Security Policy

Last updated: March 2026

At TrenT Fly, the security of our users' data is our top priority.

1. Encryption and Secure Communication

  • HTTPS/TLS: all communication between your browser and our servers is protected by TLS encryption.
  • SSL certificates: valid and up-to-date SSL certificates with automatic renewal.
  • Password encryption: passwords are stored using secure hash algorithms (bcrypt).
  • Sensitive data: API keys and tokens are stored as encrypted environment variables, never in source code.

2. Secure Data Storage

  • PostgreSQL database: data stored in managed instances with restricted access and SSL-encrypted connections.
  • Data isolation: data from different services is kept in separate databases.
  • Access control: database access restricted to authorized services with unique credentials.
  • Payment data: financial information processed by PCI-DSS certified partners (Stripe and Mercado Pago).

3. Authentication and Access Control

  • Secure authentication: login requires valid credentials, with protection against brute force attacks.
  • Protected sessions: sessions managed with secure tokens and automatic expiration.
  • Route protection: all pages with personal data require prior authentication.
  • Principle of least privilege: each component has only the permissions strictly necessary for its operation.

4. Protection Against Attacks

We follow OWASP best practices to protect the Platform:

  • SQL Injection: we use parameterized queries and an ORM.
  • Cross-Site Scripting (XSS): dynamic content is sanitized before rendering.
  • CSRF: sensitive forms and requests are protected with CSRF tokens.
  • Rate Limiting: per-IP request limits to prevent brute force attacks.
  • Input validation: all user input is validated and sanitized.
  • Security headers: HTTP headers (CSP, X-Frame-Options, HSTS) configured to mitigate attacks.

5. Backup and Data Recovery

  • Automatic backups: regular automated database backups.
  • Redundancy: backups stored in a geographically separate location.
  • Restoration tests: periodic backup restoration tests to ensure data integrity.
  • Backup retention: maintained for an appropriate period for point-in-time recovery.

6. Monitoring and Detection

  • Continuous monitoring: systems monitored 24/7 for anomalous activities.
  • Audit logs: detailed records of accesses and critical operations.
  • Automatic alerts: alert systems notify the technical team of security events.
  • Vulnerability analysis: periodic security checks to identify and fix potential vulnerabilities.

7. Security Incident Response

We maintain a security incident response plan that includes:

  • Identification: rapid detection and assessment of scope and impact.
  • Containment: immediate measures to contain the incident.
  • Eradication: elimination of the root cause.
  • Recovery: restoration of systems to normal operation.
  • Notification: in case of a significant incident, we will notify the competent authority and affected data subjects.
  • Post-incident analysis: comprehensive review to implement improvements.

8. Updates and Maintenance

  • Software updates: dependencies and libraries kept updated with the latest security patches.
  • Code review: all code is reviewed before being deployed to production.
  • Separate environments: development, testing, and production environments kept separate.

9. Reporting Vulnerabilities

If you identify a security vulnerability, please report it responsibly:

When reporting a vulnerability, please:

  • Describe the vulnerability in as much detail as possible.
  • Provide steps to reproduce the issue, if applicable.
  • Do not exploit the vulnerability beyond what is necessary to demonstrate it.
  • Do not publicly disclose the vulnerability before we have had the opportunity to fix it.

We are committed to reviewing all reports and responding in a timely manner. We appreciate your contribution to making TrenT Fly safer for everyone.

10. Contact

For security-related questions:

TrenT Bear
