Security Policy

2.1 Supabase (AWS Sydney Region)

Our primary database and backend platform is Supabase, hosted on Amazon Web Services (AWS) in the ap-southeast-2 (Sydney) region. This ensures data residency within Australia and New Zealand’s geographic region. Supabase maintains SOC 2 Type II certification and ISO 27001 compliance.

2.2 Microsoft Azure

For AI workloads and certain enterprise deployments, we utilise Microsoft Azure. Azure holds ISO 27001, ISO 27017, ISO 27018, SOC 1, SOC 2, and SOC 3 certifications, along with GDPR compliance frameworks.

3.1 What Is RLS?

Row Level Security (RLS) is a database-level access control mechanism that restricts which rows of data a user or application role can read or modify. RLS policies are enforced at the database engine level — not at the application layer — making them significantly more robust than application-level filtering alone.

3.2 How We Implement RLS

For all multi-tenant SaaS applications and any system handling sensitive client data, Longcloud AI implements RLS as a default architectural pattern. Each user or tenant can only access rows of data that belong to them, enforced by the database regardless of how the query is constructed at the application level.

• All tables containing user or tenant data have RLS policies enabled by default
• Policies are tested during development and as part of our QA process
• Administrative access is restricted to authorised roles with auditable access logs
• RLS policies are documented and reviewed as part of security sign-off on each release

4.1 Secure Deployment Packages

We provide containerised deployment packages (Docker / Kubernetes) with hardened configurations, documented network requirements, and step-by-step deployment guides for your infrastructure team.

4.2 Secure Integration Plugins

Where our software integrates with third-party systems, we build integration connectors that follow least-privilege principles, use short-lived tokens where possible, and avoid storing credentials in plaintext.

4.3 Air-Gapped Environments

For high-security environments with no external network access, we can deliver software that operates fully offline, with update mechanisms that support manual, verified patch delivery.

4.4 Client Responsibilities

For self-hosted deployments, the client is responsible for securing the underlying server infrastructure, operating system patching, network perimeter controls, and physical security. Longcloud AI will provide security guidance but cannot be responsible for the client-managed infrastructure layer.

5.1 Secure Development Practices

• OWASP Top 10 compliance as a baseline for all applications
• Threat modelling during architecture and design phases
• Peer code review with security considerations as part of the checklist
• Automated static analysis (SAST) integrated into CI/CD pipelines
• Dependency vulnerability scanning (SCA) on all third-party packages
• Secrets management — no credentials, API keys, or tokens in source code

5.2 Authentication and Access Control

• Multi-factor authentication (MFA) enforced for all administrative and privileged accounts
• Role-based access control (RBAC) with least-privilege defaults
• Short-lived JWT tokens with secure refresh mechanisms
• OAuth 2.0 / OpenID Connect for third-party authentication where applicable
• Session management with automatic timeout and secure cookie flags

5.3 Encryption

• All data in transit encrypted via TLS 1.2 or higher
• All data at rest encrypted using AES-256 or equivalent
• Database backups encrypted before storage
• Encryption keys managed through dedicated key management services

5.4 API Security

• All API endpoints require authentication unless explicitly public
• Rate limiting and throttling applied to prevent abuse
• Input validation and output encoding to prevent injection attacks
• API versioning and deprecation policies to manage change safely

7.1 Detection and Response

We maintain monitoring and alerting across our managed infrastructure. Security events are logged, correlated, and escalated according to severity. Our incident response process follows the NIST framework: Prepare → Detect → Contain → Eradicate → Recover → Learn.

7.2 Client Notification

In the event of a confirmed security incident that affects client data, Longcloud AI will notify affected clients within 72 hours of discovery. Notifications will include: the nature of the incident, data potentially affected, actions taken to contain and remediate, and recommended steps for the client.

7.3 Post-Incident Review

Following every significant security incident, we conduct a blameless post-incident review. Findings are documented and used to improve our controls, processes, and monitoring. A summary can be provided to affected clients on request.

8.1 How to Report

Please send vulnerability reports to:

8.2 Our Commitments to Researchers

• We will acknowledge receipt of your report within 2 business days
• We will investigate and keep you informed of our progress
• We will not pursue legal action against researchers acting in good faith
• We will credit researchers publicly (with their consent) upon resolution
• We aim to resolve critical vulnerabilities within 30 days of confirmed disclosure

8.3 Guidelines

• Do not access, modify, or delete data beyond what is necessary to demonstrate the vulnerability
• Do not perform denial-of-service attacks or any action that degrades our services
• Do not disclose the vulnerability publicly until we have had a reasonable opportunity to remediate
• Provide sufficient detail for us to reproduce and verify the issue