# Security Posture — aiactaudit.pl **Version:** 1.0 · **Date:** 2026-05-05 · **Owner:** Piotr Reder This document describes security measures, incident response, and reporting channels for aiactaudit.pl. --- ## Reporting security issues If you discover a security vulnerability: **Email:** piotr@pricora.eu **Subject:** "Security disclosure — aiactaudit.pl" **Response time:** within 72 hours acknowledgment, target fix within 30 days for critical issues **Please do NOT:** - Publicly disclose before coordinating with us - Test attacks against production beyond proof-of-concept - Access data of other users We follow responsible disclosure principles. Researchers acting in good faith will not face legal action. --- ## Threat model (current) aiactaudit.pl is a static landing page + email-based service workflow. Threat surface: | Asset | Threats | Mitigation | |---|---|---| | Static HTML pages | Defacement, phishing impersonation | Vercel deployment with git source of truth, SSL/TLS 1.3, HSTS | | Intake form | Spam submissions, bot attacks | Honeypot field, server-side validation, rate limiting on /api/intake | | Email infrastructure | Spoofing, phishing in our name | SPF, DKIM, DMARC configured for aiactaudit.pl + pricora.eu | | Lead data | Unauthorized access | Vercel env vars (server-side only), no client-side secrets, MFA on Resend | | Audit deliverables | Client confidentiality breach | Secure delivery via private links, Loom restricted access | | Analytics data | Tracking concerns | GA4 with `anonymize_ip: true`, no advertising features, robots.txt blocks AI scraping bots | --- ## Security controls in place ### Network / Transport - ✅ HTTPS (HTTP/2 enforced via Vercel) - ✅ TLS 1.3 (Vercel default) - ✅ HSTS preload-eligible (`max-age=63072000`) - ✅ DNS via Cloudflare (DDoS protection) - ✅ Vercel edge cache (rate limiting via platform) ### Application - ✅ Static HTML — minimal attack surface (no server-side dynamic code execution beyond `/api/intake` serverless function) - ✅ CSP headers (TODO — currently default Vercel; explicit CSP recommended Q3) - ✅ No client-side secrets (all env vars server-side) - ✅ Honeypot field on intake form (anti-bot) - ✅ Server-side validation of intake form fields ### Authentication / Access - ✅ MFA enabled on: - Vercel account (TAIKER656) - GitHub account (TAIKER656) - Resend admin - Cloudflare DNS - Google Analytics - ✅ Hardware key 2FA where supported ### Data - ✅ No special category personal data processed (Art. 9 GDPR) - ✅ Lead data minimal scope (name, email, company, headcount range, AI use case, optional phone) - ✅ Email delivery encrypted via Resend SMTP/API - ✅ GA4 IP anonymization enabled - ✅ Robots.txt blocks AI training bots (GPTBot, anthropic-ai, CCBot, PerplexityBot, etc.) ### Code - ✅ Static HTML — no runtime execution risks - ✅ No external JavaScript dependencies in critical paths (CSP-friendly) - ✅ Source code versioned in git (private repo) - ✅ Sub-processors operate under DPA agreements --- ## Vulnerability disclosure history None to date. This document established 2026-05-05. --- ## Security audits - **Self-assessment with AIR Blackbox:** 2026-05-05 (results: 6 passing / 31 warnings / 20 failing of 57 checks; 80% scope-mismatched as AIR Blackbox is designed for AI applications, not service businesses; see `audits_internal/self_scan_2026-05-05.json`) - **Pen test:** Not conducted (low priority for static landing) - **Code review:** Continuous via solo founder + Claude Code review skills --- ## Backup and recovery - **Source code:** GitHub TAIKER656 (private) + iCloud Drive sync - **Vercel deployments:** Atomic — rollback via `vercel rollback` instant - **Email:** Resend retains delivery logs 30 days; lead replies in iCloud Mail (Apple infrastructure) - **Analytics:** GA4 retains aggregates per default settings **RTO (Recovery Time Objective):** 1 hour (rollback Vercel + DNS adjustments if needed) **RPO (Recovery Point Objective):** 5 minutes (Vercel auto-deploy from main branch) --- ## Incident response In case of security incident: 1. **Triage** — assess scope, severity, ongoing exploit 2. **Contain** — disable affected service if necessary (Vercel pause deployment) 3. **Notify** — affected data subjects per GDPR Art. 34 (within 72h to AEPD if applicable) 4. **Remediate** — patch vulnerability, deploy fix 5. **Post-mortem** — document, share with relevant stakeholders, update this doc **Escalation paths:** - Privacy: Spanish AEPD (Agencia Española de Protección de Datos) - Cybersecurity: appropriate national CSIRT (depending on jurisdiction of impact) --- ## Compliance frameworks - **GDPR:** Article 32 security measures applied (see RoPA.md) - **EU AI Act:** Not applicable (see RISK_CLASSIFICATION.md — service business, not AI system) - **NIS2:** Not in scope sectors - **EAA:** Best practices (WCAG 2.1 AA aimed) - **ISO 27001:** Not certified, but practices align --- ## Sub-processor security verification Periodically verified that sub-processors maintain certifications: | Sub-processor | Cert | Last verified | |---|---|---| | Vercel | SOC 2 Type 2 | 2026-04 (auto-renewed via account dashboard) | | Resend | SOC 2 Type 1 | 2026-04 | | Cloudflare | SOC 2, ISO 27001, FedRAMP | 2026-04 | | Google (GA4) | SOC 2, ISO 27001, ISO 27017, ISO 27018 | 2026-04 | | Loom | SOC 2 Type 2, ISO 27001 | 2026-04 | --- ## Document history - 2026-05-05: v1.0 — initial document established post AIR Blackbox self-assessment - Quarterly review: next 2026-08-05 --- ## Contact For security-related questions or vulnerability reports: **piotr@pricora.eu**