Security Policy

We treat security as a product requirement and describe only controls that are implemented or operationally required by the current service.

• ›Security-sensitive routes run server-side in the Next.js application
• ›Protected dashboard and admin routes require authenticated sessions
• ›Administrative functionality is restricted to configured admin email addresses

Current codebase controls include:

• ›NextAuth Google OAuth with JWT sessions and an 8-hour session lifetime
• ›Minimal session claims; OAuth access tokens are not exposed to the browser session
• ›Zod validation for contact, dashboard, quote, status, and AI payloads
• ›Upstash-backed rate limiting for public and authenticated write routes
• ›Host validation, CSP, frame blocking, content-type protection, referrer policy, and permissions policy headers
• ›Prisma query APIs rather than ad hoc SQL string construction

We protect data through access control, provider security controls, encrypted transport, and restricted operational access.

• ›Production database credentials are kept in environment variables
• ›SMTP, AI, Redis, and OAuth secrets are server-side only
• ›Public bank details are separated from secrets and can be configured by environment

The dashboard includes an account deletion route for signed-in users. It deletes app-owned project, quote, and privacy request records associated with the authenticated email address.

• ›Deletion requires an active authenticated session
• ›The UI requires typed confirmation before deletion
• ›After deletion the user is signed out

External OAuth accounts remain managed by the OAuth provider.

If we identify a personal-data breach or security incident, we investigate, contain, document, and notify affected parties or authorities where required by applicable law.

• ›GDPR authority notification is assessed under the 72-hour requirement where applicable
• ›User notification depends on risk, legal requirements, and available contact details

Report suspected vulnerabilities to info@swarpfoundation.com with enough detail to reproduce and validate the issue.

• ›Do not access, modify, destroy, or exfiltrate data that is not yours
• ›Do not perform denial-of-service, spam, social engineering, or physical attacks
• ›Give us reasonable time to investigate before public disclosure

We do not claim ISO 27001 certification, completed third-party audits, or formal penetration-test certification unless separately published. Security claims should remain tied to implemented controls and documented provider guarantees.