Last updated: 6 November 2025
Security & Responsible Disclosure
Security is built into how AesthetIQ Insight Ltd operates. This statement summarises the controls we apply and how researchers can report vulnerabilities to us.
1. Technical measures
- Encryption in transit (HTTPS/TLS) and at rest for sensitive data stores.
- Role-based access controls and audit logging for administrative operations.
- Automated backup rotation with encrypted storage.
- Regular dependency patching and infrastructure updates.
- Secrets management via environment variables and dedicated secret stores.
2. Organisational measures
- Restricted access to production systems following the principle of least privilege.
- Staff security awareness training, including phishing prevention and incident handling.
- Documented onboarding/offboarding procedures with immediate access revocation.
3. Incident response
In the event of a security incident, we will investigate promptly, mitigate impact, and notify affected customers and regulators where legally required. We log all security events and review them regularly to detect anomalous activity.
4. Responsible disclosure
We welcome responsible vulnerability reports. Please email AesthetIQInsight@gmail.com with the words “Security Report” in the subject line. Include:
- Detailed steps to reproduce the issue (proof-of-concept preferred).
- The potential impact and any suggested remediation.
- Your contact details so we can follow up.
Please give us a reasonable period (normally 30 days) to investigate and deploy a fix before publicly disclosing any vulnerability. We do not permit testing that degrades service quality, exploits other users’ data, or involves social engineering, denial of service, or physical attacks.
5. Payment security
We do not store full payment card details. All payments are handled by PCI DSS compliant providers (e.g., Stripe). Customer payment methods are tokenised and stored securely with the provider.