Valid AI is committed to maintaining the highest standards of security to protect our members' data and ensure the integrity of our AI governance platform.

Data Protection & Encryption

• Password Security: User passwords are hashed using bcrypt with salt
• File Storage: Media files are stored with AWS S3 (encryption handled by AWS)
• Database: PostgreSQL database connections (encryption depends on hosting provider)
• Email Transport: Gmail SMTP with TLS enabled for email delivery

Authentication & Access Control

• Authentication: Email and password-based login using Flask-Login
• Role-Based Access: Separate admin and delegate user types with different permissions
• Organization Isolation: Delegates can only access their own organization's data
• Session Management: Flask session management with secure cookies
• Login Tracking: Login timestamps and counts are recorded in the database

AI System Security

• Input Validation: All user inputs are sanitized and validated to prevent XSS and injection attacks
• Rate Limiting: Configurable rate limits (default: 10 messages per minute) to prevent abuse
• Content Filtering: AI guardrails ensure queries are relevant to AI governance topics
• Safety Guardrails: Content safety checks prevent inappropriate or malicious prompts
• Secure API Integration: OpenAI API communications are encrypted and authenticated

Application Security

• File Upload Security: MIME type validation using python-magic and file size limits (200MB max)
• CSRF Protection: Flask-WTF provides CSRF token validation for forms
• SQL Injection Prevention: SQLAlchemy ORM prevents direct SQL injection
• Error Handling: Custom error pages that don't expose system details

Logging & Monitoring

• Application Logging: Python logging with structured log formatting
• Health Checks: Basic health endpoint for database connectivity monitoring
• Performance Metrics: Basic response time and error tracking in the monitoring service
• Login Tracking: User login attempts and timestamps are logged to database