StyleAI is now Conversion! Read more in our announcement

Conversion Data Security Framework

Introduction

Data security and privacy are fundamental pillars of our software business. We understand that our customers entrust us with their most valuable information, and we take that responsibility seriously. Our comprehensive security framework is designed to protect customer data through multiple layers of defense, industry-leading practices, and continuous monitoring.

Built on enterprise-grade infrastructure and following strict security protocols, our approach ensures that your data remains secure, private, and available when you need it. This document outlines our key security measures and demonstrates our commitment to maintaining the highest standards of data protection.

Data Center Security

Our infrastructure is built on Google Cloud Platform (GCP), leveraging their enterprise-grade security measures and globally distributed data centers. GCP provides us with robust physical security, network protection, and operational excellence that meets the stringent requirements of enterprise customers worldwide.

Data Protection & Encryption

We implement comprehensive encryption strategies to protect your data at every stage:

  • Leverage GCP datastore, which encrypts data both at rest and in transit using robust, industry-standard encryption protocols
    • Encryption algorithm: AES-256 (Advanced Encryption Standard)
    • Key management: Google Cloud Key Management Service (KMS) handles key generation, rotation, and storage
    • Data layers encrypted: Includes database storage files, binary logs, and temporary files
  • Backup and Recovery: We store backups for the past 30 days and maintain point-in-time recovery capabilities to ensure data integrity and availability
  • Data in Transit: All data transmission is protected using TLS 1.2 encryption between our frontend and backend services

Application Security

We implement multiple layers of security in our application architecture:

  • All data in transit is protected using TLS 1.2 encryption between our frontend and backend services
  • Sensitive configuration and credentials are secured using GCP's Secret Manager, ensuring proper access controls and audit logging
  • Every application API endpoint requires authentication and proper authorization
  • We implement a granular permission system with separate read, write, create, and delete access levels for all resources

Authentication & Authorization

We enforce strict access controls throughout our system:

  • User passwords are securely hashed using industry-standard algorithms
  • Every application API endpoint requires authentication and proper authorization
  • We implement a granular permission system with separate read, write, create, and delete access levels for all resources

Incident Response & Monitoring

Our proactive security monitoring ensures rapid detection and response to potential threats:

  • 24/7 Security Monitoring: Continuous threat detection and security monitoring across all systems
  • Real-time Alerting: Comprehensive metrics and alerts on key services to identify issues before they impact operations
  • Audit Logging: We store verbose logs for up to 14 days to support forensic analysis and compliance requirements
  • Incident Management: Internal procedures for handling security incidents, including escalation protocols and communication plans

Access Controls & Identity Management

We maintain strict control over who can access our systems and customer data:

  • Multi-factor Authentication (MFA): Required for all employees who access internal services and systems
  • Role-based Access Control (RBAC): Granular permissions based on job responsibilities and principle of least privilege
  • Employee Lifecycle Management: Systematic access provisioning during onboarding and immediate deprovisioning upon departure
  • Privileged Access Management: Enhanced security controls and monitoring for administrative functions and sensitive operations

Compliance & Regulatory Standards

We are committed to meeting industry security standards and regulatory requirements:

  • Full compliance with CCPA and GDPR privacy regulations
  • Data Subject Rights: Complete user data deletion available upon request, processed within 30 business days
  • Regular Compliance Reviews: Ongoing assessment of our practices against evolving regulatory requirements

This document represents our current security practices and is updated regularly to reflect improvements and industry best practices. For specific security questions or to report security concerns, please contact our security team at [email protected]