Policy
Security & Responsible Disclosure
Effective: June 27, 2026
Last updated: June 27, 2026
Draft — pending attorney review
This document is a working draft maintained by RestPilot AI. It is not a substitute for legal advice and will be reviewed and finalized by qualified counsel before launch.
Our security practices and how to report a vulnerability.
Security practices
- Transport: all traffic is served over HTTPS with modern TLS.
- Storage: account and application data is stored in encrypted, access-controlled databases operated by our infrastructure provider.
- Authentication: sessions use industry-standard token authentication. Optional social sign-in via Google.
- Row-level security: per-user database isolation is enforced at the database layer, not just the application layer.
- Secrets: server-side secrets (API keys, webhook secrets) are never shipped to the browser.
- Backups: automated backups are retained for a rolling 30-day window.
Responsible disclosure
We welcome security research conducted in good faith. If you discover a vulnerability:
- Email security@restpilot.ai with a clear description and steps to reproduce.
- Do not access, modify, or delete data that does not belong to you.
- Do not perform denial-of-service testing or social-engineering attacks against our staff or users.
- Give us a reasonable time to investigate and remediate before public disclosure.
We will acknowledge reports within 5 business days and will not pursue legal action against researchers acting in good faith and within this policy.
Breach notification
In the event of a security incident affecting your personal data, we will notify affected users and applicable regulators in accordance with applicable law.