# Security Policy

Last updated: March 16, 2026

## Our Commitment

Recovered Hours takes security seriously. The controls described below are how we protect your data.

---

## Data Protection

### Encryption
- **In transit:** All data is encrypted with TLS 1.3 between your browser and our servers
- **At rest:** All stored data is encrypted with AES-256
- **Backups:** Encrypted and stored in a separate geographic location from production

### Access Control
- Role-based access control (RBAC) for all systems
- Multi-factor authentication required for all team members
- Least-privilege access: team members receive only the access their role requires
- Quarterly access reviews

### Network Security
- Web Application Firewall (WAF) on all endpoints
- DDoS protection
- Quarterly penetration testing
- Intrusion detection systems

---

## Compliance

### GDPR Compliance
- Data Processing Agreement (DPA) available
- Right to erasure (deletion) honored
- Data portability supported
- Records of processing activities maintained

### Industry Standards
- SOC 2 Type II audit in progress (not yet complete)
- ISO 27001 certified infrastructure
- PCI DSS compliant (for payment processing)

---

## Incident Response

### Our Process
1. **Detection:** Automated monitoring 24/7
2. **Analysis:** Security team alerted within 15 minutes of detection
3. **Containment:** Immediate isolation of affected systems
4. **Notification:** You will be notified within 72 hours of any breach affecting your data
5. **Resolution:** Full root cause analysis and remediation

### Contact
If you discover a security issue, contact us immediately:
- Email: security@recoveredhours.com
- Initial response: within 24 hours

---

## Your Responsibilities

While we secure our systems, please also:
- Use a strong password that you do not reuse on other sites
- Enable two-factor authentication
- Don't share credentials
- Report suspicious activity immediately

---

## Updates

We update this policy periodically. Significant changes will be communicated via email.

Questions? Contact us at hello@recoveredhours.com