
Security Policy

Updated Dec 10, 2025

This Security Policy describes the security measures and practices implemented by Trekeffect Inc., a Connecticut corporation doing business as Oaysus ("Company," "we," "us," or "our"), to protect our platform services and the data entrusted to us by our customers.

As an early-stage company, we are committed to implementing security measures appropriate to our size and the nature of our services. We continuously work to improve our security practices as we grow.

This Policy should be read alongside our Privacy Policy and Terms of Service.

1. Infrastructure Security

Cloud Infrastructure

Our services are hosted on industry-leading cloud platforms:

  • Amazon Web Services (AWS): Database hosting (RDS), file storage (S3), and backend API services in the US-East-1 region
  • Google Cloud Platform (GCP): Frontend application hosting and content delivery

Both AWS and GCP maintain SOC 2, ISO 27001, and other industry security certifications. We leverage their security infrastructure, physical security controls, and compliance frameworks.

Network Security

  • Firewalls: AWS security groups restrict network access to only necessary ports and services
  • DDoS Protection: AWS Shield provides protection against distributed denial-of-service attacks
  • TLS Encryption: All data transmitted to and from our services is encrypted using TLS 1.2 or higher

2. Data Protection

Encryption

  • Data in Transit: All data transmitted between your browser and our servers is encrypted using TLS (HTTPS)
  • Authentication Tokens: User session tokens are encrypted using JWT (JSON Web Tokens) with secure signing
  • Payment Data: All payment processing is handled by Stripe; we do not store complete payment card information on our servers

Data Storage

  • Database: Customer data is stored in PostgreSQL databases hosted on AWS RDS
  • File Storage: Uploaded files and assets are stored in AWS S3
  • Logical Separation: Customer data is logically separated using unique identifiers; all customers share the same database infrastructure

Backups

  • Automated Backups: Daily automated database backups
  • Retention Period: Backups are retained for 15 days on a rolling basis
  • Storage: Backups are stored securely in AWS

3. Access Controls

User Authentication

  • Secure Login: Password-based authentication with secure password hashing
  • Session Management: JWT-based session tokens with configurable expiration
  • Account Lockout: Protection against brute-force attacks through rate limiting

Administrative Access

  • Limited Personnel: Production database access is limited to essential personnel only
  • Authentication Required: All administrative access requires authentication
  • Principle of Least Privilege: Access is granted only as necessary for job functions

4. Application Security

Development Practices

  • Code Review: All code changes are reviewed before deployment
  • Input Validation: User inputs are validated and sanitized to prevent injection attacks
  • Dependency Management: Third-party dependencies are monitored for known vulnerabilities

Customer-Uploaded Code

Important: We do not review, audit, or scan customer-uploaded code (Custom Components) for security vulnerabilities.

Customers who upload custom code, components, or third-party integrations are solely responsible for the security of that code. See our Terms of Service for details on customer responsibilities.

5. Incident Response

Response Process

In the event of a security incident, we will:

  1. Investigate promptly to determine the scope and impact
  2. Take immediate steps to contain and mitigate the incident
  3. Notify affected customers within 72 hours of confirming a data breach
  4. Report to relevant authorities as required by law
  5. Conduct a post-incident review to prevent recurrence

Reporting Security Issues

If you discover a security vulnerability or have concerns about our security practices, please contact us immediately at [email protected] with "Security Issue" in the subject line.

We appreciate responsible disclosure and will work with you to address any legitimate security concerns.

6. Current Limitations

In the interest of transparency, we want to be clear about what security measures we have not yet implemented as an early-stage company:

  • Third-Party Security Certifications: We do not currently hold SOC 2, ISO 27001, or similar certifications for our own operations (though our infrastructure providers do)
  • Penetration Testing: We have not conducted formal third-party penetration testing
  • Full Data-at-Rest Encryption: While authentication tokens are encrypted, not all database fields are encrypted at rest
  • Comprehensive Audit Logging: We maintain system logs but do not have comprehensive audit trails for all data access
  • Dedicated Security Team: We do not have a dedicated security team at this time

We are committed to improving our security posture as we grow. If your organization has specific security requirements, please contact us to discuss.

7. Third-Party Services

We use the following third-party services that have access to customer data:

  • Amazon Web Services (AWS): Cloud infrastructure, database hosting, file storage
  • Google Cloud Platform (GCP): Frontend hosting, content delivery
  • Stripe: Payment processing and subscription billing

These providers have their own security policies and certifications. We select providers with strong security track records and compliance certifications.

8. Policy Updates

We may update this Security Policy from time to time to reflect changes in our security practices or services.

We will communicate material changes by:

  • Updating the "Last Updated" date at the top of this Policy
  • Notifying customers of significant security-related changes via email
  • Posting updates on our website

Security Contact Information

For security-related questions, concerns, or to report security vulnerabilities, please contact us:

Trekeffect Inc. (d/b/a Oaysus)
11 Spinnaker Drive
Niantic, CT 06357
United States

Response Time: We will acknowledge security reports within 48 hours.

Security Incident Reporting

For urgent security incidents that may affect customer data or service availability, please contact us immediately at [email protected] with "URGENT SECURITY INCIDENT" in the subject line.