Security Policy

This Security Policy describes how Genchi Software Inc ("Genchi," "we," "us," or "our") protects information processed by the Genchi SaaS platform and website at www.genchi.com (the "Service"). It complements our Privacy Policy, Terms of Service, Service Level Agreement, and Subprocessors page.

Genchi is a Delaware C-Corporation registered in California and headquartered in San Francisco.

This Security Policy is effective as of [TODAY'S DATE].

Last updated: [TODAY'S DATE].

1. Introduction

Genchi takes the security of customer data seriously. This document outlines the technical and organizational measures we use to protect information entrusted to us by customers and end users. Where this policy uses the term "Customer Data," it has the meaning given in our Terms of Service.

Security is an ongoing commitment, not a one-time achievement. The practices described below reflect our current state. We continue to invest in security as our product and customer base grow, and we update this policy as those investments mature.

2. Infrastructure and Hosting

The Service is hosted on Amazon Web Services (AWS) in the United States (US-East region). We rely on AWS for physical security, environmental controls, and underlying infrastructure security. AWS is independently certified to SOC 1, SOC 2, ISO 27001, and other standards; details are available at https://aws.amazon.com/compliance/.

• Network and transport security: All connections to the Service are encrypted in transit using TLS 1.2 or higher. We use modern cipher suites and disable weak protocols. HTTPS is enforced for all user-facing endpoints.
• Database: Customer Data is stored in a managed PostgreSQL database hosted on AWS. The database is not directly exposed to the public internet; it is accessible only from the application servers within our private network.
• Backups: The database is backed up regularly through AWS-managed backup processes. Backups are retained for the period required to support recovery and dispute resolution as described in our Privacy Policy.

3. Data Protection

• Encryption at rest: Sensitive credentials, including OAuth access tokens and refresh tokens issued by integrated services (such as Atlassian Jira and Atlassian Identity), are encrypted at rest using AES-256-CBC. User passwords are not stored; instead, we store one-way bcrypt hashes.
• Encryption in transit: All traffic between users, our application servers, and third-party APIs (including Atlassian, Stripe, SendGrid, and others listed on our Subprocessors page) uses TLS 1.2 or higher.
• Tenant isolation: Customer Data is logically separated by company identifier at the application layer. Application code enforces that users can only access data belonging to their own company.
• Minimal data collection: We collect only the information reasonably necessary to provide the Service, as described in our Privacy Policy. We do not collect IP addresses or device fingerprints during normal use of the application.
• Data minimization in logs: Application logs are designed to record operational events (errors, request paths, system state) rather than user content. We do not log OAuth tokens, passwords, payment details, or imported issue content. A small number of log entries may include user email addresses for traceability of account-lifecycle events.

4. Authentication and Access Control

Users sign in to Genchi using one of the following methods:

• Email and password (passwords stored as bcrypt hashes)
• Sign in with Google (Google Identity)
• Sign in with Atlassian (Atlassian Identity, OAuth 2.0)

Session authentication uses signed JSON Web Tokens (JWTs) with appropriate expiration and rotation.

• Bot prevention: Sensitive flows such as account signup and team invitations are protected by Google reCAPTCHA to prevent automated abuse.
• Integration authentication: Genchi integrates with third-party services (Atlassian Jira, Atlassian Identity, Asana, Slack, Stripe) using each provider's standard OAuth 2.0 flows. Genchi never asks users for the passwords, API keys, or Personal Access Tokens of third-party services.
• Administrative access: Access to production systems by Genchi personnel is limited to authorized employees on a need-to-know basis. Production access is protected by SSH key authentication and is logged.
• Authorization within the Service: The Service uses a role-based model distinguishing between regular users and administrators. Sensitive operations — including connecting and disconnecting integrations, importing data from external systems, and managing team membership — require administrator role.

5. Application Security

• Secure development practices: New features are reviewed before deployment, with attention to authentication, authorization, input validation, and the handling of credentials.
• Input validation: User input is validated at the application layer. Database queries use parameterized statements to prevent SQL injection. Identifiers passed to external systems (e.g., Jira project keys passed to JQL queries) are validated against expected formats before use.
• Rate limiting: Public-facing API endpoints include rate limits to mitigate abuse and protect downstream services.
• Dependency management: Third-party dependencies are tracked and updated. We monitor security advisories for our stack (Node.js, npm, PostgreSQL, nginx, AWS components) and apply relevant updates.
• Error monitoring: Application errors are forwarded to Sentry (Functional Software, Inc.), our error monitoring sub-processor, to help us detect and resolve issues quickly. Error reports are scoped to operational metadata and do not include OAuth tokens, payment details, or imported issue content.

6. Sub-Processors and Third-Party Services

We use a small number of trusted sub-processors to deliver the Service. Each sub-processor is selected for its security posture and is bound by data processing agreements where applicable.

The current list of sub-processors is published at https://www.genchi.com/subprocessors.html. As of the effective date above, our sub-processors include:

• Amazon Web Services (AWS) — application and database hosting (US-East).
• Stripe, Inc. — payment processing.
• Functional Software, Inc. (Sentry) — error monitoring.
• Google LLC (Identity, reCAPTCHA) — authentication and bot prevention.
• Twilio, Inc. (SendGrid) — transactional email delivery.

Customer-initiated integrations with Atlassian Jira, Atlassian Identity, Asana, and Slack are not sub-processors; they are external services that customers choose to connect to their own Genchi account.

We will provide reasonable notice before adding or replacing sub-processors that handle Customer Data.

7. Vulnerability Disclosure

We welcome responsible disclosure of security vulnerabilities affecting the Service.

How to report: If you believe you have found a security issue, please contact us at security@genchi.com with:

• A description of the issue and its potential impact.
• Steps to reproduce.
• Any supporting evidence (screenshots, proof-of-concept code, etc.).

What to expect: We will acknowledge your report within five business days and provide an estimated remediation timeline based on severity. We will keep you informed of progress and notify you when the issue is resolved.

Safe harbor: We will not pursue legal action against researchers who:

• Make a good-faith effort to avoid privacy violations, data destruction, and service degradation.
• Report vulnerabilities promptly through the channel above.
• Do not exploit vulnerabilities beyond what is necessary to demonstrate them.
• Do not disclose vulnerabilities publicly before we have had a reasonable opportunity to address them.

8. Incident Response

In the event of a security incident affecting Customer Data, we will:

• Investigate promptly to determine the scope and impact.
• Take steps to contain and remediate the incident.
• Notify affected customers without undue delay, in accordance with applicable law (including GDPR Article 33 and applicable U.S. state breach notification statutes).
• Provide post-incident summaries on request.

We maintain a documented incident response process. Customer notifications will include the nature of the incident, the categories of data potentially affected, our response actions, and recommended steps for affected users.

For real-time service availability information, see our public status page at status.genchi.com.

9. Compliance

• Privacy regulations: Genchi is committed to handling personal data in accordance with applicable privacy laws, including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). For details on data subject rights and how to exercise them, see our Privacy Policy.
• GDPR roles: Genchi acts as a data controller with respect to information collected directly from app users (account, billing, usage). Genchi acts as a data processor with respect to Customer Data imported from third-party services on the customer's behalf.
• CCPA roles: Genchi is a "business" under the CCPA with respect to its direct relationship with users, and a "service provider" with respect to Customer Data processed on customers' behalf.
• Atlassian Marketplace: As a Marketplace partner, Genchi follows Atlassian's Marketplace Security Bug Fix Policy and Security Incident Communication guidelines.
• Certifications: Genchi does not currently hold third-party security certifications such as SOC 2 or ISO 27001. We will update this section as our compliance program matures.

10. Customer Responsibilities

Security is a shared responsibility. Customers are responsible for:

• Choosing strong passwords and keeping them confidential.
• Promptly notifying us of any suspected unauthorized access to their account.
• Managing user access within their organization, including timely removal of access when team members leave.
• Reviewing the data they import into Genchi and ensuring it is appropriate to share with the Service.
• Complying with applicable laws when configuring integrations and handling Customer Data.

11. Data Retention and Deletion

• Retention: We retain Customer Data for as long as the customer maintains an active account, plus a short period after account closure for backups, dispute resolution, and legal compliance, as described in our Privacy Policy.
• Disconnection of integrations: When a customer disconnects an integration (e.g., Jira or Atlassian Identity), the associated OAuth access and refresh tokens, along with workspace metadata for that integration, are removed promptly. Imported business data (such as issues imported into the customer's Genchi account) remains in the customer's Genchi account for ongoing use within the Service.
• Deletion requests: Customers may request deletion of all their data at any time by emailing security@genchi.com or support@genchi.com. We will honor verified deletion requests within 30 days, in accordance with GDPR Article 17 and CCPA, subject to limited exceptions for legal or accounting obligations.
• Personal Data Report (Atlassian): For Atlassian-integrated data, Genchi participates in Atlassian's Personal Data Report (PDR) process, processing weekly account-status updates and removing closed Atlassian accounts from our systems.

12. Changes to This Policy

We may update this Security Policy from time to time to reflect changes in our practices, our infrastructure, or applicable law. We will post the updated policy at this URL and update the "Last updated" date above. Material changes will be communicated to customers through reasonable means.

13. Contact

For security-related questions, vulnerability reports, or data deletion requests, please contact:

• Security email: support@genchi.com