Security

Last updated:

CloudAIAgents is a B2B platform that handles sensitive data on behalf of businesses — Meta access tokens, message contents and analytics. We treat security as a first-class product feature. This page summarises the controls we have in place; it is not exhaustive and is updated as our program matures.

Encryption

  • TLS 1.2+ everywhere; HSTS preload enabled on cloudaiagents.net.
  • Meta access tokens encrypted at rest using AES-256-GCM with keys held in AWS KMS.
  • Application database (Postgres) and object storage encrypted at rest by the provider (AES-256).
  • Per-workspace key isolation prevents lateral access across tenants.

Access control

  • Production access is limited to a named set of engineers and requires hardware-key 2FA.
  • Every production action is logged to a separate, append-only audit store.
  • We use least-privilege IAM and rotate secrets quarterly.

Application security

  • OAuth state cookies are HTTP-only, Secure, SameSite=Lax and short-lived.
  • All webhook deliveries are verified against the App Secret via X-Hub-Signature-256.
  • All signed_request payloads (Deauthorize, Data Deletion) are validated with a constant-time comparison before any side effect.
  • Strict Content-Security-Policy on dashboard routes (in progress).
  • Quarterly third-party penetration tests; findings tracked to closure with SLAs.
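As an added illustration of the webhook and signed_request checks listed above (example code written for this page, not CloudAIAgents' own implementation), the following Python shows a receiver verifying Meta's X-Hub-Signature-256 header and a signed_request payload with constant-time comparison before anything else happens. The APP_SECRET value and the sender-side helpers sign_body and make_signed_request are constructed here only to produce inputs to check against; the verifying functions are the point.

```python
import base64
import hashlib
import hmac
import json

# Constructed secret for this example; a real deployment loads it from a secret store.
APP_SECRET = b"example-app-secret"

def sign_body(raw_body: bytes, app_secret: bytes = APP_SECRET) -> str:
    """Sender side (what Meta does): the X-Hub-Signature-256 value for a webhook body."""
    return "sha256=" + hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()

def verify_hub_signature(raw_body: bytes, header: str, app_secret: bytes = APP_SECRET) -> bool:
    """Receiver side: check the header against the raw body bytes (never re-serialised JSON)."""
    prefix, _, received = header.partition("=")
    if prefix != "sha256":
        return False
    expected = hmac.new(app_secret, raw_body, hashlib.sha256).hexdigest()
    # compare_digest keeps the comparison constant-time; bytes avoid the ASCII-only str rule.
    return hmac.compare_digest(expected.encode(), received.lower().encode())

def _b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64url_decode(s: str) -> bytes:
    # Meta omits base64url padding; restore it before decoding.
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def make_signed_request(payload: dict, app_secret: bytes = APP_SECRET) -> str:
    """Sender side: build a signed_request ("<sig>.<payload>") the way Meta does."""
    payload_b64 = _b64url_encode(json.dumps(payload).encode())
    sig = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    return f"{_b64url_encode(sig)}.{payload_b64}"

def parse_signed_request(signed_request: str, app_secret: bytes = APP_SECRET):
    """Receiver side: the decoded payload if the signature verifies, else None."""
    try:
        sig_b64, payload_b64 = signed_request.split(".", 1)
        sig = _b64url_decode(sig_b64)
    except ValueError:  # missing dot or malformed base64 (binascii.Error is a ValueError)
        return None
    expected = hmac.new(app_secret, payload_b64.encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return None
    try:  # parse only after the signature has verified
        payload = json.loads(_b64url_decode(payload_b64))
    except ValueError:
        return None
    if isinstance(payload, dict) and str(payload.get("algorithm", "")).upper() == "HMAC-SHA256":
        return payload
    return None
```

A Deauthorize or Data Deletion handler calls parse_signed_request first and performs its side effect only when a dict comes back.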

Compliance roadmap

  • SOC 2 Type I — target 2026 Q3.
  • SOC 2 Type II — target 2026 Q4 / 2027 Q1.
  • Vietnam PDPL alignment — ongoing.
  • EU GDPR DPA available on request for EU customers.

Responsible disclosure

We welcome vulnerability reports. Email security@cloudaiagents.net with a description and reproduction steps. We will acknowledge within 1 business day and aim to triage within 3 business days. We do not pursue legal action against good-faith security research that respects user privacy, avoids data destruction and complies with Vietnamese law.

PGP key fingerprint and key file available on request.

Incident response

We follow a documented incident-response runbook with named on-call engineers. Customers affected by a confirmed security incident will be notified by email within 72 hours of discovery, in line with applicable law.

Contact

Security: security@cloudaiagents.net
Privacy / DPO: dpo@cloudaiagents.net