Grasp Visual

Security Documentation

Version: 1.0
Last Updated: December 26, 2024
Effective: December 26, 2024
Tier 2 (Small Business/Commercial)

1. Security Commitment

Grasp Visual is committed to protecting the security and privacy of your data. This document outlines our security practices, measures, and procedures for the Email to Print service.

2. Security Architecture

2.1 Data Flow Security

  • Email Processing: All email processing occurs locally on your device
  • Server Communication: All server communications use HTTPS/TLS encryption
  • Authentication: Multi-factor authentication support for admin accounts
  • Token Storage: OAuth tokens stored securely using OS keychain

2.2 Network Security

  • HTTPS/TLS: All web traffic encrypted with TLS 1.2 or higher
  • Certificate Management: Valid TLS certificates issued by publicly trusted Certificate Authorities
  • Secure Headers: Security headers (HSTS, CSP, X-Frame-Options) implemented
  • Rate Limiting: Per-client request limits to slow brute-force attempts and reduce the impact of application-layer flooding
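Sections 2.2 and 8.2 list HSTS, CSP and X-Frame-Options as implemented controls without saying what a passing response looks like. The following is an added example, not Grasp Visual's code, that audits a raw HTTP response for those three headers. Both responses are constructed inline (the header names are real, the values are invented) so the audit runs offline; against the live service you would fetch www.graspvisual.com with a TLS client restricted to 1.2+ and pass the raw response to audit_headers.

```python
"""Audit a raw HTTP response for HSTS, CSP and clickjacking protection."""
import re

# Constructed sample responses (header names are real, values invented):
# one missing HSTS with an over-permissive CSP, one hardened.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Content-Security-Policy: default-src * 'unsafe-inline'\r\n"
    "\r\n"
    "<html>...</html>"
)

HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self'; "
    "object-src 'none'; frame-ancestors 'none'\r\n"
    "X-Frame-Options: DENY\r\n"
    "\r\n"
    "<html>...</html>"
)

# One year: the minimum most hardening guides (and the HSTS preload list) expect.
MIN_HSTS_MAX_AGE = 31536000


def parse_headers(raw: str) -> dict:
    """Map lower-cased header name -> value for a raw HTTP/1.x response."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers


def parse_csp(value: str) -> dict:
    """Map CSP directive name -> list of source expressions."""
    policy = {}
    for directive in value.split(";"):
        parts = directive.split()
        if parts:
            policy[parts[0].lower()] = parts[1:]
    return policy


def audit_headers(raw: str) -> list:
    """Return findings for the three headers the page names; [] means all pass."""
    h = parse_headers(raw)
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        if not m or int(m.group(1)) < MIN_HSTS_MAX_AGE:
            findings.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS lacks includeSubDomains")

    csp = h.get("content-security-policy")
    policy = parse_csp(csp) if csp else {}
    if not policy:
        findings.append("missing Content-Security-Policy")
    else:
        # script-src falls back to default-src when absent
        script_src = policy.get("script-src", policy.get("default-src", []))
        if "*" in script_src or "'unsafe-inline'" in script_src:
            findings.append("CSP allows wildcard or inline scripts")

    # Either control blocks framing; frame-ancestors wins where both are set.
    xfo = h.get("x-frame-options", "").upper()
    if "frame-ancestors" not in policy and xfo not in ("DENY", "SAMEORIGIN"):
        findings.append("no clickjacking protection (frame-ancestors or X-Frame-Options)")

    return findings


if __name__ == "__main__":
    for name, resp in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit_headers(resp) or "OK")
```

The clickjacking check accepts either a frame-ancestors directive or X-Frame-Options because browsers that understand both honour frame-ancestors and ignore X-Frame-Options; a CSP that only sets default-src is still checked for wildcard and inline script sources, since script-src inherits from it.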

3. Authentication and Authorization

3.1 User Authentication

  • Gmail OAuth 2.0: Secure OAuth flow for Gmail account access
  • Server-Based OAuth: OAuth secrets stored on server, not in client application
  • Session Management: Secure session tokens with expiration
  • Password Security: Strong password requirements (if applicable)

3.2 Admin Access

  • Role-Based Access Controls: Admin access restricted to authorized personnel
  • API Key Authentication: Secure API keys for programmatic access
  • Session Timeout: Automatic session expiration after inactivity
  • Audit Logging: Logging of admin actions and access

4. Data Protection

4.1 Data Encryption

  • In Transit: All data encrypted using TLS 1.2+ during transmission
  • At Rest: Sensitive data encrypted in database
  • Local Storage: Secrets held on the device (OAuth tokens, credentials) are stored in the OS keychain rather than in plain files
  • Backup Encryption: Backups encrypted before storage

4.2 Data Minimization

  • Email Content: Email content and attachments not stored on servers
  • Minimal Collection: Only collect data necessary for service operation
  • Data Retention: Automatic deletion of data per retention policy
  • User Control: Users can delete their data at any time

4.3 Access Controls

  • Principle of Least Privilege: Users granted minimum necessary access
  • Role-Based Access: Different access levels for users and admins
  • Access Logging: All data access logged and monitored
  • Regular Reviews: Periodic review of access permissions

5. Infrastructure Security

5.1 Server Security

  • Operating System: Regular security updates and patches
  • Firewall: Network firewall rules restricting unnecessary ports
  • Intrusion Detection: Monitoring for suspicious activity
  • Vulnerability Scanning: Regular security scans and assessments

5.2 Database Security

  • Access Control: Database access restricted to application servers
  • Encryption: Database encryption at rest
  • Backup Security: Encrypted backups stored securely
  • Connection Security: Database connections use encrypted channels

5.3 Application Security

  • Input Validation: All user inputs validated and sanitized
  • SQL Injection Prevention: Parameterized queries and prepared statements
  • XSS Protection: Content Security Policy and input sanitization
  • CSRF Protection: CSRF tokens for state-changing operations
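Section 5.3 names parameterized queries as the SQL injection control without showing the difference they make. The block below is an added example, not Grasp Visual's code: an unsafe lookup and its parameterized counterpart run against an in-memory SQLite table filled with constructed rows (the table, column names and key values are invented for the demonstration).

```python
"""String-built SQL beside its parameterized replacement, run on SQLite."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, each with an API key."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, api_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("alice@example.com", "key-alice"), ("bob@example.com", "key-bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """Deliberately unsafe: the untrusted value is spliced into the SQL text."""
    sql = f"SELECT email, api_key FROM users WHERE email = '{email}'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn: sqlite3.Connection, email: str) -> list:
    """Parameterized: the value is bound by the driver and never parsed as SQL."""
    sql = "SELECT email, api_key FROM users WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload: closes the string literal, then appends OR '1'='1
PAYLOAD = "nobody@example.com' OR '1'='1"


def demo() -> dict:
    """Run both lookups with the payload and one legitimate query."""
    conn = make_db()
    return {
        "vulnerable": lookup_vulnerable(conn, PAYLOAD),  # dumps every row
        "safe": lookup_safe(conn, PAYLOAD),              # matches nothing
        "legit": lookup_safe(conn, "alice@example.com"),
    }


if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The rule generalizes to any driver: the query text stays constant and untrusted input travels only through bind parameters. Escaping or "sanitizing" the email string is not a substitute, because it would have to anticipate every quoting rule of the target database.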

6. Security Monitoring and Incident Response

6.1 Monitoring

  • Log Aggregation: Centralized logging of security events
  • Anomaly Detection: Automated detection of unusual patterns
  • Alert System: Real-time alerts for security events
  • Regular Audits: Periodic security audits and reviews

6.2 Incident Response Plan

  1. Detection: Identify and confirm security incident
  2. Containment: Isolate affected systems to prevent spread
  3. Investigation: Analyze incident to determine scope and impact
  4. Remediation: Remove threat and restore systems
  5. Notification: Notify affected users if required by law
  6. Post-Incident: Review and improve security measures

6.3 Breach Notification

  • Legal Requirements: Compliance with GDPR, CCPA, and other regulations
  • Timeline: Supervisory authority notified within 72 hours of becoming aware of a breach (GDPR Art. 33); affected individuals notified without undue delay where required (GDPR Art. 34) or as other applicable law demands
  • Content: Clear description of incident, data affected, and remediation steps
  • Channels: Email, website notice, or other appropriate channels

7. Third-Party Security

7.1 Vendor Assessment

  • Security Reviews: Assessment of third-party vendors before integration
  • Data Processing Agreements: DPAs with vendors processing personal data
  • Regular Reviews: Periodic reassessment of vendor security
  • Incident Reporting: Requirements for vendors to report security incidents

7.2 Third-Party Services

  • Google Gmail API: OAuth 2.0 authentication, read-only access
  • Cloud Hosting: Secure cloud infrastructure with encryption
  • Payment Processors: PCI DSS compliant payment processing (if applicable)

8. Compliance and Standards

8.1 Compliance Frameworks

  • GDPR: General Data Protection Regulation compliance
  • CCPA: California Consumer Privacy Act compliance
  • OWASP Top 10: Protection against common web vulnerabilities
  • WCAG 2.1 AA: Accessibility standards compliance

8.2 Security Standards

  • TLS 1.2+: Minimum protocol version accepted for data in transit
  • Strong Cryptography: Industry-standard encryption algorithms
  • Secure Coding: OWASP secure coding practices
  • Regular Updates: Timely application of security patches

9. Security Best Practices for Users

9.1 Account Security

  • Use strong, unique passwords
  • Enable two-factor authentication when available
  • Keep your software and operating system updated
  • Do not share your account credentials

9.2 Gmail Account Security

  • Use Google's security features (2FA, security alerts)
  • Regularly review connected apps and revoke unused access
  • Monitor your Gmail account for suspicious activity
  • Keep your Gmail password secure

9.3 Device Security

  • Keep your device's operating system updated
  • Use antivirus and anti-malware software
  • Lock your device when not in use
  • Be cautious when connecting to public Wi-Fi

10. Security Updates and Patches

10.1 Update Policy

  • Critical Updates: Applied within 24-48 hours
  • High Priority: Applied within 1 week
  • Regular Updates: Applied monthly or as needed
  • Notification: Users notified of significant security updates

10.2 Vulnerability Disclosure

  • Responsible Disclosure: Security researchers can report vulnerabilities
  • Bug Bounty: Recognition for valid security reports (if applicable)
  • Response Time: Acknowledgment within 48 hours, resolution timeline provided

11. Security Training and Awareness

11.1 Staff Training

  • Regular security awareness training
  • Secure coding practices
  • Incident response procedures
  • Privacy and data protection training

11.2 User Education

  • Security best practices documentation
  • Regular security tips and updates
  • Clear privacy and security policies

12. Contact and Reporting

12.1 Security Concerns

If you discover a security vulnerability or have security concerns, please contact us:

Security Team
Email: security@graspvisual.com

Grasp Visual
Email: info@graspvisual.com
Website: www.graspvisual.com
Address: 15201 Mason Rd 1000 - PMD 367, Cypress, TX 77433

12.2 Incident Reporting

For security incidents affecting your account:

  • Contact us immediately
  • Provide details of the incident
  • We will investigate and respond within 48 hours

This Security Documentation is effective as of December 26, 2024. Last updated: December 26, 2024.