Security Policy
Last Updated: January 11, 2025
1. Our Commitment to Security
At STR Agent HUB, we are committed to maintaining the highest standards of data security and privacy. We implement comprehensive security controls aligned with industry best practices and compliance frameworks including SOC 2 Type II and ISO 27001.
2. Security Controls
2.1 Infrastructure Security
- Cloud Infrastructure: Hosted on Google Cloud Platform (Firebase) with SOC 2 Type II certification
- Data Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
- Network Security: Web Application Firewall (WAF), DDoS protection, and intrusion detection
- Access Control: Role-based access control (RBAC) following the principle of least privilege
2.2 Application Security
- Secure Development: Security-focused SDLC with code reviews and static analysis
- Input Validation: Server-side validation and sanitization of all user inputs
- Authentication: Multi-factor authentication for administrative access
- Session Management: Secure session handling with automatic timeout
- Bot Protection: Google reCAPTCHA v3 for form protection
2.3 Security Headers
We implement comprehensive HTTP security headers:
- Strict-Transport-Security (HSTS) with preload
- Content-Security-Policy (CSP)
- X-Content-Type-Options
- X-Frame-Options
- X-XSS-Protection
- Referrer-Policy
- Permissions-Policy
- Cross-Origin-Opener-Policy
- Cross-Origin-Resource-Policy
3. Data Protection
3.1 Data Classification
We classify data based on sensitivity and apply appropriate controls:
- Confidential: Personal contact information, lead data
- Internal: Business analytics, aggregated metrics
- Public: Marketing content, public web pages
3.2 Data Retention
| Data Type | Retention Period | Justification |
|---|---|---|
| Lead contact information | 3 years | Business relationship management |
| Form submissions | 3 years | Service fulfillment and legal compliance |
| Analytics data | 26 months | Google Analytics default retention |
| Server logs | 90 days | Security monitoring and debugging |
| Cookie consent records | 3 years | GDPR compliance documentation |
3.3 Data Deletion
Upon request or at the end of retention periods, personal data is securely deleted using industry-standard methods. Backups are purged according to our backup retention policy.
4. Subprocessors
We use the following third-party service providers who may process personal data:
| Provider | Purpose | Location |
|---|---|---|
| Google Cloud Platform / Firebase | Hosting, database, cloud functions | United States |
| Google Analytics | Website analytics | United States |
| Google reCAPTCHA | Bot and spam protection | United States |
All subprocessors maintain appropriate security certifications and data processing agreements.
5. Incident Response
We maintain a documented incident response plan that includes:
- 24/7 monitoring and alerting
- Defined escalation procedures
- Communication protocols for affected parties
- Post-incident review and remediation
- Regulatory notification within required timeframes (72 hours for GDPR)
6. Vulnerability Disclosure
We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please report it to:
- Email: security@stragenthub.com
- Security.txt: /.well-known/security.txt
We commit to:
- Acknowledging receipt within 48 hours
- Providing regular updates on remediation progress
- Not pursuing legal action for good-faith security research
- Crediting researchers who wish to be acknowledged
7. Compliance
Our security program is designed to meet or exceed the requirements of:
- SOC 2 Type II: Service Organization Control standards for security, availability, and confidentiality
- ISO 27001: International information security management standard
- GDPR: General Data Protection Regulation
- CCPA: California Consumer Privacy Act
8. Business Continuity
We maintain business continuity and disaster recovery capabilities including:
- Automated backups with geographic redundancy
- Defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)
- Regular testing of recovery procedures
- High-availability infrastructure with automatic failover
9. Contact
For security-related inquiries, please contact:
- Security Team: security@stragenthub.com
- Privacy Team: privacy@stragenthub.com