Security
Last updated: December 28, 2025
At Opensure, we take the security of your data seriously. This page outlines the security measures we implement to protect the Opensure platform and your information.
Security Audits
We conduct regular comprehensive security audits using industry-standard tools and methodologies.
Latest Audit: December 2025
Overall Security Posture: Moderate-Strong (3.2/5)
Our most recent audit was performed using:
- Semgrep SAST Scanner - Static Application Security Testing
- Multi-Agent Security Review - Django, Frontend, API, Docker, Secrets, Auth analysis
- Automated Vulnerability Scanning - CI/CD integrated
Audit Schedule: Quarterly comprehensive audits with continuous automated scanning.
Infrastructure Security
Cloud Hosting
- Hosted on Google Cloud Platform (GCP) with SOC 2 Type II certification
- All data stored in US-based data centers
- Automatic failover and disaster recovery systems
- Regular infrastructure security audits
- Cloud Run with resource limits and health checks
Network Security
- All traffic encrypted with TLS 1.3
- Web Application Firewall (WAF) protection
- DDoS mitigation via Cloudflare
- HSTS preload enabled (max-age: 31536000)
- Regular penetration testing
Data Protection
Encryption
- In Transit: All data encrypted using TLS 1.3
- At Rest: Database encryption using AES-256
- Secrets Management: Fernet encryption for sensitive credentials
- Database Connections: SSL required for all database connections
Database Security
- PostgreSQL with automated backups
- Point-in-time recovery capability
- Network isolation with private subnets
- Access restricted to application layer only
Application Security
Authentication
- Secure authentication via Auth0
- Support for Single Sign-On (SSO)
- Multi-factor authentication (MFA) available
- Session management with automatic timeout
- Argon2 password hashing (OWASP recommended)
- JWT + Session-based authentication
Access Control
- Role-based access control (RBAC)
- Principle of least privilege
- Audit logging of all access events
- API key management with scoped permissions
- Multi-tenant isolation
Production Security Settings
| Setting | Status |
|---|---|
| DEBUG mode disabled | Enforced |
| HTTPS redirect | Enabled |
| HSTS preload | Enabled |
| Secure cookies | Enabled |
| HttpOnly cookies | Enabled |
| X-Frame-Options | DENY |
| Content-Type sniffing protection | Enabled |
| CORS restrictions | Enforced |
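As an added illustration of the table above (not Opensure's own code), the following Python check verifies that a Django settings dictionary satisfies each row, using the standard Django and django-cors-headers setting names. The sample dictionaries and the origin https://app.example.com are constructed for the example.

```python
# Added example, not Opensure's code: audit a Django settings dict against the
# production hardening table. Pass vars(django.conf.settings) in a real project.

HSTS_ONE_YEAR = 31536000  # the max-age the page states for HSTS preload

def _cors_restricted(s: dict) -> bool:
    """CORS counts as enforced only with an explicit allow-list and no wildcard."""
    if s.get("CORS_ALLOW_ALL_ORIGINS", False):
        return False
    origins = s.get("CORS_ALLOWED_ORIGINS", [])
    return bool(origins) and "*" not in origins

# (table row, predicate). Missing keys fall back to Django's own defaults.
RULES = [
    ("DEBUG mode disabled", lambda s: s.get("DEBUG", False) is False),
    ("HTTPS redirect", lambda s: s.get("SECURE_SSL_REDIRECT", False) is True),
    ("HSTS preload", lambda s: s.get("SECURE_HSTS_SECONDS", 0) >= HSTS_ONE_YEAR
        and s.get("SECURE_HSTS_INCLUDE_SUBDOMAINS", False) is True
        and s.get("SECURE_HSTS_PRELOAD", False) is True),
    ("Secure cookies", lambda s: s.get("SESSION_COOKIE_SECURE", False) is True
        and s.get("CSRF_COOKIE_SECURE", False) is True),
    ("HttpOnly cookies", lambda s: s.get("SESSION_COOKIE_HTTPONLY", True) is True),
    ("X-Frame-Options", lambda s: s.get("X_FRAME_OPTIONS", "DENY") == "DENY"),
    ("Content-Type sniffing protection",
        lambda s: s.get("SECURE_CONTENT_TYPE_NOSNIFF", True) is True),
    ("CORS restrictions", _cors_restricted),
]

def audit_settings(settings: dict) -> list[str]:
    """Return the table rows the given settings fail to satisfy (empty = all pass)."""
    return [name for name, ok in RULES if not ok(settings)]

# Constructed sample: a development configuration left in place, with
# X-Frame-Options explicitly relaxed and CORS opened to every origin.
WEAK = {"DEBUG": True, "X_FRAME_OPTIONS": "SAMEORIGIN", "CORS_ALLOW_ALL_ORIGINS": True}

# Constructed sample: every row of the table satisfied.
HARDENED = {
    "DEBUG": False, "SECURE_SSL_REDIRECT": True,
    "SECURE_HSTS_SECONDS": HSTS_ONE_YEAR, "SECURE_HSTS_INCLUDE_SUBDOMAINS": True,
    "SECURE_HSTS_PRELOAD": True,
    "SESSION_COOKIE_SECURE": True, "CSRF_COOKIE_SECURE": True,
    "SESSION_COOKIE_HTTPONLY": True, "SECURE_CONTENT_TYPE_NOSNIFF": True,
    "X_FRAME_OPTIONS": "DENY",
    "CORS_ALLOWED_ORIGINS": ["https://app.example.com"],  # placeholder origin
}
```

Running `audit_settings(WEAK)` lists the six failing rows; HttpOnly and nosniff pass because Django enables them by default.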
Code Security
- Automated Semgrep security scanning in CI/CD pipeline
- Dependency vulnerability monitoring
- Regular code reviews
- Pre-commit hooks for secrets detection
- Multi-stage Docker builds
- Non-root container execution
Browser Extension Security
Permissions
The Opensure Marketfinder extension requests only necessary permissions:
- activeTab: Access current tab only when activated
- storage: Store user preferences locally
- identity: Authenticate with Opensure account
Data Handling
- No background data collection
- Data processed only on user action
- No tracking of browsing history
- Local storage encrypted
- Short-lived authentication tokens
Container Security
- Non-root user execution (appuser, UID 1000)
- Multi-stage builds to minimize attack surface
- Resource limits configured
- Health checks implemented
- Regular base image updates
Compliance
Standards
- SOC 2 Type II (via cloud provider)
- GDPR compliant data handling
- CCPA compliant for California residents
- OWASP Top 10 security guidelines followed
Data Residency
- All customer data stored in the United States
- No data transferred to third countries without consent
Incident Response
Monitoring
- 24/7 automated security monitoring
- Real-time alerting for suspicious activity
- Log aggregation and analysis
- Continuous vulnerability scanning
Response Process
- Detection and triage
- Containment and investigation
- Remediation and recovery
- Post-incident review
- Customer notification (if applicable)
Vulnerability Disclosure
If you discover a security vulnerability, please report it responsibly:
Email: [email protected]
We commit to:
- Acknowledge receipt within 24 hours
- Provide an initial assessment within 72 hours
- Work with you to understand and resolve the issue
- Credit reporters in our security acknowledgments (if desired)
Please do not publicly disclose vulnerabilities until we have addressed them.
Security Updates
We continuously improve our security posture. Major security updates are communicated through:
- In-app notifications
- Email to account administrators
- Updates to this security page
Recent Security Improvements
- Enhanced SQL injection protections
- Strengthened rate limiting on API endpoints
- Improved nginx security headers
- Added webhook replay protection
- Enhanced token management
Contact
For security-related inquiries:
InsureCert Systems Inc.
Email: [email protected]
