Security Policy
Effective Date: October 13, 2025
1. Purpose and Scope
This Security Policy defines the technical and organizational measures Freehold Flowers implements to protect personal data and ensure service availability across our mobile application, APIs, and supporting infrastructure.
2. Cryptography
- TLS 1.2+ (preferably TLS 1.3) for all network communications.
- Database connections enforced with SSL/TLS.
- Passwords hashed with bcrypt (12 rounds) and salted.
- JWTs signed, issued with an expiration, and checked against revocation lists.
3. Identity, Authentication & Access Control
- Least-privilege and role-based access control (RBAC) for employees and services.
- Key-based SSH access; no shared credentials in production.
- Time-based access reviews and immediate revocation on role changes.
4. Application Security Controls
- Input validation and output encoding to prevent injection and XSS.
- Parameterized queries / ORM usage for database access.
- Rate limiting and IP throttling to mitigate brute-force attacks.
- Webhook signature verification (HMAC-SHA256) for authenticity.
5. Infrastructure Security
- Network segmentation and firewalls between public and private tiers.
- Regular OS patching and vulnerability scanning (SAST/DAST).
- Centralized logging and monitoring of authentication, errors, and admin actions.
- Backups performed daily; recovery procedures tested periodically.
6. Data Handling
- Payment data processed exclusively by Stripe (PCI DSS Level 1).
- No storage of full card data on our servers.
- Minimal data collection necessary to operate delivery and e-commerce features.
7. Mobile Permissions
- Location (Drivers Only): requested at runtime and used solely for active deliveries.
- Camera: optional for proof-of-delivery photos.
- Notifications: order updates and driver alerts.
8. Incident Response
We maintain an incident response process aligned with ISO/IEC 27035. Suspected incidents are triaged, contained, investigated, and remediated. Where personal data may be affected, users are notified in accordance with applicable law (e.g., GDPR 72-hour breach notification).
9. Vendor & Third-Party Risk
We assess critical vendors (e.g., Stripe, hosting providers) for security posture (SOC 2 / ISO 27001 where applicable) and execute appropriate data processing agreements.
10. Business Continuity & Disaster Recovery
- Regularly tested backup restoration procedures.
- Documented recovery time objectives (RTO) and recovery point objectives (RPO) for critical systems.
11. Compliance
Our security controls are designed to support compliance with PCI DSS (via Stripe), GDPR security principles, and applicable U.S. regulations.
12. Contact
Privacy Officer – Freehold Flowers
10 W Main St, Freehold, NJ 07728, USA
Email: freeholdflowersnj@gmail.com