Porcia
Back to Terms & Policies

Security & Trust Center

Last Updated: March 2, 2026
Version: 1.0

1. Introduction

Security is fundamental to Porcia. This page describes the technical and organizational measures we implement to protect your data.

Arunkumar Chaubey, an individual resident of India, doing business as Porcia, is committed to maintaining the highest standards of data security and privacy.

Contact Us:

2. Infrastructure Security

2.1 Cloud Provider

Porcia is hosted on Amazon Web Services (AWS), a leading cloud provider with robust security infrastructure.

AWS Regions: United States (primary)

2.2 Network Security

  • VPC Isolation: All resources run in isolated Virtual Private Clouds
  • Security Groups: Firewall rules restrict traffic to only necessary ports and protocols
  • Private Subnets: Databases and sensitive services are not publicly accessible
  • DDoS Protection: AWS Shield provides automatic DDoS mitigation
  • Web Application Firewall: AWS WAF protects against common web exploits

2.3 Compute Security

  • Container Isolation: Application runs in isolated containers
  • Immutable Infrastructure: Containers are rebuilt from scratch on each deployment
  • No SSH Access: Containers do not allow SSH access
  • Least Privilege: IAM roles grant only necessary permissions
  • Automated Patching: Base images updated regularly with security patches

3. Data Security

3.1 Encryption in Transit

  • TLS 1.2+: All data transmitted to and from Porcia is encrypted using TLS 1.2 or higher
  • HTTPS Only: All web traffic is forced to HTTPS
  • Certificate Management: SSL/TLS certificates managed via AWS Certificate Manager
  • Perfect Forward Secrecy: Cipher suites support PFS to protect past sessions

3.2 Encryption at Rest

  • Database Encryption: PostgreSQL database encrypted with AES-256
  • File Storage Encryption: S3 buckets encrypted with AES-256
  • Backup Encryption: All backups encrypted at rest
  • Key Management: Encryption keys managed by AWS KMS

3.3 Secrets Management

  • AWS Parameter Store: OAuth tokens, API keys, and credentials stored encrypted
  • No Hardcoded Secrets: No secrets in source code or configuration files
  • Automatic Rotation: Credentials rotated regularly
  • Access Logging: All secret access logged and monitored

4. Application Security

4.1 Authentication

  • Password Hashing: Passwords hashed with bcrypt (cost factor 10)
  • No Plaintext Storage: Passwords never stored in plaintext
  • Session Management: Secure, HTTP-only session cookies
  • Session Timeout: Automatic logout after 30 days of inactivity
  • Multi-Factor Authentication: Planned for future release

4.2 Authorization

  • Role-Based Access Control (RBAC): Admin, Member, Viewer roles
  • Workspace Isolation: Customers cannot access other customers' data
  • Team Permissions: Granular permissions per team
  • Principle of Least Privilege: Users granted only necessary permissions

4.3 Input Validation

  • Sanitization: All user inputs sanitized to prevent injection attacks
  • Parameterized Queries: SQL injection prevention via Prisma ORM
  • Content Security Policy: CSP headers prevent XSS attacks
  • CSRF Protection: Anti-CSRF tokens on all state-changing requests
  • Rate Limiting: API rate limits prevent abuse

4.4 Secure Development

  • Code Review: All code changes reviewed before deployment
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Static Analysis: Code analyzed for security issues
  • Secrets Scanning: Pre-commit hooks prevent accidental secret commits
  • Security Testing: Regular security testing and penetration testing (planned)

5. OAuth Security

5.1 Token Storage

  • Encrypted Storage: OAuth tokens encrypted in AWS Parameter Store
  • No Client-Side Storage: Tokens never stored in browser
  • Automatic Refresh: Expired tokens refreshed automatically
  • Revocation Support: Tokens can be revoked at any time

5.2 Scope Minimization

We request only the minimum OAuth scopes necessary:

Google Workspace:

Microsoft Azure AD:

  • Directory.Read.All
  • Application.Read.All
  • Mail.Read (for email integration)

Okta:

  • okta.apps.read
  • okta.users.read

5.3 OAuth Compliance

  • Google API Limited Use: Full compliance with Google's Limited Use requirements
  • Microsoft Graph: Compliance with Microsoft Graph data handling policies
  • Okta API: Compliance with Okta API usage policies

6. AI Security

6.1 AI Provider

Porcia uses Microsoft Azure OpenAI Service (via Azure AI Foundry), which provides:

  • Enterprise-grade security and compliance
  • Data residency in Azure regions
  • No training on customer data
  • GDPR compliance

6.2 Data Handling

  • No Training: Customer data is NOT used to train AI models
  • Prompt Logging: Prompts and outputs logged for 30 days, then deleted
  • Access Controls: Only authorized systems can access AI service
  • Encryption: All data encrypted in transit to Azure OpenAI

6.3 Human Oversight

  • Human-in-the-Loop: All AI-generated emails require explicit user approval
  • No Autonomous Actions: AI never takes action without user confirmation
  • Review Required: Users must review all AI outputs before use

7. Monitoring and Logging

7.1 Security Monitoring

  • AWS GuardDuty: Continuous threat detection
  • AWS CloudTrail: Audit logging of all infrastructure changes
  • VPC Flow Logs: Network traffic monitoring
  • Sentry: Real-time error and exception tracking
  • CloudWatch Alarms: Automated alerts for anomalies

7.2 Audit Logging

We log:

  • Authentication events (login, logout, failed attempts)
  • Authorization changes (role changes, permission grants)
  • Data access (sensitive operations)
  • Configuration changes
  • Integration connections/disconnections
  • API requests

Log Retention: 90 days

7.3 Alerting

Automated alerts for:

  • Failed login attempts (brute force detection)
  • Unusual data access patterns
  • Infrastructure changes
  • Service errors and downtime
  • Security events

8. Incident Response

8.1 Security Incident Procedures

In the event of a security incident, we will:

  1. Detect: Identify the incident through monitoring and alerts
  2. Contain: Isolate affected systems to prevent spread
  3. Investigate: Determine scope, cause, and impact
  4. Remediate: Fix vulnerabilities and restore normal operations
  5. Notify: Inform affected customers within 72 hours (GDPR requirement)
  6. Document: Create incident report and lessons learned

8.2 Data Breach Notification

If a Personal Data breach occurs, we will:

  • Notify affected customers within 72 hours of becoming aware
  • Provide details about the breach (type of data, number of affected individuals)
  • Describe measures taken to address the breach
  • Assist customers in meeting their notification obligations

Contact: security@porcia.org

8.3 Business Continuity

  • Automated Backups: Daily backups of all data
  • Backup Retention: 90 days
  • Disaster Recovery: Documented recovery procedures
  • RTO/RPO: Recovery Time Objective: 24 hours, Recovery Point Objective: 24 hours

9. Access Controls

9.1 Employee Access

  • Background Checks: All employees undergo background verification
  • Confidentiality Agreements: All employees sign NDAs
  • Least Privilege: Employees granted only necessary access
  • Access Reviews: Quarterly review of access permissions
  • Offboarding: Immediate revocation of access upon termination

9.2 Customer Data Access

  • No Routine Access: Porcia employees do not routinely access customer data
  • Support Access: Access only with customer consent for support purposes
  • Security Access: Access only when necessary for security incident investigation
  • Audit Trail: All customer data access logged

9.3 Physical Security

  • AWS Data Centers: Physical security managed by AWS
  • No On-Premise Servers: All infrastructure is cloud-based
  • Remote Team: Employees work remotely with secure devices

10. Compliance and Certifications

10.1 Current Compliance

  • GDPR: Compliant with EU General Data Protection Regulation
  • CCPA/CPRA: Compliant with California privacy laws
  • Google API Limited Use: Compliant with Google's data usage policies

10.2 Not Compliant With

  • HIPAA: Porcia is NOT HIPAA compliant. Do not use for Protected Health Information (PHI)
  • PCI-DSS: Porcia does not store payment card data (handled by Dodo Payments)

11. Vulnerability Management

11.1 Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities.

To report a vulnerability:

  • Email: security@porcia.org
  • Include: Description, steps to reproduce, potential impact
  • Do NOT publicly disclose until we've had time to address

Our commitment:

  • Acknowledge receipt within 48 hours
  • Provide status updates every 7 days
  • Fix critical vulnerabilities within 30 days
  • Credit researchers (if desired) after fix is deployed

11.2 Bug Bounty

We do not currently have a formal bug bounty program, but we appreciate and acknowledge security researchers who responsibly disclose vulnerabilities.

11.3 Patch Management

  • Critical Vulnerabilities: Patched within 7 days
  • High Vulnerabilities: Patched within 30 days
  • Medium/Low Vulnerabilities: Patched within 90 days
  • Dependency Updates: Automated weekly scans and updates

12. Third-Party Security

12.1 Subprocessor Due Diligence

We vet all subprocessors for:

  • Security certifications (SOC 2, ISO 27001)
  • Data protection compliance (GDPR, CCPA)
  • Encryption and access controls
  • Incident response capabilities

12.2 Subprocessor List

See our Subprocessor List for details on third-party service providers.

12.3 Contractual Protections

All subprocessors are bound by:

  • Data Processing Agreements (DPAs)
  • Confidentiality obligations
  • Security requirements
  • Breach notification obligations

13. Data Retention and Deletion

13.1 Retention Periods

Data TypeRetention
Active account dataWhile account is active
Deleted account data30 days (for recovery)
Raw email content90 days
Parsed metadataWhile account active
AI logs30 days
Billing records7 years (legal requirement)
Backups90 days

13.2 Secure Deletion

When data is deleted:

  • Overwriting: Data overwritten to prevent recovery
  • Backup Deletion: Removed from backups after retention period
  • Subprocessor Deletion: Deletion instructions sent to subprocessors
  • Verification: Deletion verified and documented

14. Privacy by Design

Porcia is built with privacy and security as core principles:

  • Data Minimization: Collect only necessary data
  • Purpose Limitation: Use data only for stated purposes
  • Workspace Isolation: Customer data segregated by workspace
  • Encryption by Default: All data encrypted in transit and at rest
  • User Control: Users can export and delete their data at any time

15. Security Training

  • Employee Training: All employees receive security awareness training
  • Phishing Simulations: Regular phishing tests
  • Secure Coding Training: Developers trained in secure coding practices
  • Incident Response Drills: Regular tabletop exercises

16. Questions and Contact

Security Inquiries

Security Documentation

Arunkumar Chaubey
Doing business as Porcia
C/13 Mangalmurti Society, Ghatkopar West
Mumbai, Maharashtra, India
Phone: +91 8097907763

Version History:

  • v1.0 (March 2, 2026) - Initial release

Last Security Review: March 2, 2026
Next Scheduled Review: June 2, 2026