Encryption
Data in Transit
All data transmitted between your browser and our servers is encrypted using TLS 1.3 (Transport Layer Security), the latest and most secure version of the protocol. We enforce HTTPS across all endpoints and do not support older, deprecated protocols such as TLS 1.0 or TLS 1.1. HSTS (HTTP Strict Transport Security) headers are set with a minimum max-age of one year to prevent protocol downgrade attacks.
Data at Rest
All stored data — including account information, subscription records, and billing details — is encrypted at rest using AES-256 (Advanced Encryption Standard with 256-bit keys). Database backups are also encrypted using the same standard. Encryption keys are managed through a dedicated key management service with automatic key rotation.
Encryption Summary
| Layer | Standard | Details |
|---|---|---|
| In Transit | TLS 1.3 | HTTPS enforced, HSTS enabled, forward secrecy |
| At Rest | AES-256 | All databases and backups, automatic key rotation |
| Key Management | KMS | Centralized key management with access auditing |
Authentication
User authentication is designed with security as the top priority:
- Password Hashing: All passwords are hashed using bcrypt with a work factor calibrated for current hardware, making brute-force attacks computationally infeasible. We never store plaintext passwords.
- Two-Factor Authentication (2FA): Optional 2FA is available for all accounts using time-based one-time passwords (TOTP). We strongly recommend enabling 2FA for an additional layer of protection.
- Session Management: Sessions are bound to individual devices and expire after a configurable period of inactivity. Session tokens are cryptographically random and stored securely.
- Brute-Force Protection: Rate limiting and progressive lockout mechanisms prevent automated credential-stuffing and brute-force attacks against login endpoints.
- Secure Password Reset: Password reset tokens are single-use, time-limited, and delivered only to verified email addresses.
Access Control
We enforce strict access controls following the principle of least privilege:
- Role-Based Access Control (RBAC): Team members and systems are assigned specific roles with the minimum permissions required to perform their functions. No one has access beyond what their role requires.
- Least Privilege: All service accounts and internal tools operate with the narrowest scope of permissions possible. Elevated access is granted on a per-task basis and revoked immediately after.
- Access Reviews: Regular audits of access permissions are conducted to ensure they remain appropriate. Former employees and unused service accounts are promptly deactivated.
- Segregation of Duties: Critical operations (such as deployments, data access, and key management) require approval from multiple authorized individuals.
Infrastructure
Cloud Hosting
Our platform is hosted on enterprise-grade cloud infrastructure from leading providers. Data centers maintain SOC 2 Type II and ISO 27001 certifications. Infrastructure is distributed across multiple availability zones for redundancy and high availability.
DDoS Protection
We use Cloudflare for distributed denial-of-service (DDoS) mitigation. Traffic is inspected and filtered at the network edge before reaching our servers, absorbing volumetric, protocol, and application-layer attacks automatically.
Network Security
Internal networks are segmented with strict firewall rules. Web application firewalls (WAF) inspect and block malicious requests. All inter-service communication uses mutual TLS authentication.
Backups & Recovery
Automated daily backups are encrypted and stored in geographically separate locations. We regularly test backup restoration procedures to ensure data can be recovered within our published recovery time objectives.
Monitoring & Logging
- 24/7 Logging: All system events, access attempts, configuration changes, and API calls are logged and retained for a minimum of 90 days. Logs are stored in append-only, tamper-evident storage.
- Anomaly Detection: Automated monitoring systems analyze traffic patterns and system behavior in real time to detect anomalies, unusual access patterns, and potential security incidents.
- Alerting: Security events trigger immediate alerts to our operations team. Critical alerts are escalated within minutes and investigated around the clock.
- Audit Trail: A complete audit trail is maintained for all administrative actions, data access events, and configuration changes, supporting forensic analysis when needed.
Vulnerability Disclosure
Responsible Disclosure Program
We value the security research community and welcome reports of potential vulnerabilities in our systems. If you discover a security issue, please report it responsibly:
- Contact: security@my-subscription-services.com
- Encryption: If you need to send sensitive details, request our PGP public key via the same email address.
- Response: We will acknowledge your report within 48 hours and provide an initial assessment within 5 business days.
- Safe Harbor: We will not pursue legal action against researchers who report vulnerabilities in good faith and follow responsible disclosure practices.
Responsible Disclosure Guidelines
- Do not access, modify, or delete data belonging to other users
- Do not perform denial-of-service testing against production systems
- Do not use social engineering against our employees or users
- Allow a reasonable timeframe for us to address the vulnerability before public disclosure
- Provide sufficient detail for us to reproduce and verify the issue
Compliance
Our security practices are designed to meet or exceed the requirements of major data protection regulations:
| Framework | Status | Details |
|---|---|---|
| GDPR | Compliant | Full compliance with EU General Data Protection Regulation. See our GDPR Rights page. |
| CCPA | Aligned | Practices aligned with California Consumer Privacy Act requirements for applicable users. |
| PCI DSS | Delegated | Payment processing is handled by PCI DSS Level 1 certified processors. We do not store full card numbers on our servers. |
Incident Response
We maintain a documented incident response plan that is reviewed and tested regularly:
Incident Response Process
- Detection: Automated monitoring systems and manual review identify potential incidents.
- Triage: The security team assesses severity, scope, and potential impact within the first hour.
- Containment: Immediate steps are taken to limit the scope of the incident and prevent further damage.
- Investigation: Root cause analysis is performed using forensic evidence from our logging infrastructure.
- Recovery: Affected systems are restored to a known-good state and monitored for recurrence.
- Notification: Affected users and relevant authorities are notified as required.
Email Security
Our transactional email infrastructure implements multiple layers of authentication and encryption to prevent spoofing, phishing, and interception:
| Protocol | Purpose | Implementation |
|---|---|---|
| SPF | Sender Policy Framework | DNS TXT record authorizing only our designated mail servers to send email on behalf of our domain. Receivers can reject unauthorized senders. |
| DKIM | DomainKeys Identified Mail | Cryptographic signatures applied to all outgoing emails, allowing receivers to verify messages have not been tampered with in transit. |
| DMARC | Domain-based Message Authentication, Reporting, and Conformance | Published DMARC policy instructs receiving servers how to handle emails that fail SPF or DKIM checks. Our policy is set to p=quarantine or stricter. |
| TLS-Encrypted SMTP | Transport Encryption | All outgoing emails are sent over TLS-encrypted SMTP connections. We enforce opportunistic TLS and prefer TLS 1.2+ for all email transmissions. |
Security Contact
For security-related inquiries, vulnerability reports, or incident notifications:
- Security Team: security@my-subscription-services.com
- Privacy/DPO: privacy@my-subscription-services.com
- Abuse Reports: abuse@my-subscription-services.com
Related Policies
- Privacy Policy — How we collect, use, and protect your data
- GDPR & Data Rights — Your rights under the GDPR
- Acceptable Use Policy — Rules for using our services
- Terms of Service — Your agreement with Subscription Services