Labelz Security Policy
Effective date: March 2026
This policy describes the security practices for Labelz and how to report security issues.
Data Protection Scope: Labelz stores organizations/workspaces, label templates, generated label batches, uploaded assets (like logos), and billing records (invoices/payment references). We aim to protect this data with layered controls.
1. Core security controls
1.1 Transport security
- HTTPS/TLS is used to protect data in transit between your browser and our servers.
- We use secure cookies for authenticated sessions where supported.
1.2 Authentication & access control
- Passwords are stored using secure hashing (Django’s password hashing framework).
- Role-based access controls (RBAC) limit what members can view/edit inside an Organization/Workspace.
- Administrative actions (like member/role changes) are restricted to authorized roles.
1.3 Data protection
- We limit access to production systems to authorized personnel only.
- We follow least-privilege principles for access to databases and storage.
- Backups may be used to support disaster recovery and reliability.
1.4 Application security
- CSRF protection is enabled for state-changing requests (Django CSRF middleware).
- We validate and sanitize inputs to reduce injection and unsafe content risks.
- Uploaded files may be restricted by type/size to reduce abuse and performance issues.
1.5 Payment security
- Payment processing is handled by third-party providers. Labelz receives payment confirmation and references needed for plan activation and invoicing.
- We do not store full card/bank credentials on Labelz servers.
2. Operational security
2.1 Logging & monitoring
- We maintain operational logs for troubleshooting and security monitoring (e.g., errors, suspicious traffic patterns).
- We may rate-limit or block abusive requests to protect stability.
2.2 Vulnerability management
- We periodically review dependencies and apply security patches where feasible.
- We test changes before production deployment to reduce regressions and security risk.
3. Responsible disclosure
If you believe you found a security vulnerability, please report it responsibly:
- Email: shyama@dotswitch.space
- Include: steps to reproduce, affected URL(s), screenshots/logs (if any), and impact assessment.
- Please do not publicly disclose the issue before we have a reasonable chance to investigate and address it.
4. What’s not permitted during testing
- Do not access or modify data belonging to other users/workspaces.
- No denial-of-service (DoS) testing, automated high-volume scanning, or social engineering of our team/users.
- No physical attacks or attempts to compromise infrastructure providers.
5. Incident response
- We investigate suspected security incidents and take steps to contain, remediate, and recover.
- If we determine that a breach affects your data, we will notify affected users when legally required and provide guidance on next steps.
Also see: Privacy Policy and Terms & Conditions.