Security Policy
How we safeguard your data — and how to report a vulnerability responsibly.
Last updated: May 6th, 2025
4.1 Our Commitment
MinMaxDoc is committed to protecting your data through industry‑standard technical and organizational measures.
4.2 Technical Safeguards
Encryption in Transit & at Rest: All traffic is encrypted via SSL/TLS. Sensitive data (passwords, API keys) is encrypted or hashed (bcrypt).
Hosting: Services run on Google Cloud Platform (GCP) in U.S. regions within ISO 27001‑certified data centers.
Network Security: Firewalls, network segmentation, and continuous monitoring guard against unauthorized access.
Penetration Testing: We perform annual third‑party penetration tests and remediate findings promptly.
Backups & DR: Encrypted backups are taken daily with a 30‑day retention and verified restore procedures.
4.3 Organizational Measures
Access Controls: Role‑based access; least‑privilege principle. Multifactor authentication required for administrative access.
Security Training: All personnel complete annual security awareness training.
Incident Response: A documented plan enables rapid detection, containment, and notification.
4.4 User Responsibilities
- Use a strong, unique password and enable optional 2‑factor authentication.
- Keep your devices secure and up‑to‑date.
- Report suspicious activity immediately.
4.5 Responsible Disclosure
If you discover a vulnerability, email [click to reveal] with details. Please give us a reasonable opportunity to respond before any public disclosure, and do not access, modify, or delete data belonging to other users while testing. We appreciate responsible researchers and will acknowledge valid reports, typically within 3 business days. This page is the disclosure policy referenced by our security.txt (RFC 9116).
4.6 Changes
Security practices evolve; we may update this Policy. Material changes will be posted.