Security Policy
Last updated: January 27, 2025 | Effective date: January 27, 2025
1. Security Policy Overview
Patenty Inc. builds and operates enterprise-grade security systems to protect user data and personal information.
This security policy outlines our security principles and implementation measures, presenting security standards that all users and employees must follow.
2. Security Goals
Our security system aims to achieve the following core objectives:
- Confidentiality: Protecting information from unauthorized access
- Integrity: Ensuring data accuracy and completeness
- Availability: Providing continuous and stable service
- Accountability: Tracking and auditing capabilities for all activities
3. Data Security
Encryption
- Data in Transit: HTTPS communication using TLS 1.3
- Data at Rest: Database security with AES-256 encryption
- API Key Management: Secure key management through environment variables
- Cloud Security: Supabase enterprise-grade encryption services
Data Management
- Principle of data minimization
- Automated data retention management
- Regular data backup and recovery testing
- Regular review and update of access permissions
4. System Security
Cloud Infrastructure
- Vercel Platform: Automatic HTTPS, DDoS protection, global CDN
- Supabase Database: Row Level Security, automatic backups
- Web Firewall: Blocking malicious traffic and SQL injection
- Automatic Updates: Rapid application of security patches
Web Application
- CSRF token-based protection against cross-site request forgery
- Input data validation and escaping to prevent XSS
- Parameterized queries to prevent SQL injection
- Security headers to prevent clickjacking and content injection
5. Access Control
Authentication
- Supabase Auth: OAuth 2.0-based authentication system
- Session Management: JWT token-based secure sessions
- Password Policy: Strong password requirements and hashing
- Account Security: Detection and blocking of abnormal login attempts
Permission Management
- Role-based access control (RBAC)
- Permission granting based on principle of least privilege
- Granular access permissions per project
- Regular permission review and renewal
6. AI Service Security
Third-Party AI Services
- AI Infrastructure: Built on enterprise-grade cloud AI infrastructure for secure and reliable performance
- OCR Service: Secure API from Google Cloud Vision API
- API Key Security: Key management accessible only from server-side
- Data Minimization: Transmitting only minimal data required for AI processing
AI Security Principles
- Pre-validation of data sent to AI models
- Post-processing AI responses to filter sensitive information
- Security logging of AI service usage
- Security impact assessment when updating AI models
7. Security Monitoring
Basic Monitoring
- Real-time system status monitoring
- Detection of abnormal access patterns
- Service availability monitoring
- Performance anomaly alerts
Logging and Auditing
- Recording all user activity logs
- System events and error logs
- Tracking data access and modification history
- Regular log analysis and reporting
8. Security Incident Response
Response System
- Personnel: 24/7 security personnel deployment
- Response Procedures: Systematic response manual by incident type
- Cloud Support: Coordination with Vercel, Supabase technical support teams
- External Cooperation: Cooperation with security specialists when necessary
Incident Notification
- Immediate internal team notification system
- User impact assessment and announcement
- Reporting to relevant authorities (when necessary)
- Post-incident improvement plan development and implementation
9. Security Awareness and Training
- Regular security training for employees
- Sharing latest security threat information
- Security policy awareness and compliance checks
- Social engineering attack response training
- Security incident simulation and response training
10. Third-Party Service Security
Patenty.AI uses the following trusted third-party services to provide our services, each meeting strict security standards:
- Vercel (Hosting): Enterprise-grade CDN and DDoS protection, automated SSL/TLS certificate management
- Supabase (Database): PostgreSQL-based database, Row Level Security, automated backups
- Google Cloud AI: Gemini AI models, data minimization and encrypted API communication
- Mistral AI: Advanced AI analysis services, EU data protection regulation compliance
All third-party services hold international security certifications such as SOC 2 and ISO 27001.
11. Legal Compliance
We comply with the following legal requirements:
- Domestic Laws: Personal Information Protection Act, Information and Communications Network Act, Cloud Computing Act
- Cloud Security: Cloud Computing Development and User Protection Act
- Basic Security: Information and Communications Infrastructure Protection Act, Cybersecurity Framework Act
- International Standards: GDPR (EU), CCPA (California) and other global privacy regulations
12. Security Policy Management
This security policy is reviewed regularly at least once a year and updated as needed due to legal changes or technological developments.
When policies change, users are notified in advance, and explicit consent is obtained for significant changes.
For inquiries about security policies or to report security incidents, please contact:
Security Officer: Sangmin Lee (CEO)
Email: contact@patenty.ai
Address: 115 Ho, 86 Sesil-ro, Haeundae-gu, Busan, Korea