Last updated: 1 June 2026
Security
Overview of how we protect the Goexa platform, customer data, and editorial workflows.
1. Scope
This page describes security measures for Goexa (https://oexa.org), including the public site, admin application, APIs, and integrations. It is a high-level summary, not a warranty or certification.
2. Infrastructure
- Production traffic is served over HTTPS (TLS).
- Application secrets and API keys are stored in server environment configuration, not in client code.
- Database and authentication are provided through managed services with industry-standard controls.
3. Access control
- Admin access requires authenticated accounts with role-based permissions (editor/admin).
- Production database access is restricted to authorized operators.
- Integration tokens (e.g. Google Analytics, Search Console) are encrypted at rest where supported.
4. Application security
- We apply dependency updates and monitor for known vulnerabilities in our stack.
- Rate limits apply to sensitive endpoints (e.g. image generation, public APIs).
- Row-level security policies restrict data access by project where configured.
5. AI and content
AI providers process prompts and generated content according to their terms. Do not submit unnecessary personal data in prompts. Editorial review is required before publishing AI-assisted content.
6. Incident response
If we become aware of a security incident affecting personal data, we will investigate, mitigate, and notify affected customers or users as required by law and contract.
7. Responsible disclosure
Report suspected vulnerabilities to security@oexa.org. Please include steps to reproduce and avoid public disclosure until we acknowledge your report.
8. Shared responsibility
Customers are responsible for using strong passwords, protecting API keys, configuring integrations securely, and complying with laws applicable to their content and subscriber lists.
9. Related documents
See also our Privacy Policy and DPA.
These pages are template drafts, to be reviewed by qualified counsel before they are relied on for compliance purposes.