Security & Privacy First
Enterprise-grade security built into every layer of our infrastructure. Your data, your control.
Security Practices
Data Encryption
End-to-end AES-256 encryption for data at rest and TLS 1.3 for data in transit. All sensitive data is encrypted before storage.
Access Controls
Role-based access control (RBAC) with multi-factor authentication (MFA) and OAuth 2.0. Principle of least privilege enforced across all systems.
Incident Response
24/7 security monitoring with automated threat detection. Dedicated incident response team with <1 hour response time for critical issues.
Vulnerability Management
Continuous security scanning, quarterly penetration testing, and automated dependency updates. Bug bounty program with responsible disclosure.
Compliance & Certifications
SOC 2 Type II
Undergoing SOC 2 Type II audit. Expected completion: Q4 2024
GDPR Compliant
Full compliance with EU General Data Protection Regulation
ISO 27001
ISO 27001 certification planned for 2025
Responsible Disclosure Policy
We believe in working with security researchers to keep our systems secure. If you discover a security vulnerability, we appreciate your help in disclosing it to us responsibly.
Do: Report vulnerabilities privately via email to security@ndcreations.com
Do: Provide detailed reproduction steps and impact assessment
Do: Allow us reasonable time (90 days) to address the issue before public disclosure
Don't: Access or modify user data without explicit permission
Don't: Perform testing that degrades service quality or disrupts users
Bug Bounty Program
We reward security researchers who help us identify and fix vulnerabilities. Bounties are awarded based on severity and impact.
Critical
$500 - $2,000
- Remote Code Execution
- SQL Injection
- Authentication Bypass
- Data Breach
High
$200 - $500
- Cross-Site Scripting (XSS)
- CSRF
- Server-Side Request Forgery
- Privilege Escalation
Medium
$50 - $200
- Information Disclosure
- Open Redirects
- Subdomain Takeover
- Rate Limiting Issues
Low
$10 - $50
- Missing Security Headers
- Minor Configuration Issues
- Non-exploitable Bugs
Out of Scope: Social engineering, physical attacks, denial of service, spam, and issues in third-party services we don't control.
Contact: Report vulnerabilities to security@ndcreations.com
Security Audits
Latest Security Audit
Date: March 2024
Our infrastructure underwent comprehensive security assessment by an independent third-party firm. All critical and high-severity findings have been addressed.
Security Best Practices
Follow these guidelines to keep your account and data secure:
Use strong, unique passwords for your account (minimum 12 characters)
Enable multi-factor authentication (MFA) for enhanced security
Regularly review account activity and connected applications
Keep API keys secure and rotate them regularly (every 90 days recommended)
Use environment variables for sensitive configuration, never commit secrets
Implement IP allowlisting for production API access when possible
Monitor API usage and set up alerts for unusual patterns
Follow the principle of least privilege when assigning roles