Security Policy
How we protect your data and maintain system security
Last Updated: May 20, 2026
Security Commitment
We are committed to:
- Protecting user data through industry-standard practices
- Maintaining transparency about security measures
- Promptly addressing security vulnerabilities
- Continuously improving our security posture
Security Measures
Data Protection
- Encryption in Transit: TLS 1.3 for all data transmission
- Encryption at Rest: AES-256 encryption for stored data
- Database Security: Encrypted connections and backups
- API Security: HTTPS only, no HTTP fallback
Authentication
- JWT Tokens: JSON Web Tokens for session management
- Password Hashing: Secure bcrypt hashing
- MFA Support: Multi-factor authentication (planned)
- Session Timeout: Automatic timeout after inactivity
Infrastructure
- Firewalls: Network segmentation and protection
- DDoS Protection: Distributed denial-of-service mitigation
- Containerization: Docker with isolated environments
- Backup & Recovery: Automated backups and disaster recovery
Application Security
- Input Validation: Sanitization of all user inputs
- SQL Injection Prevention: Parameterized queries
- XSS Protection: Output encoding
- CSRF Tokens: Protection for state-changing operations
AI and Content Safety
- Hallucination Prevention: Faithfulness checker on all AI outputs
- RAG Grounding: Verified sources for content generation
- Content Moderation: iFlytek API integration for safety filtering
- Prompt Injection Protection: Context isolation between users
Data Privacy in AI
- No training on user data without consent
- Context isolation between users
- Prompt injection protection
Vulnerability Disclosure
Reporting Security Issues
If you discover a security vulnerability, please report it responsibly:
Email: theveloxstudio@gmail.com
Subject: "[SECURITY] Vulnerability Report"
Include in your report:
- Description of the vulnerability
- Steps to reproduce
- Potential impact assessment
- Suggested mitigation (if any)
- Your contact information
Response Timeline
| Stage | Timeframe |
|---|---|
| Initial Response | 48 hours |
| Acknowledgment | 72 hours |
| Update on Progress | Weekly |
| Resolution | 90 days maximum |
No Legal Action
We will not take legal action against security researchers who:
- Follow responsible disclosure
- Do not access others' data
- Do not cause harm or service disruption
- Report in good faith
Security Checklist for Users
Security Roadmap
Current (v1.0)
- Core encryption and authentication
- Input validation and sanitization
- Rate limiting and DDoS protection
- Content moderation
Planned (v1.1)
- Multi-factor authentication (MFA)
- Advanced threat detection
- Security audit logging
- Penetration testing
Future (v2.0)
- SOC 2 compliance
- Bug bounty program
- Third-party security certifications
- Advanced anomaly detection
Compliance
Standards Alignment
Our security practices align with:
OWASP Top 10
GDPR Principles
Industry Best Practices
Competition Requirements
Contact Security Team
For security-related inquiries:
Email: theveloxstudio@gmail.com
Subject: Please include "[SECURITY]" in subject line
PGP Key: Available upon request for encrypted communications
Acknowledgments
We thank the security community for their contributions to making NOBOGYAN safer.
Hall of Fame: Security researchers who have responsibly disclosed vulnerabilities will be listed here (with permission).
Security is an ongoing process. We continuously evaluate and improve our security posture to protect our users and their data.
Copyright © 2026 VELOX Studio. All rights reserved.