Security Policy

1) Overview

Masi.am protects the confidentiality, integrity, and availability of customer data across our services and digital products using layered administrative, technical, and physical controls aligned with small-studio best practices.

2) Scope & Responsibilities

• Scope: Websites, e-commerce setups, AI automations, documents/templates, and related support systems we manage.
• Customer: Protect account access, ensure lawful use, and keep contact/payment info current.
• Internal Roles: Security oversight, data handling, and incident response are assigned with least-privilege access.

3) Data Classification

• Public: Marketing pages, blog content, portfolio samples.
• Internal: Non-sensitive operational docs, templates, non-customer notes.
• Confidential: Client materials (logos, product data), project docs, limited PII (name, email, phone, billing info).
• Sensitive: Tokens, API keys, credentials (never stored in plain text).

4) Encryption & Key Management

• HTTPS/TLS transport security for sites, admin portals, and third-party platforms.
• At-rest encryption on reputable cloud providers where available.
• Secrets stored in encrypted vaults or environment variables; rotate upon suspicion of exposure.

5) Access Control & Authentication

• Least-privilege, role-based access for staff/contractors.
• Unique accounts; 2FA where supported.
• Strong passwords (≥12 chars, mixed sets); no reuse across systems.
• Prompt deprovisioning on role change/contract end.

6) Secure Development & Change Management

• Version control for code/config; reviews for major changes.
• Maintain dependencies; prioritize critical patches.
• Track content/config changes with rollback paths where feasible.

7) Logging, Monitoring & Alerting

• Provider logs reviewed to investigate anomalies.
• Admin sign-ins/actions monitored in dashboards.
• Incident logs retained as required.

8) Backups & Recovery

• Regular backups via host or trusted tools; test restores for critical projects.
• Encrypted at rest where supported.
• RPO/RTO targets per engagement and plan (e.g., Care Plan).

9) Incident Response

• Identify & triage; contain (revoke tokens, patch, isolate).
• Eradicate & recover (clean restores, rotate secrets).
• Notify affected clients without undue delay where required.
• Post-incident review and control improvements.

10) Third-Party Vendors & Hosting

• Reputable vendors for hosting, payments, analytics, and file delivery.
• Your use of vendor services is subject to their terms and privacy.
• 2FA and least-privilege on vendor systems where available.

11) Data Retention & Deletion

• Project files retained for support and legal obligations.
• Verified deletion/anonymization on request unless prohibited by law.
• Backups age out per lifecycle.

12) Business Continuity & Disaster Recovery

• Critical assets identified (production sites, DNS, payment links, docs).
• Leverage provider availability (CDN, multi-AZ, SLAs where applicable).
• Documented steps to restore essential services and communications.