Security

Last updated: 2025-09-08

1. Our Commitment to Security

At Sublimest AI, Inc., security is fundamental to everything we do. We understand that real estate data is highly sensitive and valuable, and we've implemented comprehensive security measures to protect your information, maintain system integrity, and ensure reliable service delivery.

Our security program follows industry best practices and is designed to protect against unauthorized access, data breaches, system vulnerabilities, and other security threats. We continuously monitor, assess, and improve our security posture to stay ahead of emerging threats.

2. Data Security & Encryption

2.1 Data Encryption

Data is protected using industry-standard encryption both while in transit between your device and our servers and while stored:

  • In Transit: All data is encrypted using TLS 1.3 (Transport Layer Security) with 256-bit encryption
  • At Rest: All stored data is encrypted using AES-256 encryption with regularly rotated keys
  • Database Encryption: Database connections use encrypted channels with certificate-based authentication
  • API Security: All API communications are secured with OAuth 2.0 and JWT tokens

2.2 Data Classification & Handling

We classify data based on sensitivity levels and apply appropriate security controls:

  • Public Data: Market trends, general statistics (no specific protection required)
  • Internal Data: System logs, performance metrics (access-controlled)
  • Confidential Data: User account information, property details (encrypted, access-logged)
  • Restricted Data: Payment information, personal identification (highest-level encryption, strict access controls)

3. Platform Security Measures

3.1 Infrastructure Security

Our platform is built on secure, enterprise-grade infrastructure:

  • Cloud Security: Hosted on AWS with SOC 2 Type II compliance
  • Network Security: Virtual Private Cloud (VPC) with network segmentation
  • Firewall Protection: Web Application Firewall (WAF) and DDoS protection
  • Load Balancing: Distributed architecture with automatic failover
  • Monitoring: 24/7 security monitoring with real-time threat detection

3.2 Application Security

We implement security at every layer of our application:

  • Secure Development: Following OWASP guidelines and security-first development practices
  • Code Review: All code undergoes security review before deployment
  • Vulnerability Testing: Regular penetration testing and vulnerability assessments
  • Input Validation: All user inputs are validated and sanitized
  • SQL Injection Prevention: Parameterized queries and ORM security measures

4. User Account Security

4.1 Authentication & Authorization

We provide multiple layers of account security:

  • Strong Password Requirements: Minimum 8 characters with complexity requirements
  • Multi-Factor Authentication (MFA): Optional 2FA via SMS, email, or authenticator apps
  • OAuth Integration: Secure login with Google, Microsoft, and other providers
  • Session Management: Secure session tokens with automatic expiration
  • Role-Based Access: Granular permissions based on user roles and subscription levels

4.2 Account Protection

Additional security measures to protect your account:

  • Login Monitoring: Detection of suspicious login attempts and unusual activity
  • Account Lockout: Automatic lockout after multiple failed login attempts
  • Email Verification: Required email verification for account creation and changes
  • Password Reset: Secure password reset process with time-limited tokens
  • Device Management: Tracking of authorized devices and browsers

5. Payment Security

5.1 Payment Processing

We use industry-leading payment security standards:

  • PCI DSS Compliance: Our payment processing meets Payment Card Industry standards
  • Stripe Integration: Payments processed through Stripe's secure infrastructure
  • Tokenization: Credit card numbers are tokenized and never stored on our servers
  • Fraud Detection: Advanced fraud detection and prevention systems
  • Secure Billing: Encrypted billing information with restricted access

5.2 Financial Data Protection

Your financial information is protected through:

  • No Storage: We do not store complete credit card information
  • Encrypted Tokens: Only encrypted payment tokens are retained
  • Audit Trails: All payment transactions are logged and monitored
  • Compliance: Regular PCI DSS audits and compliance verification

6. Data Protection & Compliance

6.1 Privacy Compliance

We comply with Canadian and international privacy regulations:

  • PIPEDA Compliance: Personal Information Protection and Electronic Documents Act
  • Quebec Law 25: Compliance with Quebec's modernized privacy legislation
  • GDPR Considerations: European data protection standards for EU users
  • CCPA Compliance: California Consumer Privacy Act requirements

6.2 Data Governance

Our data governance framework includes:

  • Data Minimization: We only collect data necessary for service delivery
  • Purpose Limitation: Data is used only for stated purposes
  • Retention Policies: Data is retained only as long as necessary
  • Right to Deletion: Users can request deletion of their personal data
  • Data Portability: Users can export their data in standard formats

7. Security Incident Response

7.1 Incident Response Plan

We maintain a comprehensive incident response plan:

  • Detection: Automated monitoring systems detect potential security incidents
  • Assessment: Rapid assessment of incident scope and impact
  • Containment: Immediate steps to contain and mitigate threats
  • Investigation: Thorough investigation to determine root cause
  • Recovery: Restoration of normal operations with enhanced security
  • Communication: Timely notification to affected users and authorities

7.2 Breach Notification

In the event of a security breach:

  • Immediate Response: Incident response team activated within 1 hour
  • User Notification: Affected users notified within 72 hours
  • Regulatory Reporting: Compliance with legal notification requirements
  • Remediation: Steps taken to prevent future incidents
  • Transparency: Public disclosure of significant incidents

8. Third-Party Security

8.1 Vendor Management

We carefully evaluate and monitor all third-party services:

  • Security Assessments: All vendors undergo security evaluations
  • Contractual Requirements: Security requirements included in all vendor contracts
  • Regular Reviews: Ongoing monitoring of third-party security posture
  • Data Processing Agreements: Clear data handling requirements for all processors

8.2 Key Security Partners

Our security infrastructure relies on trusted partners:

  • Amazon Web Services (AWS): Cloud hosting with enterprise security features
  • Stripe: PCI DSS compliant payment processing
  • Cloudflare: DDoS protection and web application firewall
  • MongoDB Atlas: Database hosting with encryption and access controls
  • Sentry: Error monitoring and security incident detection

9. Security Training & Awareness

9.1 Employee Training

All Sublimest employees receive comprehensive security training:

  • Security Orientation: New employee security training program
  • Regular Updates: Ongoing security awareness training
  • Phishing Simulation: Regular testing of employee awareness
  • Incident Response: Training on security incident procedures
  • Data Handling: Proper procedures for handling sensitive data

9.2 Security Culture

We maintain a culture of security awareness:

  • Shared Responsibility: Security is everyone's responsibility
  • Continuous Improvement: Regular security reviews and improvements
  • Threat Intelligence: Staying informed about emerging threats
  • Best Practices: Following industry security standards and guidelines

10. User Security Best Practices

10.1 Account Security Tips

Help us keep your account secure by following these best practices:

  • Use Strong Passwords: Create unique, complex passwords for your account
  • Enable Two-Factor Authentication: Add an extra layer of security to your account
  • Keep Software Updated: Use up-to-date browsers and operating systems
  • Monitor Your Account: Regularly review your account activity
  • Secure Your Devices: Use device locks and secure networks
  • Report Suspicious Activity: Contact us immediately if you notice unusual activity

10.2 Safe Usage Guidelines

Additional security recommendations:

  • Public Wi-Fi: Avoid accessing sensitive information on public networks
  • Shared Devices: Always log out when using shared or public computers
  • Email Security: Be cautious of phishing emails claiming to be from Sublimest
  • Browser Security: Use modern browsers with security features enabled
  • Data Backup: Keep local backups of important data

11. Security Certifications & Audits

11.1 Compliance Certifications

We maintain certifications and compliance with security standards:

  • SOC 2 Type II: Annual audit of security controls
  • ISO 27001: Information security management system certification
  • PCI DSS: Payment card industry data security standard
  • PIPEDA Compliance: Canadian privacy law compliance
  • GDPR Compliance: European privacy regulation compliance

11.2 Security Audits

Regular security assessments ensure our controls remain effective:

  • Annual Security Audits: Comprehensive third-party security assessments
  • Penetration Testing: Regular testing of our security defenses
  • Vulnerability Scanning: Continuous monitoring for security vulnerabilities
  • Code Security Review: Security analysis of all application code
  • Compliance Audits: Regular verification of regulatory compliance

12. Reporting Security Issues

12.1 Responsible Disclosure

We welcome reports of security vulnerabilities from security researchers and users:

  • Security Email: security@sublimest.ai
  • Response Time: We respond to all security reports within 24 hours
  • Investigation: All reports are thoroughly investigated
  • Recognition: We acknowledge researchers who report valid vulnerabilities
  • Coordination: We work with reporters to ensure responsible disclosure

12.2 Bug Bounty Program

We operate a bug bounty program for security researchers:

  • Scope: Covers all Sublimest systems and applications
  • Rewards: Monetary rewards for valid security vulnerabilities
  • Guidelines: Clear guidelines for responsible testing
  • Hall of Fame: Recognition for security researchers

13. Contact Information

13.1 Security Team

For security-related questions, concerns, or reports:

  • Security Email: security@sublimest.ai
  • Emergency Contact: Available 24/7 for critical security issues
  • Response Time: We respond to all security inquiries within 24 hours
  • Escalation: Critical issues are escalated to senior leadership immediately

13.2 General Contact

For general questions about our security practices:

  • Email: support@sublimest.ai
  • Phone: +1 (555) 123-4567
  • Address: 123 Security Street, Montreal, QC H3H 2Y7, Canada

14. Updates to This Security Notice

We regularly review and update our security practices and this security notice. Material changes will be communicated through:

  • Email Notification: Registered users will be notified of significant changes
  • Website Notice: Updates will be posted on our website
  • Version History: Previous versions are available upon request
  • Effective Date: Changes take effect 30 days after notification

Security is Our Priority

If you have any questions about our security practices or need to report a security concern, please don't hesitate to contact our security team at security@sublimest.ai. We take all security matters seriously and are committed to maintaining the highest levels of security for our platform and your data.