Security Policy

Effective Date: December 13, 2025 | Last Updated: December 13, 2025

Security First: At Grow8, security is foundational to everything we do. We implement enterprise-grade security measures to protect your data, comply with industry standards, and maintain the trust you place in our platform.

🔒 SOC 2 Type II | 🛡️ GDPR Compliant | ✅ CCPA Compliant | 🔐 256-bit AES Encryption | 🌐 TLS 1.3

1. Our Security Commitment

Grow8 is committed to maintaining the highest standards of security to protect your business data. As a platform that integrates with sensitive marketplace data (including Amazon SP-API), we adhere to strict security protocols and data protection policies required by our integration partners and international regulations.

2. Infrastructure Security

2.1 Cloud Infrastructure

Our platform is hosted on enterprise-grade cloud infrastructure with:

  • AWS & Google Cloud: SOC 1, SOC 2, and ISO 27001 certified data centers
  • Geographic Redundancy: Multi-region deployment for high availability
  • 99.99% Uptime SLA: Enterprise-level service availability
  • Auto-scaling: Dynamic resource allocation to handle demand
  • DDoS Protection: Advanced threat mitigation at network edge

2.2 Network Security

🔥 Firewall Protection

Multi-layer firewall architecture with Web Application Firewall (WAF) protection against common attacks

🔒 VPC Isolation

Virtual private cloud networking with strict ingress/egress rules and network segmentation

πŸ›‘οΈ Intrusion Detection

24/7 real-time monitoring with automated threat detection and response systems

πŸ” Zero Trust Architecture

A never-trust, always-verify approach to all internal and external access

3. Data Encryption

3.1 Encryption in Transit

  • TLS 1.3: All data transmitted between your browser and our servers is encrypted using the latest TLS protocol
  • Certificate Pinning: Additional protection against man-in-the-middle attacks
  • HSTS Enabled: HTTP Strict Transport Security enforced across all domains
  • Perfect Forward Secrecy: Unique session keys protect past communications

3.2 Encryption at Rest

  • AES-256 Encryption: Industry-standard encryption for all stored data
  • Key Management: AWS KMS / Google Cloud KMS with automatic key rotation
  • Database Encryption: Full disk encryption on all database instances
  • Backup Encryption: All backups are encrypted with separate keys

4. Access Control

4.1 Authentication

  • Multi-Factor Authentication (MFA): Required for all user accounts
  • SSO Support: Integration with enterprise identity providers (SAML 2.0, OAuth 2.0)
  • Password Requirements: Strong password policies with bcrypt hashing
  • Session Management: Automatic timeout and secure session handling

4.2 Authorization

  • Role-Based Access Control (RBAC): Granular permissions based on user roles
  • Principle of Least Privilege: Users only access what they need
  • API Key Security: Scoped API keys with rate limiting
  • Audit Trails: Complete logging of all access and changes

4.3 Employee Access

  • Background checks for all employees with data access
  • Security awareness training required for all staff
  • Strict need-to-know basis for customer data access
  • Regular access reviews and immediate revocation upon termination

5. Application Security

5.1 Secure Development

  • Secure SDLC: Security integrated at every development stage
  • Code Reviews: Mandatory peer reviews for all code changes
  • Static Analysis: Automated security scanning in CI/CD pipeline
  • Dependency Scanning: Continuous monitoring for vulnerable packages

5.2 Security Testing

  • Penetration Testing: Annual third-party penetration tests
  • Vulnerability Assessments: Quarterly security assessments
  • Bug Bounty Program: Responsible disclosure program for security researchers
  • OWASP Compliance: Protection against OWASP Top 10 vulnerabilities

6. Data Protection

6.1 Data Classification

We classify data based on sensitivity and apply appropriate protection measures:

  • Confidential: Customer business data, API credentials, PII
  • Internal: System logs, configuration data, internal documentation
  • Public: Marketing materials, public documentation

6.2 Data Handling

  • Data Minimization: We only collect data necessary for our services
  • Purpose Limitation: Data used only for stated purposes
  • Retention Policies: Data deleted when no longer needed
  • Secure Deletion: Cryptographic erasure for sensitive data

7. Compliance & Certifications

📋 SOC 2 Type II

Annual independent audits verifying security, availability, and confidentiality controls

🇪🇺 GDPR

Full compliance with EU General Data Protection Regulation requirements

🇺🇸 CCPA

Compliance with California Consumer Privacy Act requirements

🛒 Amazon SP-API DPP

Adherence to Amazon's Data Protection Policy for marketplace integrations

8. Incident Response

8.1 Incident Response Plan

We maintain a comprehensive incident response plan that includes:

  • Detection: 24/7 monitoring and automated alerting
  • Containment: Rapid isolation of affected systems
  • Eradication: Complete removal of threats
  • Recovery: Restoration of services with verified integrity
  • Post-Incident: Root cause analysis and preventive measures

8.2 Breach Notification

In the event of a data breach affecting your information:

  • We will notify you within 72 hours of discovery (as required by GDPR)
  • We will provide details of the breach and affected data
  • We will outline steps taken to mitigate the impact
  • We will report to relevant regulatory authorities as required

9. Business Continuity

9.1 Disaster Recovery

  • RTO (Recovery Time Objective): Less than 4 hours
  • RPO (Recovery Point Objective): Less than 1 hour
  • Geographic Redundancy: Multi-region data replication
  • Regular Testing: Quarterly disaster recovery drills

9.2 Backup Strategy

  • Continuous incremental backups
  • Daily full backups retained for 30 days
  • Weekly backups retained for 1 year
  • Backup integrity verification and restoration testing

10. Vendor Security

We carefully vet all third-party vendors and require:

  • SOC 2 or equivalent security certifications
  • Data Processing Agreements (DPAs)
  • Regular security assessments
  • Compliance with our security requirements

11. Security Best Practices for Users

We recommend the following security practices:

  • Enable Multi-Factor Authentication on your account
  • Use strong, unique passwords
  • Regularly review account activity and connected integrations
  • Keep your browser and devices updated
  • Be cautious of phishing attempts
  • Report suspicious activity immediately

12. Reporting Security Issues

If you discover a security vulnerability, please report it responsibly:

  • Email: hello@grow8.ai
  • For urgent issues: include "URGENT" in the subject line

We appreciate responsible disclosure and will acknowledge your report within 24 hours.

13. Updates to This Policy

We regularly review and update our security practices. Any material changes to this Security Policy will be communicated through our platform and email notifications.