Security Policy

How Webb Applications secures RectifAI and how to report a vulnerability.

Effective date: 19 April 2026
Last updated: 19 April 2026

Webb Applications takes security seriously. This policy describes the technical and organisational controls we use to protect RectifAI and your data, and how to report a vulnerability responsibly.


1. Vulnerability disclosure

If you discover a security vulnerability in RectifAI, please report it to us responsibly before public disclosure.

Security contact: security@webbapplications.co.uk

When reporting, please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • Any proof-of-concept code or screenshots (if applicable)

We will acknowledge receipt within 48 hours and aim to provide an initial assessment within 5 business days. We will keep you informed of our remediation progress.

We ask that you:

  • Do not access or modify customer data
  • Do not perform denial-of-service attacks
  • Do not publicly disclose the issue until we have released a fix

We will not pursue legal action against researchers who follow these guidelines in good faith.


2. Encryption

Data in transit

  • All communication between clients and the Service uses TLS 1.2+
  • HTTP requests are automatically redirected to HTTPS at the load balancer
  • Database connections use SSL-only mode (ENCRYPTED_ONLY)
  • Cloud Pub/Sub messages are transmitted over encrypted channels

Data at rest

  • OAuth tokens (access tokens and refresh tokens) are encrypted using AES-256-GCM with a 96-bit IV and 128-bit authentication tag before being written to the database
  • Encryption keys are stored in Google Cloud Secret Manager and never hardcoded in application code
  • The Cloud SQL database uses SSD storage with Google-managed encryption at rest
  • Google Cloud Storage objects (profile images, workspace images) are encrypted using Google's default service account encryption

3. Access controls

  • Role-based access control (RBAC) is enforced at the application layer for all workspace resources
  • Workspace members can only access data belonging to their own workspace
  • All API endpoints require authenticated sessions; unauthenticated requests are rejected
  • OAuth integrations use the minimum required scopes for each provider
  • Application secrets, database credentials, and API keys are stored exclusively in Google Cloud Secret Manager and injected at runtime; they are never stored in source code or environment files

4. Infrastructure security

  • RectifAI runs on Google Cloud Platform (europe-west2, London), which holds ISO/IEC 27001, SOC 2 Type II, and other certifications
  • Cloud Run services run as non-root containers in Google's managed execution environment
  • Container images are built and stored in Artifact Registry (europe-west2)
  • Cloud SQL instances are reached over Unix socket connections via the Cloud SQL Auth Proxy (no public IP exposure)
  • Workload identity is managed via GCP Workload Identity Federation and OIDC tokens; no long-lived service account keys are used in CI/CD

5. Secret management

All credentials, API keys, OAuth client secrets, and signing secrets are:

  • Stored in Google Cloud Secret Manager
  • Rotated when a team member leaves or a compromise is suspected
  • Never logged, printed, or committed to version control
  • Audited for presence in source code using Gitleaks on every pull request

6. Dependency management

  • Production dependencies are audited using npm audit on every pull request and on a weekly scheduled scan
  • Only production dependencies are audited to reduce noise from development tooling

7. Error monitoring and logging

  • Errors and performance traces are captured via Sentry (hosted in Germany at de.sentry.io)
  • Sentry is configured with text masking enabled and media blocked to reduce PII exposure in error payloads
  • Approximately 10–20% of transactions are sampled in production; 1% of sessions are replayed, rising to 100% for sessions that encounter an error
  • Application logs may contain incident metadata but are not intentionally populated with user credentials or raw secrets

8. Authentication and session management

  • User authentication is handled by NextAuth.js, an open-source library running within the RectifAI application, using Atlassian SSO as the identity provider
  • Sessions use secure, HTTP-only cookies managed by NextAuth.js
  • An internal HMAC signing secret is used to authenticate requests between the Atlassian Forge app and the RectifAI backend
  • All OAuth flows use PKCE where supported

9. Incident response

In the event of a security incident affecting customer data:

  1. We will investigate and contain the incident as quickly as possible
  2. We will notify affected workspace administrators within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms (as required by UK GDPR Art. 33)
  3. We will provide a full incident report within 30 days describing the nature of the breach, data affected, and remediation steps

10. Certifications

RectifAI does not currently hold independent certifications (SOC 2, ISO/IEC 27001). We run on Google Cloud Platform, which is itself certified under ISO/IEC 27001, SOC 2 Type II, and PCI DSS.

We are committed to pursuing independent compliance certifications as the product matures.


11. Contact

Security issues: security@webbapplications.co.uk
General privacy: privacy@webbapplications.co.uk
Support: support@webbapplications.co.uk