Privacy Policy

Introduction:
This document outlines the security and data privacy controls that Navar
applies to protect client data and to comply with the regulations that apply
to us. We are currently working towards ISO 27001 certification and are
taking steps to prepare for the audit process.

Encryption and Data Protection

TLS Encryption:
All data transmitted between Navar and our users is encrypted using Transport Layer Security (TLS), so communications cannot be read or altered in transit.

Data Encryption at Rest and in Transit:
We use current encryption protocols to protect all data handled by our services, both while it is being transmitted and while it is stored. This applies across all platforms and interactions; the controls for each service are listed under Service-Specific Security below.

Service-Specific Security
Vercel Serverless Functions
•⁠ Purpose: Backend functions that run our application code.
•⁠ Data Collected: All application data passes through these functions in memory; nothing is persisted there.
•⁠ Location: Frankfurt, Germany
[Security Overview]

Vercel Postgres (Neon)
•⁠ Purpose: Application database.
•⁠ Data Collected: User and application data (PII).
•⁠ Hosted on: AWS data centers under the management of Neon.
•⁠ Location: Frankfurt, Germany.

Security Features:
•⁠ All connections require TLS (Postgres sslmode), so credentials and query data are never sent in cleartext. Note that sslmode=require only encrypts the connection; sslmode=verify-full additionally checks the server certificate against a trusted CA and the host name, which is what prevents an attacker from impersonating the database endpoint.
[Security overview by Neon]
•⁠ Backups: We make automatic backups of this database and store them in AWS S3.

AWS (Postgres Backups)
•⁠ Purpose: Store database backups.
•⁠ Data Collected: User and application data (PII).
•⁠ Location: eu-central-1, Frankfurt, Germany.
•⁠ Encryption: "Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects."

Upload Thing (AWS S3)
•⁠ Purpose: File storage. UploadThing is a service that wraps Amazon's S3 storage service; the relationship is detailed [here].
•⁠ Data Collected: User uploaded files (can have PII).
•⁠ Encryption: "Amazon S3 server-side encryption uses 256-bit Advanced Encryption Standard Galois/Counter Mode (AES-GCM) to encrypt all uploaded objects."
•⁠ Location: EU Central - Frankfurt
•⁠ Security: Files are not publicly readable. They are served only through short-lived signed URLs, so a link stops working after its expiry and cannot be altered to reach a different object without invalidating its signature.

Sentry
•⁠ Purpose: Real-time error tracking and monitoring.
•⁠ Data Collected: Device information, IP address and account ID. These are pseudonymous identifiers rather than names or contact details, but IP addresses and account IDs still count as personal data under the GDPR and are handled accordingly.
•⁠ Location: Frankfurt, Germany
•⁠ Anonymization: Data scrubbing is applied so that sensitive values are not retained in error events.

ChatGPT
•⁠ Purpose: Service used for AI capabilities.
•⁠ Provider: OpenAI.
•⁠ Server Location: United States.
•⁠ Privacy Features: [OpenAI’s Enterprise Privacy] outlines no model training on business data and strong encryption standards.

Anthropic (Claude 3.5 Sonnet)
•⁠ Purpose: Service used for AI capabilities.
•⁠ Provider: Anthropic.
•⁠ Server Location: Not specified by Anthropic, but indications suggest the US.
•⁠ Privacy Features: Commercial terms: "Anthropic may not train models on Customer Content from paid Services."

GitHub
•⁠ Purpose: GitHub is our central code repository platform, using Git for version control. It supports our development process (code storage, review and collaboration) and runs our CI/CD pipeline through GitHub Actions.
•⁠ Data Collected: Our application source code, plus repository metadata such as commit history and contributor details.
•⁠ Secrets Management: Sensitive values such as API keys and credentials are stored as GitHub Secrets and injected into workflows at run time, so they are never committed to the code base.
•⁠ Compliance and Certifications: GitHub complies with major standards and certifications, which helps us align with global compliance requirements.
•⁠ Security Best Practices: We follow repository security best practices, including blocking direct commits to protected branches, enforcing squash merging to keep a clean commit history, and regularly auditing repository access and external integrations.

Network Security
Vercel Firewall is now available on our Vercel plan, which removes the need for a separate DDoS protection service such as Cloudflare in front of the application.

Here are the features:
- Automated DDoS Protection: Vercel automatically protects all deployments from DDoS attacks, regardless of the subscription plan. This includes blocking abnormal or suspicious levels of incoming requests.
- Attack Challenge Mode: To further safeguard your applications, Vercel offers an Attack Challenge Mode that verifies incoming traffic to confirm its legitimacy. This mode can be activated during high-volume attacks, adding an additional layer of security.
- Web Application Firewall (WAF): The Vercel WAF allows for customized security settings, including IP blocking and specific rules tailored to your needs. Changes to the firewall configuration take effect globally within 300ms and can be instantly reverted.
- Real-Time Traffic Monitoring: The Vercel dashboard provides a live overview of your web traffic, allowing you to monitor, control, and respond to threats in real-time. This visibility is crucial for maintaining the integrity and availability of your web applications.
- TLS Fingerprints: JA3 and JA4 TLS fingerprinting lets firewall rules identify automated clients (bots and botnets) by the characteristics of their TLS handshake rather than by IP address, which is harder for an attacker to rotate.

Access Controls
To ensure secure access to our systems, we employ the following access controls:
- Two-Factor Authentication (2FA): All administrative access to our back-end and related systems is secured with 2FA, significantly reducing the risk of unauthorized access.
- Administrative Permissions: Currently, as the sole developer, I maintain root access to all systems. Plans are in place to implement a Least Privilege Permissions model as our team grows, which will restrict access based on the minimal necessary rights to perform job functions.

Monitoring
Sentry Integration: We utilize Sentry to monitor the health and performance of our website. This tool helps us detect anomalies and receive timely alerts on security or performance issues, enhancing our proactive response capabilities.

Vulnerability Management
- Dependabot: We use GitHub's Dependabot to automatically scan our repositories for known vulnerabilities in dependencies, so affected packages are updated promptly.
- GitHub Actions: Our CI/CD pipeline, implemented via GitHub Actions, runs automated linting, security checks and builds before deployment. Specific steps include:
  ESLint: Analyzes code to identify problematic patterns or code that does not adhere to our style guidelines.
  Prettier: Ensures that all code adheres to a consistent style.
  Build and Deployment: Compiles the code into deployable artifacts and deploys them to production. Because the build runs in our pipeline, Vercel receives only the built artifacts, not our source code.
- Code Review: All changes to the code base go through pull requests that must be approved before merging, ensuring oversight and maintaining coding standards.

Incident Response
Navar Incident Response Plan: We maintain an internal document that outlines the procedures to be followed in case of a security breach, ensuring a swift and effective organizational response.

Database Backups
We make automatic backups of our Vercel Postgres database with pg_dump and store them in an S3 bucket. The backup runs once a day as a Vercel Cron Job. Backup objects contain the same PII as the live database, so they are covered by the S3 server-side encryption and access controls described under AWS (Postgres Backups) above.

Contact
Mike Betts | mike@navar.ai