM (planned for enterprise)

3. Third-Party Security

3.1 Service Providers

We use the following third-party services with strong security practices:

Provider Purpose Security Certifications
Clerk Authentication SOC 2 Type II, ISO 27001
Vercel Hosting, storage SOC 2 Type II, ISO 27001, GDPR
OpenAI AI inference SOC 2 Type II
Anthropic AI inference SOC 2 Type II
Google Cloud AI inference, APIs ISO 27001, SOC 2, FedRAMP
Autodesk APS/ACC APIs ISO 27001, SOC 2
Microsoft Graph API ISO 27001, SOC 2, FedRAMP

3.2 Data Processing Agreements

We Have DPAs With:

  • All critical service providers
  • GDPR-compliant Standard Contractual Clauses (SCCs)
  • Regular security assessments

Our Vendors Must:

  • Maintain SOC 2 Type II or equivalent certification
  • Encrypt data at rest and in transit
  • Provide security incident notifications
  • Allow security audits upon request
  • Comply with applicable data protection laws

3.3 AI Provider Security

AI Model Security:

  • Prompts sent via Vercel AI Gateway (adds layer of abstraction)
  • AI providers do not store prompts for training (per our agreements)
  • No personally identifiable information (PII) sent to AI models when avoidable
  • Rate limiting to prevent abuse

Data Minimization:

  • Only necessary context sent to AI models
  • File contents sent only when explicitly requested
  • Third-party data (Autodesk, Microsoft, Google) minimized in prompts

4. Vulnerability Management

4.1 Vulnerability Scanning

Automated Scanning:

  • Daily dependency scans (GitHub Dependabot)
  • Weekly SAST scans (CodeQL)
  • Quarterly DAST scans (planned)
  • Infrastructure scans via Vercel

Remediation SLAs:

  • Critical: 24 hours
  • High: 7 days
  • Medium: 30 days
  • Low: 90 days

4.2 Penetration Testing

Internal Testing:

  • Quarterly manual security testing
  • Annual third-party penetration test (planned)

Bug Bounty Program (Planned):

  • Public bug bounty via HackerOne or Bugcrowd
  • Rewards for responsible disclosures
  • Launch after general availability

4.3 Responsible Disclosure

How to Report Security Vulnerabilities:

DO:

  1. Email security@studiodatum.com with details
  2. Include: description, impact, reproduction steps, proof of concept
  3. Allow us reasonable time to fix (90 days)
  4. Work with us in good faith

DO NOT:

  • Publicly disclose before we've fixed the issue
  • Access or modify other users' data
  • Perform denial-of-service attacks
  • Use automated scanning tools without permission

Our Response:

  • Acknowledge within 48 hours
  • Provide updates every 7 days
  • Credit you in security advisories (if desired)
  • Consider reward for significant findings (case-by-case)

Scope:

  • In scope: datumos.app, studiodatum.com, API endpoints
  • Out of scope: Third-party services, social engineering, physical attacks

Safe Harbor:

  • We will not pursue legal action for good-faith security research
  • Comply with all applicable laws

5. Incident Response

5.1 Incident Detection

We Monitor For:

  • Unauthorized access attempts
  • Data breaches or leaks
  • Service disruptions (DDoS, outages)
  • Malware or security exploits
  • Insider threats
  • Third-party security incidents

5.2 Incident Response Process

1. Detection and Triage (0-1 hour):

  • Identify and classify incident
  • Determine severity (Critical, High, Medium, Low)
  • Assemble incident response team
  • Begin containment

2. Containment (1-4 hours):

  • Isolate affected systems
  • Prevent further damage
  • Preserve evidence for investigation

3. Eradication (4-24 hours):

  • Remove threat (malware, unauthorized access)
  • Patch vulnerabilities
  • Reset compromised credentials

4. Recovery (24-72 hours):

  • Restore affected systems
  • Verify security controls
  • Monitor for recurrence

5. Post-Incident Review (Within 7 days):

  • Root cause analysis
  • Lessons learned
  • Update security controls
  • Implement preventive measures

5.3 Notification

We Will Notify You If:

  • Your data may have been accessed or disclosed
  • Your account may have been compromised
  • Required by law (GDPR, CCPA, state breach notification laws)

Notification Timeline:

  • Within 72 hours of discovery (GDPR requirement)
  • Via email to registered address
  • In-app notification
  • Public disclosure if widespread impact

What We Will Disclose:

  • Nature of the incident
  • Data potentially affected
  • Steps we've taken to address it
  • Steps you should take (e.g., change password)
  • Contact information for questions

6. Compliance

6.1 Regulatory Compliance

Current Compliance:

  • GDPR (General Data Protection Regulation) - EU users
  • CCPA (California Consumer Privacy Act) - California users
  • COPPA (Children's Online Privacy Protection Act) - Under 13 users prohibited
  • DMCA (Digital Millennium Copyright Act) - Copyright compliance

Planned Compliance:

  • SOC 2 Type II (Security, Availability, Confidentiality)
  • ISO 27001 (Information Security Management)
  • HIPAA (if handling protected health information - not currently applicable)

6.2 Industry Standards

We Follow:

  • OWASP Top 10 (Web application security)
  • NIST Cybersecurity Framework
  • CIS Critical Security Controls
  • AICPA Trust Services Criteria (SOC 2)

6.3 Audits and Assessments

Internal Audits:

  • Quarterly security control reviews
  • Annual comprehensive security audit

External Audits:

  • SOC 2 Type II audit (planned for 2026)
  • Third-party penetration test (annual, planned)

Vendor Audits:

  • Annual review of third-party security posture
  • Review of SOC 2 reports from critical vendors

7. Data Security

7.1 Data Classification

Public Data:

  • Marketing materials, public documentation
  • Security: Standard web security controls

Internal Data:

  • Company operations, internal tools
  • Security: Access controls, encryption in transit

Confidential Data:

  • User conversations, artifacts, uploaded files
  • Security: Encryption at rest and in transit, access controls, audit logging

Sensitive Data:

  • Passwords, OAuth tokens, API keys, payment info (future)
  • Security: Encryption, key management, strict access controls

7.2 Data Retention

User Data:

  • Conversations: 90 days (see Privacy Policy)
  • Artifacts: Until user deletion
  • Uploaded files: Until user deletion
  • Account data: Until account deletion

Backups:

  • Encrypted backups retained for 30 days
  • Deleted data purged from backups within 30 days

Logs:

  • Security logs: 1 year
  • Audit logs: 1 year
  • Application logs: 30 days

7.3 Data Deletion

User-Initiated Deletion:

  • Individual conversations and artifacts: Immediate
  • Account deletion: Permanent deletion within 30 days
  • Backup purge: Within 30 days

Secure Deletion:

  • Cryptographic erasure (destroy encryption keys)
  • Database record deletion
  • File storage deletion
  • Backup purge

8. User Security Responsibilities

8.1 Account Security

You Are Responsible For:

  • Keeping your password confidential
  • Enabling MFA (strongly recommended)
  • Using a strong, unique password
  • Logging out on shared devices
  • Not sharing your account
  • Reporting suspicious activity immediately

Password Requirements:

  • Minimum 8 characters (enforced by Clerk)
  • Recommended: 16+ characters, mix of letters/numbers/symbols
  • No reuse of passwords from other sites
  • Password manager recommended (1Password, Bitwarden, etc.)

8.2 Data Protection

You Should:

  • Not upload sensitive data you don't want AI to process
  • Not share confidential information in conversations
  • Review AI-generated content for sensitive data before sharing
  • Understand that AI providers may see your prompts (anonymized)
  • Export important data regularly (we retain for 90 days)

Remember:

  • AI conversations are processed by third-party AI providers
  • We implement security controls but cannot guarantee 100% security
  • You are responsible for compliance with your own policies (e.g., NDA, client confidentiality)

8.3 Third-Party Integrations

When Connecting Autodesk, Microsoft, or Google:

  • Review OAuth permissions carefully
  • Only grant minimum necessary access
  • Disconnect when no longer needed
  • Monitor for unauthorized access in third-party logs
  • Comply with third-party security policies

9. Security Updates

9.1 How We Communicate Security Issues

Security Advisories:

  • Posted at: studiodatum.com/security/advisories (planned)
  • Published for all significant vulnerabilities
  • Include: description, impact, affected versions, remediation

User Notifications:

  • Email for critical security issues
  • In-app banner for important updates
  • Blog posts for major incidents (planned)

Security Changelog:

  • Quarterly security update summaries
  • Published in legal changelog

9.2 Patching and Updates

Application Updates:

  • Continuous deployment (multiple times per day)
  • Security patches deployed immediately upon availability
  • No user action required (SaaS model)

Dependency Updates:

  • Automated daily scans
  • Critical updates within 24 hours
  • Regular updates weekly

Infrastructure Updates:

  • Managed by Vercel (automatic)
  • Zero-downtime deployments
  • Rollback capability

10. Privacy and Security

10.1 Relationship to Privacy Policy

This Security Policy complements our Privacy Policy.

Privacy Policy Covers:

  • What data we collect
  • How we use data
  • Your privacy rights (GDPR, CCPA)

Security Policy Covers:

  • How we protect data
  • Security measures and controls
  • Incident response

10.2 Data Minimization

We Collect Only:

  • Data necessary to provide services
  • Data you explicitly provide
  • Data from integrations when you use them

We Do NOT:

  • Collect unnecessary personal information
  • Retain data longer than necessary
  • Share data beyond what's disclosed in Privacy Policy

10.3 Employee Access to Data

Strict Access Controls:

  • Only authorized personnel can access production data
  • Access granted on need-to-know basis
  • All access logged and audited
  • MFA and VPN required

Employee Training:

  • Security awareness training (quarterly)
  • Privacy and data protection training (annual)
  • Incident response training
  • Signed confidentiality agreements

11. Business Continuity

11.1 Backup and Recovery

Automated Backups:

  • Database backups every 6 hours
  • File storage backups continuous
  • Backup retention: 30 days
  • Encrypted backups (AES-256)

Disaster Recovery:

  • Recovery Time Objective (RTO): 4 hours
  • Recovery Point Objective (RPO): 6 hours
  • Multi-region failover capability
  • Tested quarterly

11.2 Service Availability

Uptime Target:

  • 99.9% uptime goal (beta status, no SLA)
  • Future: 99.99% SLA for paid tiers

Redundancy:

  • Multi-region deployment
  • Load balancing
  • Auto-scaling
  • Database replication

11.3 Communication During Incidents

Status Page (Planned):

  • status.studiodatum.com
  • Real-time incident updates
  • Historical uptime data

Notifications:

  • Email for major outages
  • In-app status banner
  • Social media updates (@StudioDatum)

12. Contact Information

12.1 Security Team

Security Issues and Vulnerability Reports:

  • Email: security@studiodatum.com
  • PGP Key: [Key fingerprint] (planned)
  • Response Time: 48 hours

Include in Reports:

  • Description of vulnerability
  • Steps to reproduce
  • Potential impact
  • Your contact information (for follow-up)

12.2 General Inquiries

Security Policy Questions:

  • Email: security@studiodatum.com

Privacy Questions:

  • Email: privacy@studiodatum.com

Legal Questions:

  • Email: legal@studiodatum.com

Revision History

Version Date Changes Commit Diff
1.0.0 2025-12-11 Initial publication [Pending] -

How to view changes:

  1. Click commit link to see specific change
  2. Click "View diff" to compare versions
  3. All changes tracked in GitHub repository

Summary

Our Security Commitment:

  • Industry-standard encryption (AES-256, TLS 1.3)
  • SOC 2-certified vendors (Clerk, Vercel)
  • 24/7 monitoring and incident response
  • Regular security audits and updates
  • Transparent communication

Your Security Responsibilities:

  • Use strong passwords and enable MFA
  • Protect your account credentials
  • Report suspicious activity
  • Understand data flows to AI providers
  • Comply with third-party security policies

Together We:

  • Protect confidential construction data
  • Maintain secure AI-powered services
  • Respond quickly to security incidents
  • Continuously improve security posture

Questions? Contact security@studiodatum.com

Last Updated: December 11, 2025 Effective Date: December 11, 2025 Version: 1.0.0

This Security Policy was drafted with care, but is not a substitute for professional security consultation. StudioDatum recommends having this reviewed by a qualified security professional before publication.