
Security

Last updated: May 2, 2026

Security is a foundation of how we build Jettson, not a checkbox. This page summarizes the technical, operational, and procedural controls we have in place. For deeper assurance, see our subprocessor list and Privacy Policy.

Encryption

  • In transit: TLS 1.2+ on every connection. HSTS preloaded with a two-year max-age.
  • At rest: AES-256 on every database, file store, and backup (Firestore + Cloud Storage default encryption).
  • Secrets: Server-side only, in environment variables; never committed to source.
  • Cookies: HttpOnly + Secure + SameSite=Lax for auth state.

Authentication & access control

  • Google, Apple, and Microsoft Sign-In via OAuth 2.0 with CSRF-safe state cookies.
  • Server-side Firebase ID-token verification on every authenticated API route.
  • Per-user data isolation: every read scopes to users/{uid}/... in Firestore.
  • Rate limiting on auth, account, and high-value endpoints; per-IP and per-uid keys.
  • Cloudflare Turnstile bot mitigation on signup.

HTTP security headers

Every response carries:

  • Strict-Transport-Security (preloaded, two-year max-age)
  • Content-Security-Policy (restricts script, style, font, connect, frame, object sources)
  • X-Content-Type-Options: nosniff
  • X-Frame-Options: SAMEORIGIN + CSP frame-ancestors
  • Referrer-Policy: strict-origin-when-cross-origin
  • Permissions-Policy (camera, microphone, geolocation, payment, USB)
  • Cross-Origin-Opener-Policy + Cross-Origin-Resource-Policy
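
A check that a response actually carries the set above, as an added example (not Jettson's code). It assumes headers arrive as a name-to-value object, as Node's http module exposes them; the one-year max-age threshold is the minimum hstspreload.org accepts, and the two sample header sets are constructed for the example.

```javascript
// Added example, not Jettson's code: checking a response's headers against the
// list above. Assumptions: headers arrive as an object of name -> value (case is
// normalised here); the one-year HSTS threshold is the hstspreload.org minimum.
const ONE_YEAR_SECONDS = 31536000;

function parseHsts(value) {
  const out = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(";")) {
    const [name, v] = part.trim().split("=");
    const key = name.toLowerCase();
    if (key === "max-age") out.maxAge = Number(v);
    else if (key === "includesubdomains") out.includeSubDomains = true;
    else if (key === "preload") out.preload = true;
  }
  return out;
}

function parseCsp(value) {
  const directives = new Map();
  for (const d of value.split(";")) {
    const tokens = d.trim().split(/\s+/).filter(Boolean);
    if (tokens.length) directives.set(tokens[0].toLowerCase(), tokens.slice(1));
  }
  return directives;
}

// Returns findings; an empty array means every header on the list is present
// with the strength the page describes.
function auditHeaders(headers) {
  const h = {};
  for (const [k, v] of Object.entries(headers)) h[k.toLowerCase()] = String(v);
  const findings = [];

  if (!h["strict-transport-security"]) findings.push("HSTS missing");
  else {
    const hsts = parseHsts(h["strict-transport-security"]);
    if (!(hsts.maxAge >= ONE_YEAR_SECONDS)) findings.push("HSTS max-age below one year");
    if (!hsts.includeSubDomains || !hsts.preload) findings.push("HSTS not preload-eligible");
  }

  if (!h["content-security-policy"]) findings.push("CSP missing");
  else {
    const csp = parseCsp(h["content-security-policy"]);
    // script-src and object-src fall back to default-src; frame-ancestors does not.
    for (const dir of ["script-src", "object-src"]) {
      if (!csp.has(dir) && !csp.has("default-src")) findings.push(`CSP lacks ${dir}`);
    }
    if (!csp.has("frame-ancestors")) findings.push("CSP lacks frame-ancestors");
    const scriptSrc = csp.get("script-src") || csp.get("default-src") || [];
    if (scriptSrc.includes("'unsafe-inline'") || scriptSrc.includes("*")) {
      findings.push("CSP allows inline or wildcard scripts");
    }
  }

  const exact = {
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
  };
  for (const [name, want] of Object.entries(exact)) {
    if ((h[name] || "").toLowerCase() !== want) findings.push(`${name} is not "${want}"`);
  }
  for (const name of ["x-frame-options", "permissions-policy",
                      "cross-origin-opener-policy", "cross-origin-resource-policy"]) {
    if (!h[name]) findings.push(`${name} missing`);
  }
  return findings;
}

// Constructed samples: the header set this page describes, and a weak one.
const STRONG_HEADERS = {
  "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
  "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'self'",
  "X-Content-Type-Options": "nosniff",
  "X-Frame-Options": "SAMEORIGIN",
  "Referrer-Policy": "strict-origin-when-cross-origin",
  "Permissions-Policy": "camera=(), microphone=(), geolocation=(), payment=(), usb=()",
  "Cross-Origin-Opener-Policy": "same-origin",
  "Cross-Origin-Resource-Policy": "same-origin",
};
const WEAK_HEADERS = {
  "Strict-Transport-Security": "max-age=86400",
  "Content-Security-Policy": "default-src 'self' 'unsafe-inline'",
  "X-Content-Type-Options": "nosniff",
};
```

Run it over the headers from `curl -sI` against the app origin and, separately, against an API route and an error page: "every response" is the part that usually slips, because framework error handlers and static-asset paths often bypass the middleware that sets these.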

Activity transparency

  • Every action Jettson takes on your behalf — emails sent, PDFs generated, calendar events created, integrations connected — is recorded in a per-user audit log.
  • Recipients and identifiers are redacted in the log (e.g. abc***@domain.com) so the activity trail itself never leaks contacts.
  • Audit entries are server-write only — Firestore rules block client-side writes, so the trail can't be tampered with from the user's session.
  • You can review your full activity in /studio/settings → Activity at any time.
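
The redaction step a server-side audit writer applies before anything reaches the log, shown as an added example rather than Jettson's code. It assumes entries are written only by server code holding admin credentials (the client-side write block lives in Firestore rules, which are not shown), and the prefix rule it uses, keeping three characters only when at least six exist, is this example's policy, not a documented one.

```javascript
// Added example, not Jettson's code: redacting identifiers in the abc***@domain.com
// style before an audit entry is written. Assumptions: entries are written only by
// server code holding admin credentials (the client-side write block lives in
// Firestore rules, not shown); the prefix rule (keep 3 characters only when at
// least 6 exist) is this example's policy, not a documented one.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;

function redactEmail(address) {
  const at = address.lastIndexOf("@");
  if (at <= 0 || at === address.length - 1) return "***";
  const local = address.slice(0, at);
  const domain = address.slice(at + 1);
  // Reveal a prefix only when at least half of the local part stays hidden.
  const keep = local.length >= 6 ? local.slice(0, 3) : "";
  return `${keep}***@${domain}`;
}

// Non-email identifiers (phone numbers, external contact ids) keep a short prefix.
function redactIdentifier(value) {
  const s = String(value).trim();
  if (s.includes("@")) return redactEmail(s);
  return s.length >= 8 ? `${s.slice(0, 3)}***` : "***";
}

// Free-text fields can smuggle addresses past a per-field redaction, so they are
// scanned too.
function redactText(text) {
  return String(text).replace(EMAIL_RE, (m) => redactEmail(m));
}

function buildAuditEntry({ uid, action, recipients = [], note = "" }, now = new Date()) {
  if (typeof uid !== "string" || !uid) throw new TypeError("uid required");
  if (typeof action !== "string" || !action) throw new TypeError("action required");
  return {
    uid,
    action,
    recipients: recipients.map(redactIdentifier),
    note: redactText(note),
    at: now.toISOString(),
    source: "server", // the only writer; rules deny client writes
  };
}
```

The point of redacting at construction time rather than at display time is that the stored document never contains the raw address, so a leaked export of the audit collection leaks no contacts either.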

Application security

  • Input validation at every API boundary (zod schemas via the withGuards wrapper).
  • All data access goes through the Firestore SDK's structured query API; no query is assembled from user-supplied strings, and there is no SQL anywhere in the stack.
  • Prompt-injection guard wraps all attacker-controlled content (email bodies, calendar invites) in clearly delimited fences before passing to the LLM.
  • Stripe webhooks signature-verified with timestamp tolerance.
  • File uploads: type allowlist, size cap, server-side MIME validation, randomly named storage paths.
  • No raw payment card data ever touches our servers — Stripe Elements/Checkout only.

Operational security

  • Continuous compliance scanner runs on a cron and emails alerts on any high-severity drift.
  • Dependency vulnerability scanning (npm audit) on every release.
  • Sentry error monitoring with PII scrubbed at the SDK layer.
  • Audit log of sensitive events (auth failures, rate-limit breaches, suspicious input) retained for 90 days.
  • Principle of least privilege: each Firebase Admin invocation runs scoped to the action it performs.
  • Quarterly internal threat-model review.
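
What "PII scrubbed at the SDK layer" looks like for Sentry, as an added example that is not Jettson's code. Sentry's Node SDK accepts a beforeSend(event, hint) hook in Sentry.init and transmits whatever it returns (returning null drops the event); the sample event, the sensitive-key list and the patterns here are this example's choices.

```javascript
// Added example, not Jettson's code: a beforeSend hook that strips PII from an
// error event before the SDK transmits it. Sentry's Node SDK accepts
// beforeSend(event, hint) in Sentry.init and sends whatever it returns (null drops
// the event); the event below is a constructed sample, and the key list and
// patterns are this example's choices.
const EMAIL_RE = /[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}/g;
const IPV4_RE = /\b(?:\d{1,3}\.){3}\d{1,3}\b/g;
const SENSITIVE_KEYS = new Set([
  "authorization", "cookie", "set-cookie", "x-api-key",
  "password", "token", "id_token", "access_token", "refresh_token",
]);

function scrubString(s) {
  return s.replace(EMAIL_RE, "[email]").replace(IPV4_RE, "[ip]");
}

// Walks the event without mutating it; values under sensitive keys are replaced
// wholesale, every other string is pattern-scrubbed.
function scrubValue(value, key = "") {
  if (SENSITIVE_KEYS.has(key.toLowerCase())) return "[redacted]";
  if (typeof value === "string") return scrubString(value);
  if (Array.isArray(value)) return value.map((v) => scrubValue(v));
  if (value && typeof value === "object") {
    const out = {};
    for (const [k, v] of Object.entries(value)) out[k] = scrubValue(v, k);
    return out;
  }
  return value;
}

function beforeSend(event, _hint) {
  const scrubbed = scrubValue(event);
  // Correlate by stable user id only; never email, username or IP address.
  if (scrubbed.user) scrubbed.user = scrubbed.user.id ? { id: scrubbed.user.id } : undefined;
  return scrubbed;
}

// Constructed sample resembling what the SDK builds for a failed request.
const SAMPLE_EVENT = {
  message: "Mail send failed for alice@example.com from 203.0.113.7",
  user: { id: "uid_123", email: "alice@example.com", ip_address: "203.0.113.7" },
  request: {
    url: "https://app.example.test/api/send?to=bob@example.com",
    headers: { Authorization: "Bearer eyJ...", Cookie: "session=abc", "User-Agent": "curl/8" },
  },
  extra: { attempt: 2 },
};
```

Pass the hook as `beforeSend` in `Sentry.init` and leave `sendDefaultPii` at its default of false; the hook is the backstop for whatever your own code puts into messages, breadcrumbs and extras, which the SDK's defaults know nothing about.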

Data residency & sub-processors

Primary data (Firestore + Cloud Storage) is stored in us-central1. AI inference providers process data in the United States. See the subprocessor list for the complete map of where data flows and the DPAs that govern each relationship.

Compliance posture

  • GDPR & UK GDPR — lawful basis documented, DPA available, SCCs for transfers.
  • CCPA / CPRA — "Do Not Sell" honored; consumer rights covered.
  • PIPEDA, LGPD — referenced in our privacy policy.
  • WCAG 2.1 AA — partial conformance; see our Accessibility Statement.
  • HIPAA — Jettson is not a HIPAA-covered product. Do not use Jettson with Protected Health Information.
  • SOC 2 Type II — on the 2026 roadmap; documentation available on request for enterprise customers.

Vulnerability disclosure

We welcome reports from security researchers. To responsibly disclose a vulnerability:

  • Email security@jettson.ai with reproduction steps.
  • Or use the security.txt contact channels.
  • We acknowledge reports within two business days and aim to triage critical findings within 24 hours.
  • We do not currently run a paid bug-bounty program but credit researchers in our changelog with permission.
  • Please do not run automated scans that disrupt service, attempt social engineering, or exfiltrate data beyond proof-of-concept.

Incident response

We follow a documented incident-response runbook covering detection, containment, eradication, recovery, and post-mortem. In the event of a confirmed personal-data breach, we notify affected customers within 72 hours and post a transparency report. That window matches the GDPR Art. 33 deadline for notifying the supervisory authority; GDPR Art. 34 and California's breach-notification statute (Cal. Civ. Code §1798.82) separately require that affected individuals be notified without undue delay.

Status & uptime

Real-time service status is published at jettson.ai/status. Our SLA is documented in our enterprise agreements; service credits are the sole remedy for failure to meet committed uptime.

Contact

Security issues: security@jettson.ai
Privacy / DPA: privacy@jettson.ai
General: support@jettson.ai