Security Policy

Our Security Commitment

At UCTS, security is a core principle. We are committed to protecting your data and maintaining the integrity of our systems. This policy outlines our security practices and provides guidance for reporting security vulnerabilities.

1. Data Security

1.1 Local-First Architecture

UCTS is designed with a local-first architecture. By default, all processing occurs on your local machine:

• Conversation files are processed locally
• Generated code never leaves your machine
• No telemetry is sent without explicit opt-in
• CLI usage requires no network connectivity

1.2 Encryption

• In Transit: All network communications use TLS 1.3 with strong cipher suites
• At Rest: Stored data is encrypted using AES-256-GCM
• Passwords: Hashed using bcrypt with appropriate work factors
• API Keys: Stored using industry-standard encryption

1.3 Access Controls

• Role-based access control (RBAC) for all systems
• Principle of least privilege enforced
• Multi-factor authentication required for administrative access
• Regular access reviews and audits

2. Infrastructure Security

2.1 Hosting

• Hosted on SOC 2 Type II certified infrastructure
• ISO 27001 compliant data centers
• Geographic redundancy for high availability
• Regular security assessments of hosting providers

2.2 Network Security

• Web Application Firewall (WAF) protection
• DDoS mitigation services
• Network segmentation and isolation
• Intrusion detection and prevention systems

2.3 Monitoring

• 24/7 security monitoring and alerting
• Centralized log aggregation and analysis
• Anomaly detection for suspicious activity
• Automated security scanning

3. Application Security

3.1 Secure Development

• Secure coding guidelines and training
• Code review requirements for all changes
• Static Application Security Testing (SAST)
• Dynamic Application Security Testing (DAST)
• Dependency vulnerability scanning

3.2 Authentication

• OAuth 2.0 / OpenID Connect via Authentik
• Support for SSO/SAML (Enterprise tier)
• Session management with secure tokens
• Automatic session timeout

3.3 API Security

• API key authentication with scoped permissions
• Rate limiting to prevent abuse
• Input validation and sanitization
• CORS policy enforcement

4. Compliance

UCTS is designed to help you meet your compliance requirements:

• GDPR: Data processing compliant with EU regulations
• CCPA: California Consumer Privacy Act compliance
• Privacy Act 1988: Australian privacy law compliance
• SOC 2: Infrastructure hosted on SOC 2 certified providers

5. Incident Response

5.1 Incident Response Plan

We maintain a comprehensive incident response plan that includes:

• Defined incident classification and severity levels
• Clear escalation procedures
• Communication protocols
• Post-incident review and remediation

5.2 Breach Notification

In the event of a security breach affecting your data, we will notify you within 72 hours of discovery, as required by applicable laws including GDPR and the Australian Notifiable Data Breaches scheme.

7. Business Continuity

• Regular automated backups with point-in-time recovery
• Disaster recovery procedures tested quarterly
• Redundant infrastructure across availability zones
• 99.9% uptime SLA for Enterprise tier

8. Employee Security

• Background checks for all employees
• Security awareness training
• Secure workstation policies
• Access revocation upon termination