This Information Security Policy describes the measures ACTIVATE ("we," "us," or "our") takes to protect the data stored and processed by the ACTIVATE Portal ("Portal"), as well as the responsibilities of Portal users in maintaining security.
Part I
Our Security Practices
Authentication & Access Control
- Invitation-only access: New accounts are created exclusively via magic-link invitations issued by coaches or administrators. There is no open registration.
- Role-based access control: The Portal enforces three roles (agent, coach, admin) at every layer — middleware, server-side layout rendering, API endpoints, and database row-level security (RLS) policies. Users can only access data appropriate to their role.
- Market center scoping: Coaches can only view and manage agents within their assigned market center. Cross-office data access is restricted to administrators.
- Session management: Authentication sessions are managed by our authentication provider with secure, HttpOnly cookies. Sessions expire automatically after periods of inactivity.
- Inactive account enforcement: Deactivated accounts are blocked at the middleware level before any page or API is reached.
Data Protection
- Encryption in transit: All data transmitted between your browser and the Portal is encrypted using TLS (HTTPS). All connections to our database, storage, and third-party services use encrypted channels.
- Encryption at rest: Our database and file storage providers encrypt data at rest using industry-standard encryption.
- Row-level security: The database enforces row-level security (RLS) policies on every table, ensuring that queries only return data the requesting user is authorized to see — even if application-level checks were to fail.
- Service role isolation: Administrative database operations (bypassing RLS) are limited to server-side API routes and are never exposed to client-side code.
- Environment variable protection: Sensitive keys (database service role key, AI API key, email API key) are stored as server-only environment variables and are never sent to the browser.
AI Tool Security
- Rate limiting: AI tool usage is rate-limited to 20 requests per user per 24-hour period to prevent abuse.
- Usage logging: AI tool requests are logged (tool name, token counts) for cost management and abuse detection. Prompt content is not stored beyond the immediate request.
- Server-side processing: All AI API calls are made from the server. API keys are never exposed to the client.
Infrastructure Security
- Managed hosting: The Portal runs on managed cloud infrastructure with automatic security patches, DDoS protection, and edge caching.
- Error monitoring: We use an error monitoring service to detect and respond to application errors. Error reports may include stack traces and, when an error occurs, limited session replay data for debugging purposes. This data is used exclusively for reliability improvement.
- Cron job authentication: Automated scheduled tasks (daily nudges, weekly digests) are protected by a secret token to prevent unauthorized execution.
File Upload Security
- Scoped storage: User-uploaded files (profile photos, community images, marketing assets) are stored in a dedicated storage bucket with access policies.
- Path isolation: Files are stored under user-specific paths to prevent cross-user access to upload directories.
Monitoring & Incident Response
- Application errors are captured automatically and reviewed regularly.
- AI tool usage is monitored for unusual patterns.
- Bob the Broker conversations are reviewed for escalation events.
- In the event of a security incident affecting user data, we will notify affected users and take corrective action promptly.
Part II
Your Security Responsibilities
Security is a shared responsibility. As a Portal user, you play an important role in protecting your account and data.
Account Security
- Use a strong password: Choose a unique password that you do not use on other websites or services.
- Do not share credentials: Your login credentials are for your use only. Do not share your password or magic link with anyone.
- Secure your devices: Ensure the devices you use to access the Portal are protected with a screen lock, up-to-date software, and appropriate security measures.
- Log out on shared devices: If you access the Portal from a shared or public computer, log out when you are finished.
- Report suspicious activity: If you notice any unauthorized activity on your account or suspect your credentials have been compromised, notify your coach or administrator immediately.
Data Handling
- Protect client information: Do not post confidential client details (addresses, financial information, personal identification) in community posts, comments, or any public-facing area of the Portal.
- Review AI outputs: Before using AI-generated content externally, review it for accuracy and ensure it does not inadvertently disclose sensitive information.
- Be mindful of screenshots: If you take screenshots of Portal data (leaderboards, pipeline, production reports), be aware that they may contain information about other agents.
Community & Communication
- Do not share Portal links externally: Portal URLs and invite links are for authorized ACTIVATE members only.
- Use @mentions responsibly: When mentioning other users, be mindful that the mentioned person will receive a notification and email.
Questions & Reporting
If you have questions about our security practices, discover a vulnerability, or need to report a security concern, please contact us immediately through the Portal's feedback feature or reach out to your ACTIVATE coach or administrator.