Security Policy
Last updated: March 22, 2026
Inventles Labs Private Limited ("Inventles," "we," "us," or "our") is committed to maintaining the security and integrity of our products, services, and customer data. This Security Policy outlines our practices, commitments, and procedures for safeguarding our systems and your information.
1. Secure Development Practices
Security is integrated into every phase of our software development lifecycle:
- Security-by-Design: Security requirements are defined at the design stage of every product. Threat modeling is conducted for new features that handle sensitive data or authentication.
- Code Review: All code changes are reviewed before merging. Security-sensitive changes receive additional scrutiny focused on input validation, access control, and data handling.
- Input Validation: All user inputs are validated and sanitized server-side to prevent injection and related attacks (SQL injection, XSS, SSRF), regardless of any client-side validation.
- Dependency Management: Third-party dependencies are regularly audited for known vulnerabilities. Updates are applied promptly when security patches are available.
- Least Privilege: Our products request only the minimum permissions necessary to function. Each API scope and permission is documented with justification.
2. Data Protection
Encryption
- All data in transit is encrypted using TLS 1.2 or higher
- Data at rest is encrypted through the hosting platform's native encryption mechanisms
- API tokens and secrets are never logged, stored in plain text, or transmitted in URLs
Data Storage
- For products built on third-party platforms (e.g., Atlassian Forge, JetBrains), data is stored entirely within the platform's certified infrastructure
- We do not maintain external databases or data warehouses containing customer data
- No customer data is transferred to or processed by third-party analytics, advertising, or tracking services
Access Control
- Our products implement role-based access control (RBAC) derived from the host platform's existing permission model
- Administrative actions are restricted to authorized users only
- All configuration changes are recorded in audit logs with user attribution and timestamps
Data Retention and Deletion
- Customer data is retained only for as long as necessary to provide the service
- Uninstalling our products removes all associated application data from the platform
- In-app tools are provided for granular data deletion without requiring full uninstallation
3. Logging and Monitoring
- Application logs are maintained for debugging and operational purposes only
- No personally identifiable information (PII) such as user IDs, email addresses, or names, and no authentication tokens, is written to application logs
- Error logs capture only technical details (error codes, stack traces, operation names) necessary for troubleshooting
- Log retention follows the hosting platform's policies
4. Vulnerability Management
Reporting a Vulnerability
We take security vulnerabilities seriously. If you discover a potential security issue in any of our products, please report it responsibly:
- Email: support@inventles.com
- Include a detailed description of the vulnerability, steps to reproduce, and any supporting evidence
- Do not publicly disclose the vulnerability until we have had reasonable time to investigate and remediate
Our Response
| Severity | Initial Response | Target Remediation |
|---|---|---|
| Critical | Within 24 hours | Patch within 48 hours |
| High | Within 48 hours | Patch within 7 days |
| Medium | Within 5 business days | Patch within 30 days |
| Low | Within 10 business days | Next scheduled release |
5. Incident Response
In the event of a confirmed security incident:
- Containment: Immediate steps are taken to contain the incident and prevent further impact
- Investigation: A thorough investigation is conducted to determine scope, root cause, and affected data
- Notification: Affected customers are notified within 72 hours of confirming a data breach, with details of what happened, what data was affected, and remediation steps
- Remediation: The vulnerability is patched and deployed. A post-incident review is conducted to prevent recurrence
- Transparency: For significant incidents, a post-incident summary is made available upon request
6. Infrastructure Security
- Our products are built on trusted, certified cloud platforms (e.g., Atlassian Forge, AWS) that maintain SOC 2, ISO 27001, and other industry certifications
- We do not operate our own data centers or servers for customer data processing
- CI/CD pipelines include automated security checks and manifest validation before deployment
- Production deployments require manual approval and are gated through a controlled release process
7. Authentication and Authorization
- Our products rely on the host platform's authentication mechanism (e.g., Atlassian accounts). We do not implement custom authentication or store credentials
- API calls use platform-provided tokens with defined scopes. No long-lived tokens or API keys are stored by the application
- Administrative operations are protected by permission checks at both the application and platform level
8. Third-Party Security
- We evaluate the security posture of all third-party services before integration
- Third-party dependencies are sourced from reputable registries (npm) and pinned to specific versions
- We do not share customer data with third parties for any purpose other than providing the core service functionality
9. Employee Security
- Access to production systems and customer data is limited to authorized personnel on a need-to-know basis
- Source code repositories use branch protection, required reviews, and signed commits
- Security awareness is maintained as part of our development culture
10. Compliance
We maintain the following policies and commitments:
- Privacy Policy covering data collection, use, and rights
- Terms of Service governing product use
- Service Level Agreement with availability and support commitments
- Trust Center with detailed security and data handling practices
11. Changes to This Policy
We may update this Security Policy to reflect improvements in our practices or changes in regulatory requirements. Material changes will be communicated by updating the "Last updated" date. We encourage periodic review of this page.
12. Contact
For security-related inquiries, vulnerability reports, or questions about this policy:
- Company: Inventles Labs Private Limited
- Email: support@inventles.com
- Registered Address: Nashik, India