Security

Data Security

Infrastructure

• →Hosting: Application layer on Vercel (serverless, AWS us-east-1). Database on Supabase (PostgreSQL, AWS us-east-1). All infrastructure is in the United States.
• →Authentication: Slack OAuth 2.0 for app installation. Slack SSO for dashboard sign-in. Supabase Auth for session management.
• →Slack security: All inbound Slack requests are verified using HMAC-SHA256 signature verification before processing. Invalid signatures are rejected immediately.
• →AI processing: Messages are sent to OpenAI's API (US infrastructure) only to generate IT support responses. OpenAI does not retain API data or use it for model training.
• →No secrets in code: All credentials and API keys are stored as environment variables. No secrets are committed to source control.

Vulnerability Disclosure

We take security reports seriously. If you discover a vulnerability in ITSquare.AI, please report it to us responsibly. We commit to the following:

• →We will acknowledge your report within 2 business days.
• →We will investigate and provide a status update within 7 business days.
• →We will notify you when the vulnerability is resolved.
• →We will not pursue legal action against researchers who report in good faith and follow responsible disclosure practices.
• →Please do not publicly disclose the vulnerability until we have had the opportunity to address it.

Certifications

ITSquare.AI is an early-stage product. We do not currently hold SOC 2, ISO 27001, HIPAA, or PCI DSS certifications. We are committed to pursuing SOC 2 Type II certification as the product matures. If your organization has specific compliance requirements, contact us at brucelee@itsquare.ai to discuss.