Security Policy

Atledtechnology takes the security of its platform, infrastructure, and user data seriously. This Security Policy describes the measures we implement to protect the confidentiality, integrity, and availability of the Service at https://www.atledtechnology.com, as well as the procedures for responsible disclosure of security vulnerabilities. This policy applies to all users, researchers, and third parties interacting with our Service.

All infrastructure powering Atledtechnology is hosted entirely within the European Union and managed directly by our team. We do not rely on third-party cloud providers for user data storage. Our infrastructure security measures include:

• Network-level controls: firewall rules, intrusion detection, and port restrictions to limit attack surface
• Server hardening: non-essential services disabled, SSH key-based authentication only, password login disabled
• Containerization: services are isolated using Docker containers to limit lateral movement in case of compromise
• Automated monitoring: continuous monitoring of system health, resource usage, and anomalous access patterns
• Backup and recovery: regular encrypted backups with tested restoration procedures to ensure data availability

We apply security best practices throughout the development and operation of the Service:

• Authentication: passwords are hashed using strong one-way algorithms (e.g., bcrypt or Argon2); plain-text passwords are never stored or logged
• Session management: session tokens are randomly generated, cryptographically secure, and expire after a period of inactivity
• Input validation: all user inputs are validated and sanitized server-side to prevent injection attacks (SQL injection, XSS, CSRF)
• Dependency management: third-party libraries are regularly audited and updated to address known CVEs
• Access logging: all administrative and privileged actions are logged with timestamps and source IP addresses

Users are responsible for maintaining the security of their own accounts. We strongly recommend:

• Using a strong, unique password not reused across other services
• Enabling two-factor authentication (2FA) if available on the Service
• Logging out of the Service when using shared or public devices
• Never sharing your credentials with anyone

If you suspect your account has been compromised, contact us immediately at luca.ricci@atledtechnology.com. We will investigate and take appropriate action, including account suspension if necessary to prevent further harm.

All personal data collected by the Service is handled in accordance with our Privacy Policy and the GDPR (EU) 2016/679. From a security standpoint:

• All connections to the Service are encrypted via HTTPS/TLS — unencrypted HTTP connections are automatically redirected
• Storage volumes containing user data are encrypted at rest
• Backups are encrypted before storage and access-controlled
• Passwords and authentication tokens are never stored in recoverable form

To report a vulnerability:

• Email: luca.ricci@atledtechnology.com
• Subject line: [SECURITY] Vulnerability Report – Atledtechnology
• Include: a clear description of the vulnerability, steps to reproduce, potential impact, and any supporting evidence (screenshots, logs, proof-of-concept)

Our commitments to reporters:

• We will acknowledge receipt of your report within 48 hours
• We will provide a status update within 7 business days
• We will work to remediate confirmed vulnerabilities within a reasonable timeframe depending on severity
• We will not pursue legal action against researchers who act in good faith and follow this policy

Out of scope: denial-of-service attacks, social engineering, physical security attacks, reports generated by automated scanners without manual validation, and vulnerabilities in third-party services not under our control.

In the event of a confirmed security incident or data breach, Atledtechnology will:

• Contain the incident promptly to limit exposure
• Investigate the scope, cause, and impact of the breach
• Notify affected users within 72 hours of becoming aware of the breach, in accordance with GDPR Article 33
• Report the breach to the Garante per la protezione dei dati personali (Italian DPA) where required by law at www.garanteprivacy.it
• Remediate the root cause and implement measures to prevent recurrence
• Document the incident and response for internal review and regulatory compliance

If you wish to conduct authorized security research, contact us at luca.ricci@atledtechnology.com to request permission.

We may update this Security Policy from time to time to reflect improvements in our security practices or changes in applicable law. Changes will be posted on this page with an updated revision date. We encourage you to review this page periodically.