Security Policy

• In transit: all data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS on all endpoints.
• At rest: all data stored in our databases and file systems is encrypted at rest.
• Certificates: TLS certificates are provisioned via Let's Encrypt with automatic renewal.

• Password hashing: passwords are hashed using bcrypt with appropriate cost factors. We never store plaintext passwords.
• JWT tokens: authentication uses RS256 (RSA 4096-bit) signed JSON Web Tokens. Access tokens expire after 15 minutes; refresh tokens after 30 days.
• Two-factor authentication (2FA): optional TOTP-based two-factor authentication is available for all accounts.
• Rate limiting: all authentication endpoints are rate-limited to prevent brute-force attacks.
• Session management: tokens are stored in HTTP-only, Secure cookies to prevent XSS-based token theft.

• Container isolation: project containers run in isolated Docker environments with restricted capabilities.
• CORS policy: Cross-Origin Resource Sharing is configured to allow only trusted origins.
• Content Security Policy (CSP): HTTP headers restrict script execution to prevent cross-site scripting attacks.
• Rate limiting: API rate limits are enforced globally and per-endpoint to prevent abuse.
• Input validation: all user inputs are validated and sanitized at the API boundary using schema validation.
• SQL injection prevention: parameterized queries are used for all database operations via an ORM layer.

• Project data is isolated per user. Users can only access their own projects.
• API authentication is required for all data access.
• Admin access is restricted to authorized personnel with separate role-based permissions.

In the event of a security incident:

1. Detection: we monitor logs and system metrics for anomalous activity.
2. Containment: affected systems are isolated immediately to prevent further impact.
3. Notification: affected users are notified within 72 hours of confirmed data breaches, as required by GDPR Article 33.
4. Remediation: root cause analysis is performed and fixes are deployed promptly.
5. Post-incident review: lessons learned are documented and security measures are strengthened.

We encourage responsible disclosure of security vulnerabilities. If you discover a vulnerability in the Codilla platform:

• Email admin@codilla.ai with details of the vulnerability.
• Include steps to reproduce, impact assessment, and any supporting evidence.
• Do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
• Do not exploit the vulnerability to access data beyond what is necessary to demonstrate the issue.
• We will acknowledge receipt within 48 hours and aim to resolve critical issues within 7 days.

• Active accounts: data is retained as long as your account is active.
• Deleted accounts: 30-day recovery window, then permanent deletion.
• Billing records: retained for 7 years as required by tax and financial regulations.
• Audit logs: security audit logs are retained for 90 days.
• Backups: encrypted backups are purged on a rolling 30-day schedule.

We use the following third-party services, each with their own security practices:

• Anthropic (Claude API): AI processing — data sent for processing is governed by our agreement with Anthropic.
• Razorpay: payment processing — PCI DSS compliant. We do not store payment card data.
• GitHub: optional code repository integration — access is controlled by your GitHub OAuth permissions.

While we implement industry-standard security measures, no system can guarantee absolute security. We continuously monitor, audit, and improve our security posture, but we cannot warrant that our security measures will prevent all unauthorized access, use, or disclosure. Use the Service at your own risk and take appropriate precautions to protect your own data.

For security concerns, vulnerability reports, or questions about this policy, contact us at admin@codilla.ai or call/WhatsApp +91 7907191184.