Security Policy

Last Updated: December 4, 2025

1. Our Commitment to Security

At EnergyPager, security is our top priority. We handle sensitive energy production data, financial transactions, and blockchain operations—all of which require robust security measures to protect our users and maintain trust in our platform.

This Security Policy outlines the measures we take to protect your data and how you can help us maintain a secure environment for everyone.

2. Infrastructure Security

2.1 Cloud Security

Our platform is built on enterprise-grade infrastructure:

Firebase/Google Cloud Platform: Industry-leading security with encryption at rest and in transit
Firestore Database: Automated backups, access control rules, and audit logging
Firebase Authentication: Secure credential management with bcrypt hashing
HTTPS/TLS: All communications encrypted with 256-bit SSL certificates

2.2 Application Security

Content Security Policy (CSP): Prevents XSS attacks and code injection
CORS Protection: Restricts unauthorized cross-origin requests
Firebase App Check: Validates all requests come from legitimate clients
Rate Limiting: Prevents abuse and DDoS attacks
Input Validation: All user inputs sanitized and validated

2.3 Blockchain Security

Smart Contract Auditing: Contracts reviewed for vulnerabilities (ongoing)
Multi-Signature Wallets: Critical operations require multiple approvals
Gas Optimization: Efficient code reduces attack surface
Immutable Attestations: On-chain data cannot be tampered with

3. Data Protection

3.1 Encryption

At Rest: All stored data encrypted using AES-256
In Transit: TLS 1.3 for all network communications
Backups: Encrypted backups stored in multiple geographic regions

3.2 Access Control

Firestore security rules enforce strict data access permissions
Users can only access their own data (except public marketplace listings)
Admin access requires multi-factor authentication
Principle of least privilege for all system access

3.3 Data Retention

User data retained only as long as necessary
Deleted accounts purged within 30 days
Blockchain data is permanent (by design)
Analytics data anonymized after 90 days

4. Authentication & Authorization

4.1 User Authentication

Firebase Authentication with industry-standard security
Password requirements: minimum 8 characters, complexity enforced
Email verification required for account activation
Session tokens expire after inactivity
Multi-factor authentication available (recommended)

4.2 Wallet Security

We never store your private keys or seed phrases
Wallet connections use industry-standard protocols (WalletConnect, MetaMask)
Signature requests clearly display what you are signing
Optional wallet address whitelisting for additional security

4.3 API Security

API keys required for programmatic access
Rate limiting prevents abuse (10 requests/second default)
API keys can be rotated or revoked instantly
OAuth 2.0 support for enterprise integrations

5. Abuse Prevention

5.1 Rate Limiting

To prevent spam and abuse, we enforce rate limits:

Attestation Creation: 10 per hour per user
Marketplace Queries: 100 per minute
File Uploads: 5 MB maximum size, 20 per day
API Calls: Tier-based limits (Free: 1,000/day, Premium: 100,000/day)

5.2 Data Validation

All submitted energy data undergoes validation:

Sanity checks for reasonable production values
Date range verification (no future dates, max 1 year range)
System capacity verification (production matches panel size)
File type and size validation
Malware scanning for uploaded files

5.3 Fraud Detection

Machine learning algorithms detect suspicious patterns
Manual review for high-value transactions
User reputation scoring
Duplicate attestation prevention across accounts

6. Monitoring & Incident Response

6.1 Real-Time Monitoring

24/7 automated security monitoring
Intrusion detection systems
Anomaly detection for unusual activity
Performance monitoring to detect DDoS attacks

6.2 Incident Response Plan

In the event of a security incident:

Detection: Automated alerts notify security team immediately
Containment: Affected systems isolated within 15 minutes
Investigation: Full forensic analysis conducted
Notification: Affected users notified within 72 hours (or sooner if required by law)
Remediation: Vulnerabilities patched and security measures enhanced

6.3 Audit Logging

All critical actions logged (logins, transactions, admin operations)
Logs retained for 1 year for forensic analysis
Logs encrypted and access restricted to security team

7. Third-Party Security

7.1 Service Provider Vetting

All third-party services undergo security assessment:

SOC 2 Type II compliance required
Regular security audits and penetration testing
Data processing agreements in place
GDPR compliance for EU data processing

7.2 Current Third-Party Services

Google Cloud Platform/Firebase: ISO 27001, SOC 2/3 certified
Ethereum/Base Network: Decentralized, audited protocols
IPFS/Web3.Storage: Decentralized storage, content-addressed
Stripe (future): PCI DSS Level 1 compliant

8. User Security Best Practices

8.1 Protect Your Account

Use a strong, unique password (consider a password manager)
Enable multi-factor authentication (MFA)
Never share your password or API keys
Log out from shared devices
Monitor your account for suspicious activity

8.2 Protect Your Wallet

Store seed phrases offline in a secure location
Use a hardware wallet for large holdings
Verify transaction details before signing
Be cautious of phishing attempts
Only connect wallets on official EnergyPager domains

8.3 Recognize Phishing

We will NEVER:

Ask for your password or seed phrase via email
Request urgent wire transfers or cryptocurrency payments
Email you links asking to "verify your account" immediately
Contact you via social media DMs for support

Official domains only: energypager.com, *.energypager.com

9. Responsible Disclosure

9.1 Report Security Vulnerabilities

If you discover a security vulnerability, please report it responsibly. We appreciate the security research community's efforts to keep our platform safe.

9.2 How to Report

Email:security@energypager.com
PGP Key: Available at energypager.com/pgp-key.txt
Expected Response: Initial acknowledgment within 48 hours

9.3 What to Include

Detailed description of the vulnerability
Steps to reproduce the issue
Potential impact assessment
Any proof-of-concept code (if applicable)
Your contact information for follow-up

9.4 Our Commitment

We will acknowledge your report within 48 hours
We will not take legal action against researchers acting in good faith
We will keep you informed of remediation progress
We will publicly credit you (if desired) after the issue is resolved

9.5 Bug Bounty Program

Coming Soon: We are launching a formal bug bounty program with financial rewards for qualifying vulnerabilities. Stay tuned for details.

10. Compliance & Certifications

10.1 Current Compliance

GDPR: Full compliance for EU/EEA users
CCPA: California Consumer Privacy Act compliance
COPPA: We do not knowingly collect data from children under 13

10.2 In Progress

SOC 2 Type II certification (planned for 2025)
ISO 27001 certification (planned for 2026)
Smart contract security audits (scheduled Q1 2025)

11. Security Updates

11.1 Patching Schedule

Critical vulnerabilities: Patched within 24 hours
High-severity issues: Patched within 7 days
Medium/low severity: Included in regular updates (monthly)

11.2 Dependency Management

Automated dependency scanning for vulnerabilities
Regular updates to Angular, Firebase, and blockchain libraries
Security advisories monitored daily

12. Data Breach Notification

In the unlikely event of a data breach, we will:

Notify affected users within 72 hours (or sooner if required by law)
Provide details on what data was compromised
Explain steps we are taking to remediate
Offer guidance on protecting yourself
Report to relevant authorities as required

13. Contact Us

For security-related questions or concerns:

Security Team:security@energypager.com
General Support:hello@energypager.com
Privacy Concerns:privacy@energypager.com