Security

Last updated: 29 June 2026

1. Security Philosophy

Security is foundational to Spectre AI Pro. We implement a defence-in-depth strategy with multiple layers of technical and organisational measures, aligned with ISO/IEC 27001 controls, the NIS2 Directive (Directive (EU) 2022/2555), and GDPR Article 32 requirements for security of processing.

2. Encryption

  • Data in transit: All network traffic is encrypted using TLS 1.3 (Transport Layer Security). HSTS (HTTP Strict Transport Security) is enforced across all domains. SSL/TLS certificates are automatically rotated before expiry.
  • Data at rest: All stored data, including databases, file storage, and backups, is encrypted using AES-256 (Advanced Encryption Standard).
  • Password storage: User passwords are hashed using bcrypt with adaptive cost factors, never stored in plaintext, and never logged.
  • API keys and secrets: All API keys, OAuth tokens, and service credentials are stored in encrypted secret management systems and rotated on a regular schedule.
  • Key management: Encryption keys are managed through dedicated key management services (KMS) with restricted access, audit logging, and automatic rotation policies.

3. Authentication and Access Control

  • Multi-factor authentication (MFA): Available for all user accounts and enforced for all administrative and internal team accounts.
  • OAuth 2.0: Third-party authentication via Google and Apple uses the OAuth 2.0 protocol with PKCE (Proof Key for Code Exchange) where applicable.
  • Session management: JWT-based sessions with configurable expiry, secure httpOnly cookies, and CSRF protection on all state-changing requests.
  • Role-based access control (RBAC): Internal access is granted on a least-privilege basis with role-specific permissions and regular access reviews.
  • Zero-trust architecture: No implicit trust is granted based on network location; all access requests are authenticated and authorised.

4. Infrastructure Security

  • Hardened servers: All servers run minimal OS configurations with automated security patching. Unused ports, services, and packages are disabled.
  • Network security: Firewalls, security groups, and network segmentation isolate services. No direct database access is available from the public internet.
  • DDoS protection: Cloud-level DDoS mitigation absorbs and filters volumetric attacks before they reach our infrastructure.
  • Web Application Firewall (WAF): Inspects incoming traffic for malicious patterns, including SQL injection, XSS, and CSRF attempts.
  • Content Security Policy (CSP): Strict CSP headers prevent injection of unauthorised scripts and resources.
  • Container security: All container images are scanned for vulnerabilities before deployment and run with non-root users.

5. Data Security

  • Database security: Databases are encrypted at rest, accessible only through authenticated application layers, and backed up with encrypted snapshots.
  • Data isolation: Each organisation’s data is logically isolated. Multi-tenant access controls prevent cross-organisation data leakage.
  • Secure deletion: When data is deleted, it is purged from primary storage and marked for secure deletion from backups within 30 days.
  • Voice data: Audio streams are processed in memory and not persisted to disk. Transcription text is retained only if saved as part of a conversation.
  • File uploads: Uploaded files are scanned for malicious content, stored in encrypted object storage, and served via signed, time-limited URLs.

6. Monitoring and Incident Response

  • Continuous monitoring: Security information and event management (SIEM) systems aggregate logs from all services for real-time threat detection.
  • Intrusion detection: Automated alerts trigger on anomalous access patterns, failed authentication spikes, and suspicious API behaviour.
  • Incident response plan: A documented incident response plan defines roles, escalation procedures, and communication protocols. Security incidents are classified by severity with defined response time objectives.
  • Breach notification: In accordance with GDPR Articles 33–34, we notify the supervisory authority within 72 hours of a confirmed breach and affected users without undue delay where high risk is identified.
  • Post-incident review: All security incidents undergo a root-cause analysis with corrective and preventive actions (CAPA) documented and implemented.

7. Vulnerability Management

  • Dependency scanning: All third-party dependencies are continuously scanned for known vulnerabilities (CVEs) and updated promptly.
  • Code security: Static application security testing (SAST) and secret scanning run on every code change. Dynamic application security testing (DAST) is performed regularly.
  • Penetration testing: Independent third-party penetration tests are conducted at least annually and after major architectural changes.
  • Responsible disclosure: We welcome security researchers to report vulnerabilities responsibly. Contact security@spectre.pro with details. We commit to acknowledging reports within 48 hours and providing updates on remediation.

8. Compliance and Certifications

  • GDPR (Regulation (EU) 2016/679): Full compliance with EU data protection law. See our GDPR page for details.
  • NIS2 (Directive (EU) 2022/2555): We implement risk management measures and incident reporting obligations aligned with the NIS2 Directive.
  • ePrivacy Directive (Directive 2002/58/EC): Cookie consent and electronic communications security in compliance with the ePrivacy Directive. See our Cookie Policy.
  • EU AI Act (Regulation (EU) 2024/1689): We provide transparency about AI-generated content and implement human oversight for AI-assisted decisions.
  • ISO/IEC 27001: Our security controls are aligned with the ISO/IEC 27001 information security management standard.
  • SOC 2: We follow SOC 2 Trust Services Criteria for security, availability, and confidentiality.

9. Organisational Security

  • Security training: All team members receive mandatory security awareness training upon onboarding and annually thereafter, covering phishing, data handling, and GDPR obligations.
  • Background checks: Personnel with access to production systems undergo background verification before being granted access.
  • Access reviews: Access rights are reviewed quarterly. Departing personnel lose access immediately upon termination.
  • Vendor management: All sub-processors are evaluated for security and GDPR compliance before engagement, with periodic reassessments.
  • Data processing agreements: Article 28 GDPR-compliant DPAs are in place with all sub-processors.

10. Business Continuity

We maintain a business continuity plan (BCP) and disaster recovery plan (DRP) to ensure service availability in the event of infrastructure failure, natural disaster, or other disruption. Encrypted backups are performed daily and stored in geographically separated regions. Recovery point objectives (RPO) and recovery time objectives (RTO) are defined per service tier and tested at least twice annually.

11. Responsible Disclosure

If you believe you have discovered a security vulnerability, please report it responsibly to security@spectre.pro. Do not attempt to exploit the vulnerability or access data that is not yours. We are committed to working with security researchers to verify and remediate reported issues. We request that you:

  • Provide a detailed description of the vulnerability and steps to reproduce it.
  • Avoid accessing, modifying, or deleting data that does not belong to you.
  • Do not perform denial-of-service attacks or use automated scanning tools that may degrade service.
  • Allow reasonable time for remediation before public disclosure.

12. Contact

For security-related questions or to report a vulnerability:
Security: security@spectre.pro
Data Protection Officer: dpo@spectre.pro
General: admin@spectre.pro