Security
Effective date: April 22, 2026
1. Our Commitment
Security is not an afterthought at Organize — it is a foundational design principle. We built this platform for our own studio operations before making it available to others, and our security posture reflects the level of trust we place in it ourselves. This document describes the technical controls, organisational practices, and policies we maintain to protect the confidentiality, integrity, and availability of your data.
This Security Policy is publicly available as part of our commitment to transparency. Where specific implementation details are withheld, it is solely to avoid providing a roadmap for adversarial actors.
2. Infrastructure and Hosting
The Organize platform is hosted on enterprise-grade cloud infrastructure operated by providers who maintain independent security certifications, including ISO/IEC 27001 and SOC 2 Type II. Our infrastructure is provisioned with security-hardened configurations and undergoes regular review.
Production environments are logically separated from development and staging environments. No production data is used in non-production environments without explicit anonymisation.
We maintain infrastructure redundancy and automated failover capabilities to support service continuity. System health and availability are monitored continuously, with alerts configured for anomalous conditions.
3. Data Encryption
In Transit. All data transmitted between your browser or client application and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS exclusively and apply HTTP Strict Transport Security (HSTS) headers to prevent downgrade attacks. Connections using deprecated protocol versions are rejected.
At Rest. All data stored in our databases and object storage systems is encrypted at rest using AES-256 or equivalent industry-standard algorithms. Encryption keys are managed through a dedicated key management service and are rotated on a defined schedule.
Backups. Database backups are performed automatically on a regular schedule. Backup data is encrypted using the same standards applied to primary storage and is stored in geographically separated locations. Backup integrity is tested periodically through restoration exercises.
4. Access Controls
Access to production systems and customer data is restricted to personnel who require it to perform their role. We apply the principle of least privilege: access rights are granted at the minimum level necessary and are reviewed regularly. All privileged access is logged and subject to audit.
Multi-factor authentication (MFA) is enforced for all internal systems and is strongly recommended — and where technically enforceable, required — for Customer accounts. Shared credentials are prohibited.
Access rights are revoked immediately upon changes in personnel roles or upon termination of employment or engagement. Automated deprovisioning workflows ensure timely removal of system access.
5. Application Security
Our engineering practices incorporate security throughout the software development lifecycle. Code changes undergo peer review prior to deployment. We maintain secure coding guidelines based on industry standards including the OWASP Top Ten.
Dependencies and third-party libraries are monitored for known vulnerabilities using automated tooling. Critical security patches are applied on an expedited basis. Our deployment pipeline includes automated security scanning to identify common vulnerability patterns before code reaches production.
We conduct periodic penetration tests and security assessments of the platform. Findings are tracked, prioritised by severity, and remediated within defined service-level timeframes.
6. Network Security
Production systems operate within a network architecture designed to minimise attack surface. External access is restricted to defined entry points protected by firewalls and network access control lists. Administrative interfaces are not exposed to the public internet.
We employ intrusion detection and anomaly monitoring to identify suspicious network activity. Distributed denial-of-service (DDoS) mitigation controls are in place at the network perimeter.
7. Organisational Controls
All personnel with access to systems or data complete security awareness training upon onboarding and on a recurring annual basis. Training covers phishing recognition, credential hygiene, secure data handling, and incident reporting procedures.
Personnel are subject to confidentiality obligations as a condition of their engagement. We conduct background screening for roles with access to sensitive systems, in accordance with applicable law.
We maintain a documented information security policy that is reviewed and updated at least annually or following material changes to our operating environment.
8. Incident Response
We maintain a written incident response plan that defines procedures for the detection, containment, eradication, recovery, and post-incident review of security events. The plan assigns clear roles and escalation paths to ensure timely and coordinated response.
In the event of a confirmed data breach that affects your personal data, we will notify affected Customers without undue delay and, where required by applicable law, within seventy-two (72) hours of becoming aware of the breach. Notifications will include the nature of the incident, categories and approximate volume of data affected, likely consequences, and the measures taken or proposed to address it.
9. Vendor and Sub-Processor Management
We assess the security posture of third-party vendors and sub-processors before engagement and on an ongoing basis. All sub-processors handling personal data are bound by contractual obligations providing protections materially equivalent to those in this Policy. We maintain an up-to-date register of sub-processors and make it available upon request.
10. Vulnerability Disclosure
We welcome reports from independent security researchers and the broader community. If you have identified a potential security vulnerability in the Organize platform, we ask that you report it to us responsibly before making any information public.
Please send vulnerability reports to security@organize.so with a detailed description of the issue, steps to reproduce, and any supporting evidence. We will acknowledge receipt within forty-eight (48) hours and provide a remediation timeline within ten (10) business days.
We request that researchers refrain from accessing, modifying, or deleting any data beyond what is strictly necessary to demonstrate the vulnerability, and that they do not disclose the issue publicly until we have had a reasonable opportunity to address it. We commit to acting in good faith toward researchers who adhere to these guidelines.
11. Questions
For security questions or concerns outside the scope of vulnerability disclosure, please contact:
Organize Security Team
security@organize.so