LAAMI Data Security Policy

Last Updated: March 10th, 2025

Version: v1.1

1. Purpose

This security policy ensures that customer data processed through LAAMI is secure, confidential, and compliant with SOC 2 and GDPR standards.

2. Scope

This policy applies to:

  • All employees, contractors, and third-party vendors with access to customer data.
  • All systems, applications, and services used in the operation of LAAMI.

3. Data Security & Access Controls

3.1 Data Classification

  • Customer data is classified as Confidential.
  • Only authorized personnel may access customer data.

3.2 Access Management

  • Role-Based Access Control (RBAC) is enforced to limit access based on job function.
  • Multi-Factor Authentication (MFA) is required for all admin and developer accounts.
  • The Least Privilege Principle is followed: users are granted only the access necessary for their roles.

3.3 Password & Credential Security

  • Passwords must be at least 12 characters long and stored securely using strong hashing algorithms.
  • Credentials such as API keys and database passwords are stored in environment variables or a secrets manager. Hardcoded secrets are prohibited.

3.4 Offboarding & Termination

All access for employees or contractors is revoked within 24 hours of departure.

4. Logging & Monitoring

4.1 Audit Logging

  • All database queries and admin actions are logged via built-in infrastructure.
  • Logs are retained for a minimum of 12 months.
  • Monthly reviews are conducted for suspicious activity.

4.2 Incident Detection & Alerts

  • Automated alerts notify the engineering team of unusual behavior (e.g., API spikes, abnormal login patterns).
  • Monthly security reviews include reviewing access logs and alert history.

5. Data Handling, Encryption & Retention

5.1 Processing Model

  • LAAMI does not permanently store the contents of user files or synced documents.
  • Synced files are processed in-memory and used to generate structured data representations.
  • Only metadata (e.g., filename, file type, connector source, user ID, timestamp) is stored in Supabase.

5.2 Data at Rest

  • All stored metadata is encrypted using AES-256 encryption.
  • No customer data is stored on local devices.

5.3 Data in Transit

  • All communications use HTTPS with TLS 1.2+ encryption.
  • Any transfer of structured data is encrypted during transmission.

5.4 Data Retention

  • Metadata is retained for the duration of the user's account.
  • If a user disconnects a data source or deletes their account, metadata is deleted within 7 days.
  • No file content is stored beyond the immediate processing window.

6. Incident Response Plan

6.1 Security Incident Reporting

  • All employees must report security incidents within 1 hour.
  • Incidents are reported to the Security Lead at security@laami.co.

6.2 Investigation & Remediation

  • An investigation is initiated within 24 hours.
  • Affected users are notified within 72 hours if customer data is involved.
  • A root cause analysis and fix are applied immediately.

7. Backup & Disaster Recovery

7.1 Data Backups

  • Metadata stored in Supabase is backed up automatically every 24 hours.
  • All backups are encrypted and retained for a minimum of 30 days.

7.2 Recovery Testing

  • Full data restoration tests are conducted quarterly.
  • Recovery from any outage or breach is expected within 4 hours.

8. Third-Party Vendors & Integrations

8.1 Vendor Security Requirements

Vendors with access to metadata or user data must:

  • Provide SOC 2, ISO 27001, or equivalent certification.
  • Undergo annual security and compliance reviews.

8.2 API Usage

  • All external APIs are authenticated using OAuth 2.0 or signed API keys with restricted scopes.
  • No third party has access to raw file content.

9. Employee Security Training

  • Annual security training is mandatory for all team members.
  • Policies are reviewed every 6 months or after major infrastructure changes.

10. Compliance & Enforcement

  • Any violation of this policy may lead to disciplinary action, including termination.
  • This policy is reviewed and updated annually in line with SOC 2 audit readiness.

11. Change Management

  • All changes to production systems must be submitted via pull requests and reviewed by at least one other engineer.
  • Deployment is handled via CI/CD pipelines with full traceability.

12. Business Continuity

  • LAAMI uses redundant infrastructure with high availability for core services.
  • In case of system failure, fallback mechanisms and runbooks are in place for immediate recovery.

Contact Information

Contact: security@laami.co

Review Cadence: Biannual or after any major architecture change.

Version: v1.1 (Reviewed March 10, 2025)

© 2025 by Laami Inc. All rights reserved.