Security Policy | Patenty.AI - AI-powered Patent Practice Platform | Patenty

Security Policy

Last updated: January 27, 2025 | Effective date: January 27, 2025

1. Security Policy Overview

Patenty Inc. builds and operates enterprise-grade security systems to protect user data and personal information.

This security policy sets out our security principles and the measures that implement them, and defines the security standards that all employees and users are expected to follow.

2. Security Goals

Our security system aims to achieve the following core objectives:

  • Confidentiality: Protecting information from unauthorized access
  • Integrity: Ensuring data accuracy and completeness
  • Availability: Providing continuous and stable service
  • Accountability: Tracking and auditing capabilities for all activities

3. Data Security

Encryption

  • Data in Transit: HTTPS communication using TLS 1.3
  • Data at Rest: database storage encrypted with AES-256
  • API Key Management: keys are supplied to the server through environment variables rather than stored in code
  • Cloud Security: platform-level encryption provided by Supabase

Data Management

  • Principle of data minimization
  • Automated data retention management
  • Regular data backup and recovery testing
  • Regular review and update of access permissions

4. System Security

Cloud Infrastructure

  • Vercel Platform: Automatic HTTPS, DDoS protection, global CDN
  • Supabase Database: Row Level Security, automatic backups
  • Web Application Firewall: blocks malicious traffic, including SQL injection attempts
  • Automatic Updates: Rapid application of security patches

Web Application

  • Cross-site request forgery (CSRF) protection using CSRF tokens
  • Input validation and output escaping to prevent cross-site scripting (XSS)
  • Parameterized queries to prevent SQL injection
  • HTTP security headers to prevent clickjacking and content injection

5. Access Control

Authentication

  • Supabase Auth: OAuth 2.0-based authentication system
  • Session Management: sessions based on signed JWTs
  • Password Policy: password strength requirements; passwords are stored only as hashes, never in plaintext
  • Account Security: Detection and blocking of abnormal login attempts

Permission Management

  • Role-based access control (RBAC)
  • Permission granting based on principle of least privilege
  • Granular access permissions per project
  • Regular permission review and renewal

6. AI Service Security

Third-Party AI Services

  • AI Models: Enterprise-grade models from Google Gemini, Mistral AI
  • OCR Service: Google Cloud Vision API, accessed over encrypted API connections
  • API Key Security: third-party API keys are held and used only on the server side and are never exposed to the browser
  • Data Minimization: Transmitting only minimal data required for AI processing

AI Security Principles

  • Validation of data before it is sent to AI models
  • Post-processing of AI responses to filter out sensitive information
  • Security logging of AI service usage
  • Security impact assessment when updating AI models

7. Security Monitoring

Basic Monitoring

  • Real-time system status monitoring
  • Detection of abnormal access patterns
  • Service availability monitoring
  • Performance anomaly alerts

Logging and Auditing

  • Logging of all user activity
  • System events and error logs
  • Tracking data access and modification history
  • Regular log analysis and reporting

8. Security Incident Response

Response System

  • Personnel: security staff on call 24/7
  • Response Procedures: a documented response playbook for each incident type
  • Cloud Support: Coordination with Vercel, Supabase technical support teams
  • External Cooperation: Cooperation with security specialists when necessary

Incident Notification

  • Immediate notification of the internal team
  • Assessment of user impact and notification of affected users
  • Reporting to relevant authorities (when necessary)
  • Post-incident improvement plan development and implementation

9. Security Awareness and Training

  • Regular security training for employees
  • Sharing latest security threat information
  • Security policy awareness and compliance checks
  • Social engineering attack response training
  • Security incident simulation and response training

10. Third-Party Service Security

Patenty.AI uses the following trusted third-party services to provide our services, each meeting strict security standards:

  • Vercel (Hosting): Enterprise-grade CDN and DDoS protection, automated SSL/TLS certificate management
  • Supabase (Database): PostgreSQL-based database, Row Level Security, automated backups
  • Google Cloud AI: Gemini AI models, data minimization and encrypted API communication
  • Mistral AI: Advanced AI analysis services, EU data protection regulation compliance

All third-party services hold international security certifications such as SOC 2 and ISO 27001.

11. Legal Compliance

We comply with the following legal requirements:

  • Domestic Laws: Personal Information Protection Act, Information and Communications Network Act, Cloud Computing Act
  • Cloud Security: Cloud Computing Development and User Protection Act
  • Basic Security: Information and Communications Infrastructure Protection Act, Cybersecurity Framework Act
  • International Standards: GDPR (EU), CCPA (California) and other global privacy regulations

12. Security Policy Management

This security policy is reviewed at least once a year and updated as needed in response to legal changes or technological developments.

When policies change, users are notified in advance, and explicit consent is obtained for significant changes.

For inquiries about security policies or to report security incidents, please contact:

Security Officer: Sangmin Lee (CEO)

Email: contact@patenty.ai

Address: 115 Ho, 86 Sesil-ro, Haeundae-gu, Busan, Korea