Security - Enterprise-Grade Data Protection at Renoz

Our Commitment to Security

At Renoz, we take the security of your data seriously. This page outlines the technical and organizational measures we implement to protect your personal information and business data. While no system can guarantee absolute security, we continuously work to maintain industry-standard security practices.

1. Data Encryption

Encryption in Transit

All data transmitted between your device and our servers is encrypted using TLS/SSL (Transport Layer Security) with a minimum of TLS 1.2. This protects your data from interception during transmission.

Encryption at Rest

Sensitive data stored in our databases is encrypted at rest using AES-256 encryption. This includes passwords, payment information, and other sensitive personal information.

Password Security

User passwords are never stored in plain text. We use industry-standard bcrypt hashing with salt to protect your password. Even our administrators cannot access your password.

2. Infrastructure Security

Cloud Infrastructure

Our services are hosted on enterprise-grade cloud infrastructure:

Supabase: Enterprise PostgreSQL hosting with automatic backups and high availability
Vercel: Global edge network with DDoS protection and automatic scaling
AWS (via Supabase): Data centers with physical security, redundant power, and network connectivity

Network Security

Firewalls to control traffic and prevent unauthorized access
DDoS protection to maintain service availability
Intrusion detection and prevention systems
Regular security patches and updates
Network segmentation to isolate sensitive systems

Data Backups

Automated daily backups of all user data
Geographic redundancy across multiple data centers
Point-in-time recovery capabilities
Regular backup testing and verification
Encrypted backup storage

3. Application Security

Authentication & Authorization

Multi-factor authentication support (OAuth with Google)
Session management with automatic timeout
Role-based access control (RBAC)
Secure password requirements (minimum 6 characters)
Account lockout after multiple failed login attempts

Security Best Practices

Protection against SQL injection attacks
Cross-Site Scripting (XSS) prevention
Cross-Site Request Forgery (CSRF) protection
Input validation and sanitization
Secure API endpoints with rate limiting
Content Security Policy (CSP) headers

Code Security

Regular dependency updates and vulnerability scanning
Code review process for all changes
Automated security testing in CI/CD pipeline
Error tracking and monitoring (Sentry)
Secure development lifecycle practices

4. Third-Party Security

We carefully select and vet all third-party services:

Stripe (Payment Processing)

PCI DSS Level 1 certified. We do not store complete credit card information on our servers. All payment data is handled securely by Stripe.

Supabase (Database & Authentication)

Enterprise-grade PostgreSQL with built-in security features, automatic backups, and SOC 2 Type II compliance.

Google (Analytics & reCAPTCHA)

Industry-leading security practices with ISO 27001, SOC 2/3, and other certifications.

Sentry (Error Monitoring)

Error tracking with data scrubbing to prevent sensitive information exposure. SOC 2 Type II certified.

5. Access Controls

Internal Access

Principle of least privilege - employees have minimum necessary access
Multi-factor authentication required for all internal staff
Regular access reviews and audits
Immediate revocation of access upon employee departure
Logging and monitoring of administrative actions

Data Access Policies

Your data is only accessed by our team when necessary for support requests, troubleshooting, or legal compliance. All access is logged and monitored.

6. Monitoring and Response

Security Monitoring

24/7 automated monitoring of systems and networks
Real-time alerting for suspicious activities
Regular security audits and penetration testing
Continuous vulnerability scanning
Log aggregation and analysis

Incident Response

We have a documented incident response plan that includes:

Immediate containment of security incidents
Investigation and root cause analysis
Remediation and system restoration
User notification when required by law
Post-incident review and improvements

7. Data Breach Notification

In the event of a data breach that affects your personal information, we will:

Investigate the incident promptly and thoroughly
Take immediate steps to contain and remediate the breach
Notify affected users within 72 hours (or as required by law)
Provide information about the nature of the breach and steps taken
Offer guidance on protective measures you can take
Report to relevant authorities as required by law

8. Your Security Responsibilities

Important: Your Role in Security

Security is a shared responsibility. Please help protect your account by following these best practices.

Account Security Best Practices

Use a strong, unique password (at least 12 characters recommended)
Never share your password with anyone
Enable two-factor authentication when available
Log out when using shared or public computers
Keep your contact information up to date
Review your account activity regularly
Report suspicious activity immediately
Be cautious of phishing attempts

9. Data Retention and Deletion

We retain your data only as long as necessary for business purposes and legal requirements:

Active account data is retained for the duration of your subscription
Deleted account data is permanently removed within 30 days
Backups are retained for 90 days for disaster recovery
Financial records are retained as required by tax and accounting laws
You can request data deletion at any time through your account settings

10. Compliance and Certifications

We are committed to maintaining compliance with:

California Consumer Privacy Act (CCPA)
General Data Protection Regulation (GDPR) principles
Industry security best practices and standards
Payment Card Industry Data Security Standard (PCI DSS) via Stripe

We continuously work to improve our security posture and pursue additional certifications as our service grows.

11. Security Questions or Concerns

If you have questions about our security practices or wish to report a security vulnerability, please contact us:

Email: hello@renoz.app

Subject Line: Security Inquiry or Security Vulnerability Report

Website: renoz.app

12. Responsible Disclosure

We appreciate security researchers who help us maintain a secure platform. If you discover a security vulnerability:

Report it to us privately before public disclosure
Provide detailed information to help us reproduce and fix the issue
Give us reasonable time to address the vulnerability
Do not exploit the vulnerability beyond what is necessary to demonstrate it
Do not access, modify, or delete user data

We commit to acknowledging your report promptly and keeping you informed of our progress toward a fix.

13. Updates to This Page

We may update this Data Security page from time to time to reflect changes in our security practices or infrastructure. Material changes will be communicated by updating the "Last Updated" date at the top of this page.

Related Policies

For more information about how we handle your data, please see our Privacy Policy, Terms of Service, and California Privacy Rights page.