Security

AIMPACT's infrastructure is designed with security as a foundational principle. Our platform operates on enterprise-grade cloud infrastructure with multiple layers of protection:

• Cloud Hosting: Our services are hosted across geographically distributed data centers with automatic failover and redundancy. All hosting providers maintain SOC 2 Type II certification.
• DDoS Protection: Multi-layered DDoS mitigation including network-level filtering, rate limiting, and intelligent traffic analysis to ensure service availability during attack events.
• Network Isolation: Production environments are isolated using virtual private clouds (VPCs) with strict network segmentation. Internal services communicate through private networks inaccessible from the public internet.
• Edge Security: All traffic is routed through a global edge network with Web Application Firewall (WAF) rules, bot management, and real-time threat intelligence.

We employ industry-leading encryption standards to protect your data at every stage:

At Rest

• All stored data is encrypted using AES-256 encryption
• Database encryption with provider-managed or customer-managed keys
• Encrypted backups stored in geographically separate locations
• Secure key management with automatic key rotation

In Transit

• All connections secured with TLS 1.3 (minimum TLS 1.2)
• HTTP Strict Transport Security (HSTS) enforced across all domains
• Certificate pinning for mobile and API clients
• Perfect forward secrecy (PFS) for all TLS connections

Application Layer

• Sensitive fields (API keys, credentials) are additionally encrypted at the application layer
• End-to-end encryption for certain high-sensitivity data flows
• Cryptographic hashing (bcrypt/argon2) for all password storage

We enforce strict access controls to ensure that data is only accessible to authorized individuals:

Role-Based Access Control (RBAC)

• Principle of least privilege applied to all internal and customer-facing access
• Granular permission levels for team members and administrators
• Automated provisioning and de-provisioning of access rights
• Regular access reviews conducted quarterly

Multi-Factor Authentication (MFA)

• MFA required for all employee access to production systems
• MFA available and recommended for all customer accounts
• Support for TOTP authenticator apps and hardware security keys
• Adaptive authentication with risk-based step-up verification

Audit Logging

• Comprehensive audit trails for all system and data access
• Immutable logs stored securely with tamper-detection mechanisms
• Real-time alerting on suspicious access patterns
• Log retention for a minimum of 12 months

AIMPACT maintains alignment with recognized security and privacy standards:

• ISO 27001 Standards: Our information security management system is aligned with ISO 27001 requirements, covering risk assessment, access control, incident management, and business continuity.
• SOC 2 Type II: Our infrastructure providers maintain SOC 2 Type II compliance, and we follow SOC 2 criteria for security, availability, and confidentiality in our own operations.
• GDPR: We comply with the General Data Protection Regulation for processing data of EU residents, including data minimization, purpose limitation, and data subject rights.
• PDPO: We comply with the Hong Kong Personal Data (Privacy) Ordinance for all data processing activities.

Regular Audits

• Annual third-party security assessments and penetration tests
• Quarterly internal security reviews and vulnerability scanning
• Continuous automated security testing integrated into our development pipeline
• Independent code reviews for security-critical components

We maintain a structured incident response program to quickly identify, contain, and resolve security events:

24-Hour Notification

In the event of a confirmed data breach affecting your personal information, we commit to notifying affected users within 24 hours of confirmation. Notifications will include:

• Nature and scope of the incident
• Types of data potentially affected
• Actions taken to contain and remediate the incident
• Recommended steps for affected users
• Contact information for our security team

Response Team

Our dedicated security response team includes:

• On-call security engineers with 15-minute response time
• Defined escalation procedures and communication protocols
• Coordination with law enforcement and regulatory bodies as required
• Post-incident review process with root cause analysis and preventive measures

We value the security research community and encourage responsible disclosure of security vulnerabilities.

How to Report

If you discover a security vulnerability, please report it to us at security@aimpact.com. Please include:

• A detailed description of the vulnerability
• Steps to reproduce the issue
• Potential impact assessment
• Any proof-of-concept code (if applicable)

Scope

The following are in scope for our bug bounty program:

• Authentication and authorization flaws
• Data exposure or leakage vulnerabilities
• Cross-site scripting (XSS), CSRF, and injection attacks
• Server-side request forgery (SSRF)
• Business logic vulnerabilities

Out of scope: denial of service attacks, social engineering, physical security, and third-party services.

Rewards

We offer monetary rewards based on the severity and impact of the vulnerability:

• Critical (remote code execution, data breach): Up to $5,000
• High (authentication bypass, privilege escalation): Up to $2,500
• Medium (stored XSS, CSRF on sensitive actions): Up to $1,000
• Low (information disclosure, reflected XSS): Up to $250

We commit to acknowledging reports within 48 hours and providing an initial assessment within 5 business days. We will not take legal action against researchers who act in good faith and comply with our responsible disclosure guidelines.