Security Policy

Last Modified: June 23, 2025 | Effective Date: June 23, 2025

1. Security Policy Overview

Patenty Co., Ltd. (hereinafter referred to as "Company") adopts a cloud-first security strategy to protect users' personal information and important data in the course of providing its AI-based patent practice platform services.

This security policy complies with relevant laws such as the Personal Information Protection Act and the Information and Communications Network Act, and applies additional security measures based on the security infrastructure of trusted cloud service providers.

2. Security Goals

The company strives to achieve the following security goals:

  • Confidentiality: Prevent unauthorized individuals or systems from accessing information
  • Integrity: Prevent information from being altered or destroyed in unauthorized ways
  • Availability: Ensure that authorized users can access information and systems when needed
  • Accountability: Track and record system user activities

3. Data Security

A. Data Encryption

  • Encryption in Transit: All data transmission is encrypted through HTTPS/TLS
  • Encryption at Rest: Database encryption through Supabase's standard encryption
  • API Key Management: Secure API key management through environment variables
  • Cloud Security: Utilizing enterprise-grade security infrastructure from cloud providers

B. Data Management

  • Separate management of user data and system data
  • Data retention and deletion in accordance with the Personal Information Protection Act
  • Utilizing cloud provider's backup and recovery systems
  • Data access control based on the principle of least privilege

4. System Security

A. Cloud Infrastructure Security

  • Vercel Platform: Automatic HTTPS, DDoS protection, global CDN security
  • Supabase: PostgreSQL-based security, Row Level Security (RLS)
  • Cloud Firewall: Utilizing cloud provider's network security
  • Automatic Updates: Automatic application of platform-level security patches

B. Web Application Security

  • Utilizing Next.js framework's basic security features
  • Security HTTP headers configured (X-Frame-Options, X-Content-Type-Options, etc.)
  • Input data validation and SQL injection prevention
  • Secure API authentication and authorization through Supabase

5. Access Control

A. User Authentication

  • Supabase Auth: Secure authentication based on email/password
  • Session Management: JWT token-based session management and automatic expiration
  • Password Policy: Recommending secure passwords of at least 8 characters
  • Account Security: Account verification through email authentication

B. Permission Management

  • Project-based access permission management
  • User-specific data isolation (Row Level Security)
  • Authentication required for each API endpoint
  • Data access based on the principle of least privilege
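The project-based permissions and user-specific Row Level Security described above can be expressed as PostgreSQL policies on Supabase. The following is an added illustration, not the Company's actual schema or policies: the table names (projects, project_members, documents) and the role values are assumptions; auth.uid() is Supabase's built-in helper that returns the caller's user id from the verified JWT.

```sql
-- Added example (not the Company's own schema): per-project data isolation
-- with PostgreSQL Row Level Security on Supabase.
-- Assumed tables: projects, project_members, documents.

create table projects (
  id         uuid primary key default gen_random_uuid(),
  owner_id   uuid not null references auth.users(id),
  name       text not null
);

create table project_members (
  project_id uuid not null references projects(id) on delete cascade,
  user_id    uuid not null references auth.users(id),
  role       text not null check (role in ('owner', 'editor', 'viewer')),
  primary key (project_id, user_id)
);

create table documents (
  id         uuid primary key default gen_random_uuid(),
  project_id uuid not null references projects(id) on delete cascade,
  body       text
);

-- RLS is off by default. Without these statements every authenticated user
-- could read every row through the auto-generated API, so enabling RLS is
-- the step that actually produces "user-specific data isolation".
alter table projects        enable row level security;
alter table project_members enable row level security;
alter table documents       enable row level security;

-- A user sees a project only if they hold a membership row for it.
create policy "members read projects" on projects
  for select to authenticated
  using (exists (
    select 1 from project_members m
    where m.project_id = projects.id and m.user_id = auth.uid()
  ));

-- Creating a project is allowed, but the row must carry the caller's own id;
-- WITH CHECK rejects an insert that names someone else as owner.
create policy "users create own projects" on projects
  for insert to authenticated
  with check (owner_id = auth.uid());

-- Users may read only their own membership rows. This is also what the
-- subqueries in the other policies see, so membership cannot be enumerated.
-- (Assumption: membership rows are written by a trusted server-side routine.)
create policy "members read memberships" on project_members
  for select to authenticated
  using (user_id = auth.uid());

-- Documents inherit the project's membership: any member may read them ...
create policy "members read documents" on documents
  for select to authenticated
  using (exists (
    select 1 from project_members m
    where m.project_id = documents.project_id and m.user_id = auth.uid()
  ));

-- ... but only owners and editors may insert, update or delete.
create policy "editors write documents" on documents
  for all to authenticated
  using (exists (
    select 1 from project_members m
    where m.project_id = documents.project_id
      and m.user_id = auth.uid()
      and m.role in ('owner', 'editor')
  ))
  with check (exists (
    select 1 from project_members m
    where m.project_id = documents.project_id
      and m.user_id = auth.uid()
      and m.role in ('owner', 'editor')
  ));
```

Two points a reviewer would check against such policies: the policies are enforced only for requests made with the anon or user JWT, since Supabase's service_role key bypasses RLS, which is why that key belongs in server-side environment variables and never in client code; and the least-privilege rule of Section 5.B is met only if no table is left with RLS disabled, so each new table needs the `enable row level security` statement before it is exposed through the API.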

6. AI Service Security

A. Third-Party AI Service Security

  • Patent-Specialized AI Models: Compliance with patent-specialized AI models' security policies and data processing practices
  • Document Analysis AI Service: Secure utilization of document analysis and OCR services
  • API Key Management: Secure API key storage through environment variables
  • Data Minimization: Transmitting only the minimum necessary data when calling AI services

B. AI Service Usage Principles

  • Basic validation and filtering of user input data
  • Providing disclaimers and user precautions for AI-generated results
  • Minimizing transmission of personal information to AI services
  • Compliance with third-party AI service data retention policies

7. Security Monitoring

A. Basic Monitoring

  • Utilizing Vercel Analytics and Supabase monitoring dashboards
  • Tracking application errors and abnormal access attempts
  • Monitoring API call patterns and usage
  • Notifying responsible personnel when system errors occur

B. Logging and Inspection

  • Basic system access and user activity logging
  • Compliance with cloud provider's log retention policies
  • Regular system updates and security patch application
  • Security vulnerability inspection and improvement when necessary

8. Security Incident Response

A. Incident Response System

  • Personnel Assignment: Designation of security incident response personnel and establishment of contact system
  • Response Procedures: Basic procedures for incident detection, rapid response, recovery, and follow-up measures
  • Cloud Support: Utilizing cloud provider's technical support and recovery services
  • External Cooperation: Requesting assistance and consultation from specialized institutions when necessary

B. Incident Notification and Recovery

  • Reporting and notification in accordance with the Personal Information Protection Act in case of personal information breach
  • Rapid recovery and user notification in case of service interruption
  • Basic improvement measures for cause identification and prevention of recurrence
  • Recording incident response process and strengthening future response capabilities

9. Security Awareness and Education

  • Basic information security awareness for team members
  • Understanding of the Personal Information Protection Act and related regulations
  • Basic response methods to phishing and social engineering attacks
  • Compliance with basic rules for security incident prevention
  • Security precautions when using cloud services

10. Third-Party Service Security

The company uses the following trusted third-party services to provide services:

  • Vercel: Web hosting and deployment platform (SOC 2 Type II certified)
  • Supabase: Database and authentication service (SOC 2 Type II certified)
  • Google LLC: AI services and cloud infrastructure

We verify and comply with the security certifications and data processing policies of each third-party service provider.

11. Legal Compliance

The company complies with the following laws and standards:

  • Domestic Laws: Personal Information Protection Act, Act on Promotion of Information and Communications Network Utilization and Information Protection
  • Cloud Security: Relying on third-party service providers' security certifications (SOC 2 Type II, etc.)
  • Basic Security Principles: Referring to basic web security guidelines such as OWASP
  • International Standards: Compliance with international personal information protection regulations such as GDPR when necessary

12. Security Policy Management

① This security policy is reviewed at least once a year and revised when necessary.

② When changing the security policy, we provide advance notice and obtain user consent for important changes.

③ For security-related inquiries, please contact the following:

Security Manager: Sangmin Lee (CEO)

Contact: admin@patenty.ai

Address: 115, 86 Cecil-ro, Haeundae-gu, Busan, Republic of Korea