
Policy

Security & Responsible Disclosure

Effective: June 27, 2026
Last updated: June 27, 2026

Draft — pending attorney review

This document is a working draft maintained by RestPilot AI. It is not a substitute for legal advice and will be reviewed and finalized by qualified counsel before launch.

Our security practices and how to report a vulnerability.

Security practices

  • Transport: all traffic is served over HTTPS with modern TLS.
  • Storage: account and application data is stored in encrypted, access-controlled databases operated by our infrastructure provider.
  • Authentication: sessions use industry-standard token authentication. Social sign-in via Google is available as an option.
  • Row-level security: per-user database isolation is enforced at the database layer, not just the application layer.
  • Secrets: server-side secrets (API keys, webhook secrets) are never shipped to the browser.
  • Backups: automated backups are retained for a rolling 30-day window.

Responsible disclosure

We welcome security research conducted in good faith. If you discover a vulnerability:

  • Email security@restpilot.ai with a clear description and steps to reproduce.
  • Do not access, modify, or delete data that does not belong to you.
  • Do not perform denial-of-service testing or social-engineering attacks against our staff or users.
  • Give us a reasonable time to investigate and remediate before public disclosure.

We will acknowledge reports within 5 business days and will not pursue legal action against researchers acting in good faith and within this policy.

Breach notification

In the event of a security incident affecting your personal data, we will notify affected users and the relevant regulators as required by applicable law.