OutGrave

01Our Security Commitment
02Security Governance
03Data Encryption
04Infrastructure Security
05Application Security
06Network Security
07Access Control and Authentication
08Vulnerability Management
09Penetration Testing
10Incident Response
11Business Continuity and Disaster Recovery
12Third-Party Security
13Employee Security
14Physical Security
15Compliance and Certifications
16Security Awareness and Training
17Responsible Disclosure Policy
18Bug Bounty Program
19Security Contact

1. Our Security Commitment

1.1 Security Is Our Foundation

At OUTGRAVE, security is not an afterthought — it is a fundamental part of everything we build. As a software technology company developing desktop, mobile, and web applications, as well as digital goods and technology services, we understand that our users trust us with their data. We take that responsibility seriously.

Our security program is built on the following core principles:

Security by Design: Security is integrated into every stage of our development lifecycle, from architecture and design through development, testing, deployment, and operations
Defense in Depth: We implement multiple layers of security controls to protect against a wide range of threats
Least Privilege: Access to systems and data is granted on a strict need-to-know, need-to-access basis
Continuous Improvement: Our security program evolves continuously in response to new threats, technologies, and business requirements
Transparency: We are open about our security practices and our customers' security

1.2 Scope of This Security Page

This Security page describes the technical, organizational, and physical security measures we implement to protect our Services, infrastructure, and your data. It covers:

Our security governance structure and policies
The specific security technologies and controls we use
Our processes for managing vulnerabilities and incidents
Our compliance with industry standards and regulations
How we handle security research and disclosures

2. Security Governance

2.1 Security Team and Leadership

OUTGRAVE maintains a dedicated security team responsible for the development, implementation, and oversight of our security program. Our security leadership includes:

Chief Information Security Officer (CISO): Oversees the overall security strategy and program
Security Operations Team: Manages day-to-day security monitoring, incident response, and threat detection
Security Engineering Team: Builds and maintains security tools, controls, and infrastructure
Compliance and Risk Team: Manages compliance requirements, risk assessments, and audits

2.2 Security Policies

We maintain a comprehensive set of security policies that govern all aspects of our operations. These policies are reviewed and updated at least annually, or more frequently as needed. Our key policies include:

Policy	Purpose
Information Security Policy	Establishes the overall framework for information security management
Data Protection Policy	Governs how personal data is collected, processed, stored, and protected
Access Control Policy	Defines rules for granting, reviewing, and revoking system access
Incident Response Policy	Outlines procedures for detecting, reporting, and responding to security incidents
Acceptable Use Policy	Defines acceptable use of company systems, networks, and data
Password Policy	Establishes password complexity, rotation, and storage requirements
Remote Work Policy	Governs security requirements for remote and mobile workers
Third-Party Security Policy	Defines security requirements for vendors and partners
Encryption Policy	Specifies encryption standards and key management procedures
Business Continuity Policy	Outlines procedures for maintaining operations during disruptions

2.3 Security Reviews and Audits

We conduct regular security reviews and audits, including:

Internal Audits: Quarterly reviews of security controls and compliance
External Audits: Annual independent security assessments by third-party auditors
Compliance Audits: Audits to verify compliance with regulatory requirements (GDPR, CCPA, etc.)
Peer Reviews: Regular cross-team reviews of security implementations

2.4 Risk Management

We maintain an ongoing risk management program that includes:

Risk Assessments: Regular identification, analysis, and evaluation of security risks
Risk Treatment: Implementation of controls to mitigate identified risks
Risk Acceptance: Formal acceptance of residual risks where appropriate
Risk Monitoring: Continuous monitoring of the risk landscape and control effectiveness

3. Data Encryption

3.1 Encryption in Transit

All data transmitted between our Services and your devices is encrypted using industry-standard protocols:

Protocol	Version	Key Strength	Cipher Suites
TLS (Transport Layer Security)	TLS 1.2, TLS 1.3	2048-bit RSA, 256-bit ECDHE	TLSAES256GCMSHA384, TLSAES128GCMSHA256, ECDHE-RSA-AES256-GCM-SHA384
HTTPS	HTTP over TLS	2048-bit RSA	As above
SSH	SSH-2	4096-bit RSA	aes256-ctr, aes128-ctr
VPN	IPsec/IKEv2, OpenVPN	256-bit AES	AES-256-GCM, AES-256-CBC

What This Means for You:

All communications with our websites are encrypted via HTTPS (look for the padlock icon in your browser)
All API calls are encrypted via TLS 1.2 or higher
All data synced between our applications and our servers is encrypted
We do not support legacy protocols (SSL 2.0, SSL 3.0, TLS 1.0, TLS 1.1)

3.2 Encryption at Rest

All data stored on our servers and systems is encrypted at rest using strong encryption algorithms:

Storage Layer	Encryption Method	Algorithm	Key Management
Databases	Transparent Data Encryption (TDE)	AES-256	AWS KMS / Cloud KMS
File Storage	Server-side encryption	AES-256	AWS S3 SSE-S3 / SSE-KMS
Backups	Client-side encryption	AES-256	Dedicated key management system
Logs	Server-side encryption	AES-256	AWS KMS / Cloud KMS
Application Config	Encrypted using secrets management	AES-256	HashiCorp Vault / AWS Secrets Manager

3.3 Key Management

We use a centralized key management system to securely generate, store, rotate, and revoke encryption keys:

Key Generation: Keys are generated using cryptographically secure random number generators (CSPRNGs)
Key Storage: Keys are stored in hardware security modules (HSMs) or cloud key management services (AWS KMS, Google Cloud KMS)
Key Rotation: Encryption keys are rotated on a regular schedule (minimum annually) and immediately upon any suspected compromise
Key Access: Access to encryption keys is restricted to authorized security personnel and logged
Key Backup: Keys are backed up securely and stored in geographically separate locations

3.4 End-to-End Encryption (Where Applicable)

For certain features and services, we may offer end-to-end encryption (E2EE) where data is encrypted on your device before being transmitted and can only be decrypted by you or the intended recipient. In such cases, we do not have access to the decryption keys and cannot read the encrypted data.

4. Infrastructure Security

4.1 Cloud Infrastructure

Our Services are hosted on leading cloud infrastructure providers, including:

Amazon Web Services (AWS)
Google Cloud Platform (GCP)
Vercel (for frontend hosting and edge functions)
Cloudflare (for CDN, DDoS protection, and DNS)

4.2 Infrastructure Hardening

Our cloud infrastructure is hardened according to industry best practices:

Operating Systems: Minimal base images with unnecessary services removed; CIS benchmark compliance
Patch Management: Automated patching with regular vulnerability scanning; critical patches applied within 24 hours
Configuration Management: Infrastructure as Code (IaC) using Terraform and CloudFormation; configuration drift monitoring
Container Security: Container images scanned for vulnerabilities; minimal base images; running as non-root users
Orchestration: Kubernetes clusters with network policies, pod security policies, and role-based access control (RBAC)

4.3 Network Segmentation

Our infrastructure is segmented into isolated network zones:

Public Zone: Load balancers, CDN edges, and public-facing endpoints
Application Zone: Application servers, API servers, and web servers
Data Zone: Databases, caches, and storage systems
Management Zone: Administration systems, monitoring, and CI/CD pipelines
Isolated Zone: Systems handling sensitive data or processing

Network traffic between zones is controlled by strict firewall rules and security groups. Inbound and outbound traffic is logged and monitored.

4.4 Redundancy and High Availability

Our infrastructure is designed for high availability across multiple:

Availability Zones (AZs): Services are deployed across at least 3 availability zones within each region
Geographic Regions: Critical services are deployed across multiple geographic regions
Content Delivery Networks (CDNs): Static and dynamic content is served through a global CDN with edge caching

5. Application Security

5.1 Secure Software Development Lifecycle (SSDLC)

Security is integrated into every phase of our software development lifecycle:

5.1.1 Design Phase

Threat Modeling: We conduct threat modeling for all new features and significant changes using industry-standard methodologies (STRIDE, PASTA)
Security Requirements: Security requirements are defined alongside functional requirements
Architecture Review: Security architecture reviews are conducted before development begins
Privacy by Design: Privacy considerations are integrated into product design

5.1.2 Development Phase

Secure Coding Standards: We follow industry-standard secure coding guidelines (OWASP Top 10, SEI CERT, CWE Top 25)
Code Review: All code changes require peer review with automated and manual security checks
Static Analysis: Static Application Security Testing (SAST) tools scan all code for vulnerabilities automatically
Dependency Scanning: All third-party dependencies and open-source libraries are scanned for known vulnerabilities
Pre-Commit Hooks: Security hooks run before code is committed to detect secrets, vulnerabilities, and misconfigurations

5.1.3 Testing Phase

Dynamic Analysis: Dynamic Application Security Testing (DAST) scans running applications for vulnerabilities
Integration Testing: Security integration tests validate security controls and configurations
Fuzz Testing: Input validation and error handling are tested using fuzzing techniques
Regression Testing: Security regression tests ensure that existing security controls remain effective

5.1.4 Deployment Phase

Infrastructure Scanning: Infrastructure configuration is scanned for security misconfigurations
Container Scanning: Container images are scanned for vulnerabilities before deployment
Deployment Approval: Security-signoff is required for all production deployments
Canary Deployments: Changes are rolled out gradually with automated rollback capabilities

5.1.5 Operations Phase

Continuous Monitoring: Applications are monitored for security events and anomalies
Log Analysis: Application logs are analyzed for security incidents
Runtime Protection: Web Application Firewalls (WAF) and Runtime Application Self-Protection (RASP) are deployed
Incident Response: Security incidents are handled through our incident response process

5.2 Web Application Security

We implement the following controls to protect our web applications:

Input Validation: All user input is validated, sanitized, and encoded on both client and server sides
Output Encoding: Output is encoded based on context (HTML, JavaScript, CSS, URL) to prevent XSS attacks
Parameterized Queries: All database queries use parameterized statements or prepared statements to prevent SQL injection
CSRF Protection: Anti-CSRF tokens are implemented for all state-changing requests
Authentication: Strong authentication mechanisms, including multi-factor authentication (MFA) support
Session Management: Secure session handling with HTTP-only, secure, SameSite cookies and session timeouts
Content Security Policy (CSP) : Strict CSP headers are enforced to prevent XSS and data injection
HTTP Security Headers: We implement HTTP security headers including HSTS, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy

5.3 API Security

Our API endpoints are protected by:

Authentication: API keys, OAuth 2.0, JWT tokens with short expiration
Authorization: Fine-grained permission models and scope-based access control
Rate Limiting: Request rate limiting to prevent abuse and DoS attacks
Input Validation: Strict schema validation of all API inputs
Versioning: API versioning to manage changes and deprecation
Logging: Comprehensive API access logging and monitoring

5.4 Mobile Application Security

Our mobile applications implement:

Code Obfuscation: ProGuard (Android) and LLVM (iOS) obfuscation to protect against reverse engineering
Root/Jailbreak Detection: Detection of compromised devices with appropriate security responses
Certificate Pinning: SSL certificate pinning to prevent man-in-the-middle attacks
Secure Storage: Sensitive data is stored using platform-specific secure storage (Keychain for iOS, EncryptedSharedPreferences for Android)
Data Minimization: Mobile apps collect only the minimum data necessary for functionality
Offline Security: Offline data is encrypted; app data is wiped after repeated failed authentication attempts

6. Network Security

6.1 Firewall and Perimeter Security

Web Application Firewall (WAF): Cloudflare WAF with custom rules blocking SQL injection, XSS, and other OWASP Top 10 attacks
Network Firewalls: Stateful inspection firewalls at all network boundaries with default-deny policies
DDoS Protection: Multi-layered DDoS protection at both network (L3/L4) and application (L7) layers
Rate Limiting: Per-IP and per-account rate limiting on all endpoints

6.2 Intrusion Detection and Prevention (IDS/IPS)

Network-based IDS/IPS: Monitors network traffic for malicious patterns and known attack signatures
Host-based IDS: Monitors system logs, file integrity, and process behavior on individual systems
Anomaly Detection: Machine learning-based detection of unusual network patterns and behaviors
Threat Intelligence: Integration with threat intelligence feeds to identify known malicious IPs, domains, and patterns

6.3 Network Monitoring

Traffic Analysis: Continuous analysis of network traffic flows for anomalies
Packet Inspection: Deep packet inspection for critical traffic
DNS Monitoring: Monitoring of DNS queries for signs of data exfiltration or C2 communication
Network Logging: Comprehensive logging of all network connections and firewall events

6.4 VPN and Remote Access

VPN Access: Encrypted VPN access for remote administration and support
Split Tunneling: Restricted split tunneling to prevent data leakage
MFA Requirement: Multi-factor authentication required for all VPN connections
Session Timeout: Automatic session termination after inactivity

7. Access Control and Authentication

7.1 Identity and Access Management (IAM)

We implement a centralized IAM system to manage user identities, roles, and permissions across all systems:

Single Sign-On (SSO): Integration with SSO providers for centralized authentication
Just-in-Time (JIT) Access: Temporary, time-bound access grants for sensitive systems
Privileged Access Management (PAM) : Elevated access is managed through a PAM system with session recording and approval workflows

7.2 Authentication Methods

Method	Implementation	Required For
Password-based	bcrypt hashing, minimum 12 characters, complexity requirements	User accounts
Multi-Factor Authentication (MFA)	Time-based One-Time Passwords (TOTP), SMS codes, hardware security keys (FIDO2/WebAuthn)	Administrative access, sensitive operations
Single Sign-On (SSO)	SAML 2.0, OAuth 2.0, OpenID Connect	Enterprise customers (optional)
API Authentication	API keys, OAuth 2.0 tokens, JWT	API access
Biometric Authentication	Fingerprint, Face ID (device-level)	Mobile app access (optional)

7.3 Access Control Model

We follow the Principle of Least Privilege (PoLP) and Need-to-Know basis:

Role-Based Access Control (RBAC) : Permissions are assigned based on job roles and functions
Attribute-Based Access Control (ABAC) : Fine-grained access decisions based on user attributes, resource attributes, and environment conditions
Separation of Duties (SoD) : Critical operations require multiple authorized individuals

7.4 Access Reviews

We conduct regular access reviews to ensure that permissions remain appropriate:

Quarterly Reviews: All user access permissions are reviewed on a quarterly basis
Event-Triggered Reviews: Access is reviewed upon role changes, transfers, or terminations
Automated Recertification: Automated workflows for access recertification

7.5 Offboarding

When an employee, contractor, or partner leaves or changes roles:

Immediate Revocation: All access is revoked immediately upon termination
Credential Rotation: All shared credentials and secrets are rotated
Asset Recovery: All company devices and assets are recovered
Exit Interview: Security exit interview to remind of ongoing confidentiality obligations

8. Vulnerability Management

8.1 Vulnerability Scanning

We conduct regular vulnerability scanning across all systems and applications:

Scan Type	Frequency	Coverage
External Network Scan	Weekly	All public-facing IPs and domains
Internal Network Scan	Weekly	All internal systems and servers
Web Application Scan	Weekly (automated), Quarterly (manual)	All web applications and APIs
Container Image Scan	Every build	All container images
Dependency Scan	Every commit	All dependencies (npm, pip, maven, etc.)
Infrastructure Scan	Daily (IaC), Weekly (live)	Cloud infrastructure configuration
Database Scan	Monthly	Database configurations and access controls

8.2 Vulnerability Prioritization

Vulnerabilities are prioritized based on:

CVSS Score: Common Vulnerability Scoring System (CVSS v3.1)
Exploitability: Whether a known exploit exists
Asset Criticality: The importance of the affected system
Data Sensitivity: The type of data that could be affected
Attack Vector: The complexity and prerequisites for exploitation

8.3 Remediation SLAs

Risk Level	CVSS Score	Remediation SLA
Critical	9.0 - 10.0	24 hours
High	7.0 - 8.9	7 days
Medium	4.0 - 6.9	30 days
Low	0.1 - 3.9	90 days

8.4 Patch Management

Automated Patching: Critical security patches are deployed automatically
Emergency Patching: Zero-day vulnerabilities are patched within the remediation SLA
Patch Testing: Patches are tested in staging environments before production deployment
Change Management: All patches go through our change management process

9. Penetration Testing

9.1 Regular Penetration Testing

We engage independent, third-party security firms to conduct penetration testing of our Services on a regular basis:

Frequency: At least annually, plus after major infrastructure or application changes
Scope: All critical applications, APIs, infrastructure, and systems
Methodology: NIST SP 800-115, OWASP Testing Guide, OSSTMM
Deliverables: Comprehensive report including findings, risk ratings, and remediation recommendations

9.2 Types of Testing

Test Type	Description	Frequency
External Penetration Testing	Tests public-facing systems and applications from the perspective of an external attacker	Annually
Internal Penetration Testing	Tests internal systems from the perspective of an authenticated user or insider threat	Annually
Web Application Testing	Tests web applications for OWASP Top 10 and custom vulnerabilities	Annually and after major changes
API Testing	Tests API endpoints for authentication, authorization, and injection vulnerabilities	Annually and after major changes
Mobile Application Testing	Tests iOS and Android applications for platform-specific vulnerabilities	Annually
Social Engineering Testing	Tests employee awareness through phishing simulations	Annually

9.3 Remediation of Findings

All penetration testing findings are:

01Logged in our vulnerability management system
02Prioritized based on risk severity
03Assigned to responsible team members
04Remediated within established SLAs
05Re-tested to verify remediation

10. Incident Response

10.1 Incident Response Team

We maintain a dedicated Computer Security Incident Response Team (CSIRT) that is available 24/7/365 to respond to security incidents. The team includes:

Incident Commander: Overall coordination and decision-making
Security Analysts: Technical investigation and analysis
System Administrators: System containment and remediation
Legal Counsel: Legal and regulatory guidance
Communications Lead: Internal and external communications
DPO: Data protection and privacy guidance

10.2 Incident Response Phases

Our incident response process follows the NIST SP 800-61 framework:

Phase 1: Preparation

Maintain incident response runbooks and playbooks
Conduct regular tabletop exercises and simulations
Ensure tools, access, and resources are available

Phase 2: Detection and Analysis

Monitor security alerts from multiple sources (SIEM, IDS/IPS, EDR, logs, user reports)
Triage and classify incidents by severity
Gather and preserve evidence
Determine the scope and impact of the incident

Phase 3: Containment, Eradication, and Recovery

Short-term containment (isolate affected systems)
Long-term containment (apply temporary fixes)
Eradication (remove the root cause)
Recovery (restore systems to normal operation)
Verification (confirm that systems are secure)

Phase 4: Post-Incident Activity

Conduct a formal post-mortem and lessons learned review
Update incident response plans and procedures
Implement preventive measures
Provide notification to affected parties (where required)

10.3 Incident Severity Levels

Severity	Description	Response Time	Reporting
Critical	Active data breach, system compromise, ransomware	Immediate (15 min)	DPO, executive team, regulators, affected users
High	Significant vulnerability, targeted attack, unauthorized access	1 hour	DPO, security team, affected users (if applicable)
Medium	Suspicious activity, policy violation, isolated malware	4 hours	Security team
Low	Minor policy violation, false positive, informational	24 hours	Security team

10.4 Data Breach Notification

In the event of a personal data breach, we will:

01Contain: Immediately contain the breach and prevent further data loss
02Assess: Investigate the scope, cause, and impact of the breach
03Notify Supervisory Authority: Notify the relevant data protection authority within 72 hours (GDPR Article 33)
04Notify Affected Users: Notify affected individuals without undue delay (GDPR Article 34)
05Document: Document all facts, actions, and decisions related to the breach
06Remediate: Implement measures to prevent recurrence

11. Business Continuity and Disaster Recovery

11.1 Business Continuity Plan (BCP)

We maintain a comprehensive Business Continuity Plan that ensures the continued operation of critical business functions during and after a disruption. Our BCP covers:

Critical Business Functions: Identification and prioritization of essential services and operations
Recovery Time Objectives (RTO) : Maximum acceptable downtime for each service
Recovery Point Objectives (RPO) : Maximum acceptable data loss for each service
Alternate Facilities: Designated alternate work locations and infrastructure
Crisis Management: Escalation procedures and decision-making authority

11.2 Disaster Recovery Plan (DRP)

Our Disaster Recovery Plan ensures technical recovery of systems and data:

Component	RTO	RPO	Recovery Strategy
Critical applications	4 hours	15 minutes	Active-active multi-region deployment
Core applications	24 hours	1 hour	Active-passive with automated failover
Non-critical applications	72 hours	24 hours	Backup and restore
Customer data	4 hours	15 minutes	Continuous replication and automated backups
Logging and analytics	24 hours	4 hours	Backup and restore

11.3 Backup Strategy

Frequency: Critical data is backed up continuously; other data is backed up at least daily
Encryption: All backups are encrypted at rest and in transit (AES-256)
Storage: Backups are stored in geographically separate locations from primary data
Retention: Daily backups retained for 30 days, weekly backups for 3 months, monthly backups for 12 months
Testing: Backup restoration is tested on a quarterly basis

11.4 Testing

We conduct regular testing of our business continuity and disaster recovery capabilities:

Tabletop Exercises: Quarterly tabletop exercises for key scenarios
DR Drills: Semi-annual full-scale disaster recovery drills
Backup Restoration: Quarterly testing of backup restoration processes

12. Third-Party Security

12.1 Vendor Security Assessment

We evaluate the security posture of all third-party service providers, vendors, and partners before engagement and on an ongoing basis:

Security Questionnaire: All vendors complete a comprehensive security assessment
Due Diligence: Review of security certifications, audit reports, and compliance documentation
Risk Rating: Vendors are assigned a risk rating based on the sensitivity of data they handle
Contractual Security Requirements: All vendor contracts include security and data protection obligations
Ongoing Monitoring: Vendor security posture is monitored throughout the relationship

12.2 Data Processing Agreements

We enter into Data Processing Agreements (DPAs) with all vendors who process personal data on our behalf. Our DPAs include:

Description of processing activities
Security measures to be implemented
Confidentiality obligations
Sub-processing restrictions
Data breach notification obligations
Data deletion or return requirements
Audit rights

12.3 Sub-Processor Management

Approval: All sub-processors require our prior written approval
Notification: We notify customers of any changes to sub-processors
Contractual Flow-Down: The same data protection obligations apply to sub-processors

12.4 Customer Security Responsibilities

While we implement strong security measures, customers also play a role in maintaining security:

Account Credentials: Keep your passwords secure and enable MFA
API Keys: Protect your API keys and rotate them regularly
Software Updates: Keep our applications updated to the latest versions
Reporting: Report any security concerns or suspicious activity to us immediately

13. Employee Security

13.1 Background Checks

All employees, contractors, and temporary staff undergo background checks prior to engagement, including:

Identity verification
Criminal background check
Employment history verification
Education and credential verification
(Where legally permissible and role-appropriate)

13.2 Security Training

All employees complete mandatory security training:

Onboarding Training: Completed before system access is granted
Annual Refresh Training: Completed by all employees annually
Role-Specific Training: Additional training for roles with elevated access or responsibilities
Phishing Simulations: Regular simulated phishing campaigns to test awareness
Just-in-Time Training: Targeted training upon detection of risky behavior

13.3 Confidentiality

All employees and contractors are required to sign:

Confidentiality Agreement: Binding agreement to protect company and customer data
Acceptable Use Policy: Agreement to use company systems and data responsibly
Code of Conduct: Agreement to ethical behavior and professional standards

13.4 Remote Work Security

Employees working remotely must comply with our Remote Work Security Policy, which includes:

Use of company-managed devices with endpoint security software
VPN connection for access to internal systems
Multi-factor authentication for all corporate accounts
Physical security of devices in public spaces
Secure Wi-Fi networks (no public or unsecured networks)

13.5 Offboarding

When an employee leaves OUTGRAVE:

All system access is revoked immediately
Company devices are collected and wiped
Shared credentials and secrets are rotated
A security exit interview is conducted
Confidentiality obligations are reaffirmed

14. Physical Security

14.1 Data Center Security

Our cloud infrastructure is hosted in data centers managed by our cloud providers (AWS, GCP, Vercel, Cloudflare). These data centers implement comprehensive physical security measures, including:

Perimeter Security: Fencing, barriers, and secure entry points
Access Control: Multi-factor authentication, biometric scanners, and proximity cards
Monitoring: 24/7 CCTV surveillance with video retention
On-Site Security: 24/7 security personnel
Environmental Controls: Fire suppression, climate control, power redundancy
Visitor Management: Escorted access, visitor logs, and identification requirements

14.2 Office Security

Our physical office locations implement:

Access Control: Key card or biometric access systems
Visitor Management: Registration, badging, and escorts for visitors
Alarm Systems: Monitored intrusion detection systems
Secure Storage: Locked cabinets and secure areas for sensitive equipment
Clean Desk Policy: Requirement to secure sensitive materials when unattended

15. Compliance and Certifications

15.1 Regulatory Compliance

We comply with applicable data protection and privacy regulations, including:

Regulation	Jurisdiction	Scope
GDPR (General Data Protection Regulation)	European Economic Area	Personal data of EEA residents
UK GDPR (UK General Data Protection Regulation)	United Kingdom	Personal data of UK residents
CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)	California, USA	Personal information of California residents
VCDPA (Virginia Consumer Data Protection Act)	Virginia, USA	Personal data of Virginia residents
CPA (Colorado Privacy Act)	Colorado, USA	Personal data of Colorado residents
CTDPA (Connecticut Data Privacy Act)	Connecticut, USA	Personal data of Connecticut residents
UCPA (Utah Consumer Privacy Act)	Utah, USA	Personal data of Utah residents
PIPEDA (Personal Information Protection and Electronic Documents Act)	Canada	Personal information of Canadian residents
LGPD (Lei Geral de Protecao de Dados)	Brazil	Personal data of Brazilian residents
DPDP Act (Digital Personal Data Protection Act)	India	Personal data of Indian residents

15.2 Compliance Monitoring

We continuously monitor our compliance through:

Internal Audits: Regular self-assessments against compliance requirements
External Audits: Independent third-party assessments
Automated Compliance Checks: Infrastructure-as-code compliance scanning
Gap Analysis: Periodic gap analysis against regulatory requirements

15.3 Certifications

We are committed to achieving and maintaining industry-recognized security certifications. For our current certification status, please contact us at security@outgrave.com.

16. Security Awareness and Training

16.1 Training Programs

We provide comprehensive security training to ensure all employees understand their security responsibilities:

Training Module	Audience	Frequency
Security Fundamentals	All employees	Upon hire, annually
Phishing Awareness	All employees	Upon hire, semi-annually
Data Protection and Privacy	All employees	Upon hire, annually
Secure Coding	Developers	Upon hire, annually
Cloud Security	Infrastructure team	Upon hire, annually
Incident Response	CSIRT members	Quarterly
Physical Security	All employees	Upon hire, annually
Social Engineering Awareness	All employees	Annually

16.2 Phishing Simulations

We conduct regular phishing simulations to test and improve employee awareness:

Frequency: Monthly simulated phishing campaigns
Variety: Different phishing techniques (credential harvesting, malware delivery, spear phishing)
Feedback: Immediate feedback and training for employees who fail simulations
Reporting: Encouragement to report suspected phishing attempts

16.3 Security Champions Program

We maintain a Security Champions program that identifies and empowers security advocates within development and operations teams. Security Champions:

Act as liaisons between their teams and the security team
Review security requirements and designs
Promote security best practices within their teams
Assist with security incident response

17. Responsible Disclosure Policy

17.1 Our Commitment

We value the contributions of security researchers and the broader security community. We are committed to working with researchers who report security vulnerabilities to us responsibly and in good faith.

17.2 What We Ask of Researchers

If you discover a security vulnerability in our Services, we ask that you:

01Report Privately: Submit your findings to security@outgrave.com — do not disclose the vulnerability publicly until we have had an opportunity to investigate and remediate
02Provide Details: Include sufficient information to allow us to reproduce and validate the vulnerability, including:

Type of vulnerability
Affected URL or component
Steps to reproduce
Proof of concept or exploit code
Your contact information

01Act in Good Faith: Do not:

Access, modify, or delete data that does not belong to you
Perform actions that could degrade the performance of our Services
Use social engineering, phishing, or physical attacks
Violate any applicable laws

17.3 What We Promise

If you report a vulnerability to us responsibly, we promise to:

01Acknowledge: Respond to your report within 24 hours
02Validate: Investigate and validate the reported vulnerability
03Remediate: Develop and deploy a fix within a reasonable timeframe based on severity
04Disclose: Coordinate public disclosure with you after the fix has been deployed
05Recognize: Acknowledge your contribution (with your permission) in our security acknowledgments

17.4 Safe Harbor

We will not pursue legal action against researchers who:

Report vulnerabilities in accordance with this Responsible Disclosure Policy
Make a good faith effort to avoid privacy violations, data destruction, and service interruption
Cease testing upon notification that their activities are causing harm

18. Bug Bounty Program

18.1 Program Overview

We operate a Bug Bounty Program to encourage and reward the responsible disclosure of security vulnerabilities. The program is open to security researchers worldwide.

18.2 Scope

The Bug Bounty Program covers:

Our websites and web applications
Our mobile applications (iOS and Android)
Our API endpoints
Our infrastructure and cloud services
Our desktop applications

The following are explicitly out of scope:

Third-party services and integrations
Physical security attacks
Social engineering attacks
Denial of Service (DoS) attacks
Spam or phishing attacks
Self-XSS vulnerabilities
Missing security headers without exploitable impact
Rate limiting issues without demonstrated impact

18.3 Bounty Rewards

Vulnerability Severity	Bounty Range
Critical	$1,000 - $5,000
High	$500 - $1,000
Medium	$100 - $500
Low	$50 - $100

Bounty amounts are determined based on:

Impact and exploitability of the vulnerability
Quality and completeness of the report
Uniqueness of the finding

18.4 How to Participate

01Find a security vulnerability within scope
02Report it to security@outgrave.com with full details
03Allow us reasonable time to investigate and fix the issue
04Receive acknowledgment and (if applicable) a bounty reward

18.5 Eligibility

To be eligible for a bounty reward, you must:

Be the first person to report the vulnerability
Not be a current or former employee of OUTGRAVE
Not be subject to any government sanctions or restrictions
Comply with all applicable laws and our Responsible Disclosure Policy
Provide a clear, reproducible report

19. Security Contact

19.1 Reporting Security Issues

If you have discovered a security vulnerability, have a security concern, or wish to report a security incident, please contact our security team:

Email: security@outgrave.com PGP Key: Available upon request Response Time: We will acknowledge your report within 24 hours

19.2 Urgent Security Issues

For urgent security issues or active incidents, please use the contact information above and mark your email with [URGENT] in the subject line.

19.3 Non-Security Inquiries

For non-security inquiries, please use the appropriate contact:

Privacy Questions: privacy@outgrave.com
Legal Notices: legal@outgrave.com
General Support: support@outgrave.com

19.4 Status and Updates

For the latest security updates, service status, and incident reports, please visit our status page at [status.outgrave.com — coming soon].

This Security page was last updated on June 4, 2026. We review and update this page regularly to reflect changes in our security practices.

Security

Table of Contents