Security Policy

Last updated: January 3, 2026

Our Commitment to Security

At 1raket, we take security seriously. We implement industry-standard security measures to protect your personal information, financial data, and creative content. This policy outlines our security practices and your responsibilities in keeping your account secure.

Security is a shared responsibility. While we work hard to protect our platform and your data, we need your help to keep your account safe.

1. How We Protect the Platform

We employ multiple layers of security to protect 1raket and your data:

Infrastructure Security

  • Transport Layer Security (TLS): All connections to 1raket are encrypted using TLS 1.2 or higher. We exclusively serve traffic over HTTPS to ensure all data transmitted between your browser and our servers is encrypted.
  • Cloud Infrastructure: Our platform is hosted on secure cloud infrastructure with 24/7 monitoring, automatic backups, and redundancy.
  • Database Security: We use Supabase with Row Level Security (RLS) policies that enforce data access controls at the database level.
  • Secure Storage: Files and media are stored on AWS S3 with encryption at rest and served through CloudFront CDN with secure access controls.
  • Regular Security Audits: We conduct regular security assessments and system audits to identify and address vulnerabilities.

Application Security

  • Input Validation: All user inputs are validated and sanitized to prevent injection attacks (SQL injection, XSS, etc.).
  • CAPTCHA Protection: Google reCAPTCHA Enterprise protects against bots, automated attacks, and abuse on critical forms like registration and password reset.
  • Rate Limiting: We implement rate limiting on sensitive endpoints to prevent brute force attacks and abuse.
  • Content Security: HTML content is sanitized using industry-standard libraries to prevent malicious code injection.
  • URL Validation: External links and URLs are validated to prevent phishing and malicious redirects.

2. Data Protection and Encryption

Payment Information

We never store your complete credit card or debit card numbers. Payment processing is handled by trusted third-party payment processors (PayPal, GCash) who maintain PCI DSS compliance.

Sensitive Data Encryption

  • Passwords: All passwords are hashed with bcrypt, a salted, adaptive hashing algorithm, before storage. We never store plain-text passwords.
  • Payment Information: Payment credentials (PayPal tokens, GCash details) are encrypted before storage.
  • Personal Information: Sensitive personal information is transmitted only over encrypted HTTPS connections.
  • Database Encryption: Our database uses encryption at rest to protect stored data.

Data Access Controls

  • Limited employee access to production data, granted on a strict need-to-know basis
  • All administrative access is logged and monitored
  • Role-based access control (RBAC) for system administrators
  • Regular access reviews and privilege audits

Data Privacy: For information about how we collect, use, and protect your personal data, please see our Privacy Policy.

3. Authentication and Access Control

Secure Authentication

1raket uses NextAuth.js for secure authentication with multiple options:

  • Email and Password: Password authentication with bcrypt hashing and email verification
  • Google OAuth: Secure single sign-on through Google for simplified and secure access
  • Email Verification: Required for all email/password registrations to confirm account ownership
  • Session Management: Secure JWT-based sessions with automatic expiration

Automated Security Measures

  • CAPTCHA Verification: Deployed when suspicious activity is detected, including:
    • Login attempts from suspicious IP addresses
    • Rapid succession login attempts
    • Bot-like behavior patterns
    • Account creation and password reset requests
  • Account Lockout: Temporary lockout after multiple failed login attempts
  • Session Timeout: Automatic logout after extended periods of inactivity
  • IP Monitoring: Tracking of suspicious login patterns and unusual access locations

Password Reset Security

Our password reset process includes:

  • One-time verification codes sent to your registered email
  • Time-limited reset tokens (expire after 1 hour)
  • CAPTCHA verification to prevent automated attacks
  • Email notification when password is changed

4. Your Security Responsibilities

Your account security depends on your actions. Please follow these best practices:

Password Best Practices

  • Use Strong Passwords: Create passwords with at least 12 characters, including uppercase, lowercase, numbers, and special characters
  • Unique Passwords: Never reuse passwords across different websites or services
  • Password Managers: Use a reputable password manager to generate and store strong, unique passwords
  • Regular Updates: Change your password periodically, especially if you suspect unauthorized access
  • Never Share: Never share your password with anyone, including 1raket staff

Account Security

  • Secure Email: Protect your email account with a strong password and two-factor authentication
  • Verify Login Locations: Be alert to login notifications from unfamiliar locations
  • Log Out: Always log out when using shared or public computers
  • Monitor Activity: Regularly review your account activity for suspicious behavior
  • Report Suspicious Activity: Contact us immediately if you notice unauthorized access

Device and Browser Security

  • Keep your operating system and browser updated with latest security patches
  • Use reputable antivirus and anti-malware software
  • Avoid accessing 1raket from public or untrusted Wi-Fi networks
  • Clear browser cache and cookies regularly
  • Be cautious of phishing emails pretending to be from 1raket

Important: 1raket Will Never Ask For Your Password

We will never ask you to provide your password via email, phone, or any other method. If someone asks for your password claiming to be from 1raket, it's a scam. Report it to [email protected].

5. Prohibited Security Activities

The following activities are strictly prohibited and may result in account termination and legal action:

Unauthorized Access and Attacks

  • Brute Force Attacks: Attempting to gain unauthorized access through automated password guessing
  • Account Takeover: Attempting to access or control accounts that don't belong to you
  • Credential Stuffing: Using stolen credentials from data breaches to access accounts
  • Phishing: Attempting to steal login credentials or personal information from other users

Platform Abuse

  • Malware Distribution: Uploading, hosting, or distributing malicious software, viruses, or trojans
  • DDoS Attacks: Attempting to disrupt service availability through distributed denial-of-service attacks
  • Load Testing: Conducting unauthorized stress tests or performance testing on our infrastructure
  • Spam and Abuse: Sending unsolicited messages, automated spam, or abusive content

Data Misuse

  • Scraping: Unauthorized automated extraction of data from the platform
  • Data Mining: Using unauthorized tools to collect or index platform data
  • Personal Information Harvesting: Collecting user information without authorization
  • Reverse Engineering: Attempting to decompile, disassemble, or reverse engineer our code or APIs

Social Engineering

  • Impersonating 1raket staff or support personnel
  • Deceiving users to reveal sensitive information
  • Creating fake pages or communications that appear to be from 1raket

Consequences

Violations of this security policy will result in immediate account termination. We reserve the right to report illegal activities to law enforcement authorities and cooperate with investigations. Civil and criminal legal action may be pursued.

6. Reporting Security Issues

We welcome and encourage responsible disclosure of security vulnerabilities. If you discover a security issue, please help us protect our users by reporting it responsibly.

How to Report

Send detailed information about the security issue to:

Security Team

Email: [email protected]

Please include "Security Vulnerability Report" in the subject line.

What to Include

  • Detailed description of the vulnerability
  • Steps to reproduce the issue
  • Potential impact and severity assessment
  • Any proof-of-concept code or screenshots (if applicable)
  • Your contact information for follow-up questions

Responsible Disclosure Guidelines

  • Give us reasonable time to address the issue before public disclosure (at least 90 days)
  • Do not access, modify, or delete user data during your research
  • Do not perform testing that could harm the platform or users
  • Do not exploit the vulnerability beyond what's necessary to demonstrate it
  • Make a good faith effort to avoid privacy violations and service disruption

Bug Bounty Program

We appreciate security researchers who help us keep 1raket secure. While we don't currently have a formal bug bounty program, we recognize and thank researchers who responsibly disclose valid security issues.

Safe Harbor: We will not pursue legal action against researchers who discover and report security issues in accordance with these responsible disclosure guidelines.

7. Security Incident Response

In the event of a security incident affecting user data or platform security:

Our Response Process

  1. Detection and Assessment: Identify and assess the scope and severity of the incident
  2. Containment: Take immediate action to contain the incident and prevent further damage
  3. Investigation: Conduct a thorough investigation to understand the cause and impact
  4. Remediation: Fix vulnerabilities and restore normal operations
  5. Notification: Notify affected users and relevant authorities as required by law
  6. Post-Incident Review: Analyze the incident and implement improvements to prevent recurrence

User Notification

If a security incident affects your account or data, we will:

  • Notify you via email within 72 hours of discovering the incident (as required by the Data Privacy Act)
  • Provide details about what happened and what data was affected
  • Recommend actions you should take to protect yourself
  • Keep you updated as we learn more about the incident

If Your Account is Compromised

If you believe your account has been compromised:

  1. Change your password immediately
  2. Review recent account activity for unauthorized actions
  3. Contact us at [email protected]
  4. Change passwords on other sites if you reused the same password
  5. Monitor your financial accounts for suspicious activity

Contact Our Security Team

For security-related questions, concerns, or to report security issues:

This security policy is part of our broader commitment to protecting your data. For more information, see our Privacy Policy and Terms of Service.