Ekosistem App

Security Policy

The top-level information-security policy that governs how Ekosistem App is built, run and maintained.

Last updated: May 2026

Purpose & Scope

This policy establishes the security objectives and minimum controls for the Ekosistem App platform — the web application, the API, the persistent stores, the third-party services and the human processes around them. It applies to all engineering work performed by Plademy Oy and any service provider acting on its behalf.

Security Principles & Controls

Ekosistem App follows defense-in-depth: every external request crosses authentication, authorization, validation, rate-limit, sanitization and audit boundaries before it can change state. The minimum required controls are:

  • Invite-only access, JWT authentication (15-minute access token, 7-day refresh token in an httpOnly cookie) and a Redis-backed token blacklist.
  • Strict role-based access control: system_admin > ecosystem_owner > ecosystem_admin > moderator > member; ecosystem membership is verified on every authenticated endpoint.
  • All input validated by Zod schemas with .strict() and sanitized via isomorphic-dompurify before persistence and before render.
  • Persistent data accessed exclusively through Drizzle ORM — no raw SQL or string-interpolated queries — running on Postgres with row-level security.
  • Per-route rate limiting using Upstash Redis sliding-window counters (strict, write, general and upload tiers).
  • Strict CORS allowlist, security headers (CSP, X-Frame-Options, HSTS) and a fail-fast Zod-validated environment schema at startup.

Operational Practices

Day-to-day operations are run by Plademy Oy's engineering team. The following practices are mandatory:

  • Secrets are stored only in environment variables, never in code or the repository — committed .env files are forbidden.
  • Production database access is performed exclusively over TLS via the managed Supabase connection.
  • Code review and Drizzle-checked migrations precede every database schema change.
  • Pino structured logs with PII scrubbing; production builds disable console output.
  • Deployments to Railway (API) and Vercel (web) are triggered by main-branch pushes, so that every change is traceable through git history.
  • AI moderation results, audit logs and report records are retained for accountability.

Roles & Responsibilities

Plademy Oy is the operator of the platform. The following roles are accountable:

  • Engineering — implements and verifies security controls; owns code, infrastructure and dependency management.
  • Operations — maintains production environments, monitors logs and incidents, runs the recovery operations plan.
  • Ecosystem owners — set their own community policies, define member roles and act as data controllers within their ecosystems.
  • Members — abide by the Terms of Service and the rules of the ecosystems they join.

Review & Contact

This policy is reviewed at least annually, after every material change to the platform or stack, and following any security incident. Comments or concerns can be sent to developer@plademy.com.

Developer and Operator
Plademy Oy
Maria 01, Lapinlahdenkatu 16, 00180 Helsinki, Finland
Business-ID: 3386328-3