Security at Carapis
Last updated: July 29, 2025
At Carapis, the security of your data is a top priority. We maintain rigorous technical and organizational safeguards to ensure the confidentiality, integrity, and availability of our platform and user information.
1. Infrastructure and Hosting
Our platform is hosted on modern, industry-standard cloud infrastructure providers (e.g., AWS, Vercel, or equivalent), offering:
- Data encryption at rest and in transit (TLS 1.2+)
- Regular security patches and OS updates
- Geo-redundant backups and fault-tolerant architecture
- Role-based access controls for internal systems
2. Application Security
We implement the following practices across our development lifecycle:
- Secure coding standards based on OWASP guidelines
- Automated dependency scanning for vulnerabilities
- Code review and CI/CD pipelines with security gates
- Input validation and rate limiting to mitigate injection, scraping abuse, and DoS vectors
3. Authentication and Access
- Account access is protected by secure password hashing (bcrypt).
- We support 2-Factor Authentication (2FA) for client accounts.
- All administrative access is restricted via VPN and MFA.
- The principle of least privilege is enforced across all internal roles.
4. Data Isolation and Client Segregation
Carapis uses logical data segregation mechanisms to prevent cross-access between clients. Each customer's access to data is controlled and audited.
5. Monitoring and Incident Response
- Real-time monitoring and logging are implemented across infrastructure.
- Alerts are configured for abnormal behavior, rate anomalies, and unauthorized access attempts.
- We maintain a structured incident response plan, including escalation procedures and client notification policies.
6. Data Protection and Retention
We follow the principles of data minimization and purpose limitation. Personal information is collected only as needed for service delivery and is:
- Encrypted at rest and during transmission
- Regularly reviewed and deleted when no longer necessary
- Subject to strict access controls and audit trails
7. Vendor and Third-Party Risk
We evaluate all subprocessors and third-party tools for compliance with industry security standards. All third parties handling client data are required to:
- Sign Data Processing Agreements (DPAs) where applicable
- Provide assurances of data security and confidentiality
- Undergo periodic review for risk assessment
8. Responsible Disclosure
If you believe you’ve discovered a security vulnerability in our platform, we encourage you to report it responsibly by contacting:
Email: security@carapis.com
We will acknowledge and investigate all valid reports.
9. Limitations and Shared Responsibility
While Carapis employs strong security controls, no system is immune to risk. We expect our clients to:
- Use strong, unique passwords and enable 2FA
- Keep API keys confidential
- Avoid exposing or mishandling data retrieved from Carapis
Carapis shall not be liable for breaches resulting from client-side misconfigurations, credential leaks, or insecure downstream integrations.
10. Compliance Alignment
While Carapis is not formally certified under SOC 2 or ISO 27001, our practices are inspired by their frameworks and designed to meet the security expectations of modern enterprise clients.
We are committed to transparency, security maturity, and continuous improvement.
© 2025 Carapis. All rights reserved.