At Ionhour, we take the security of our platform and your data seriously. This page outlines our security practices and provides guidelines for reporting security vulnerabilities responsibly.
1. Our Security Practices
- All data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption
- Authentication is managed through a self-hosted Keycloak instance with industry-standard password hashing
- Role-based access control (RBAC) is enforced throughout the platform, with need-to-know access to production systems
- Infrastructure is hosted on Amazon Web Services, which maintains SOC 2 Type II, ISO 27001, and ISO 27017 certifications
- We conduct periodic security reviews and penetration testing of our platform
- Multi-tenant workspace isolation is enforced through tenant-scoped database queries
- Automated monitoring and alerting systems detect and respond to anomalous activity
2. Responsible Disclosure Policy
How to Report
If you discover a security vulnerability in the Ionhour platform, please report it responsibly by emailing security@ionhour.com. Please include the following in your report:
- A clear description of the vulnerability
- Steps to reproduce the issue
- The potential impact or severity of the vulnerability
- Any supporting evidence such as screenshots, logs, or proof-of-concept code
A PGP key is available upon request for encrypted communications.
What We Commit To
- Acknowledge receipt of your report within 48 hours
- Provide an initial assessment of the vulnerability within 5 business days
- Keep you informed of the progress toward resolution
- Credit you publicly for the discovery (with your permission)
- Not pursue legal action against researchers who act in good faith and comply with this policy
What We Ask
- Allow a minimum of 90 days before publicly disclosing the vulnerability
- Do not access or modify other users’ data during your research
- Do not degrade the performance or availability of the Service
- Do not engage in social engineering, phishing, or physical attacks against Ionhour employees or users
- Do not exploit a vulnerability beyond what is necessary to demonstrate proof-of-concept
3. Scope
The following assets are in scope for security research:
- app.ionhour.com
- api.ionhour.com
- ionhour.com
The following are out of scope:
- Third-party services and integrations
- Denial-of-service (DoS/DDoS) attacks
- Social engineering attacks
- Physical attacks against Ionhour facilities
- Attacks targeting Ionhour employees or users
4. Safe Harbour
Ionhour will not pursue civil or criminal action against security researchers who:
- Act in good faith and in accordance with this disclosure policy
- Avoid privacy violations and destruction of data
- Do not cause service interruption or degradation
- Report vulnerabilities promptly upon discovery
- Do not publicly disclose the vulnerability before it has been resolved
5. Contact
- Security reports: security@ionhour.com
- General support: support@ionhour.com