Security Policy
Last Updated: March 12, 2026
Effective Date: March 12, 2026
MarketDragon ("we," "our," or "us"), located at 78 Veloso St. Bo Obrero, Davao City 8000, Philippines, is committed to maintaining the highest standards of security to protect our clients' data, marketing assets, and business information.
This Security Policy outlines the technical and organizational measures we implement to safeguard information processed through our AI-powered managed marketing platform.
1. Infrastructure Security
1.1 Encrypted Connections
- All data transmitted between your devices and MarketDragon servers is encrypted using TLS 1.2 or higher.
- We enforce HTTPS across all platform endpoints; HTTP connections are automatically redirected to HTTPS.
- API communications between our platform and third-party services use encrypted channels exclusively.
- We regularly update our TLS certificates and cipher suites to align with current security best practices.
1.2 Secure Hosting
- Our infrastructure is hosted on enterprise-grade cloud platforms with industry-leading security certifications (ISO 27001, SOC 2).
- Servers are deployed in geographically distributed data centers with redundancy and failover capabilities.
- Network architecture implements defense-in-depth principles with multiple security layers including firewalls, intrusion detection systems (IDS), and intrusion prevention systems (IPS).
- DDoS protection is enabled at the infrastructure level to ensure service availability during volumetric attacks.
1.3 Server Hardening
- All servers follow hardening guidelines based on CIS benchmarks.
- Unnecessary services, ports, and default accounts are disabled or removed.
- Operating systems and software are regularly patched with the latest security updates.
- Automated vulnerability scanning is performed on all production systems.
2. Data Encryption
2.1 Encryption at Rest
- All sensitive data stored in our databases is encrypted using AES-256 encryption.
- Database backups are encrypted with separate encryption keys stored in a secure key management system.
- File storage (brand assets, media, documents) uses server-side encryption with managed keys.
2.2 Encryption in Transit
- All API calls, webhook communications, and data transfers between services use TLS 1.2+ encryption.
- Internal service-to-service communication within our infrastructure is encrypted.
- Email communications containing sensitive information use TLS encryption where supported by the recipient's mail server.
2.3 Key Management
- Encryption keys are stored in a dedicated, hardware-backed key management system separate from application data.
- Key rotation is performed on a regular schedule and immediately upon any suspected compromise.
- Access to encryption keys is restricted to a minimal number of authorized senior engineers.
3. Access Controls
3.1 Authentication
- All user accounts require strong passwords meeting minimum complexity requirements (minimum 8 characters, mixed case, numbers, and special characters).
- Multi-factor authentication (MFA) is available for all accounts and is mandatory for administrator accounts.
- Session tokens are securely generated, have limited lifetimes, and are invalidated upon logout.
- Failed login attempts are rate-limited, and accounts are temporarily locked after multiple consecutive failures.
3.2 Authorization
- Role-Based Access Control (RBAC): All platform access is governed by role-based permissions (Owner, Admin, Manager, Member, Viewer).
- Principle of Least Privilege: Users are granted only the minimum permissions necessary to perform their assigned tasks.
- Resource Isolation: Each company's data is logically isolated from other companies on the platform; cross-tenant access is not possible.
- API Access: API keys are scoped to specific permissions and can be revoked at any time.
3.3 Internal Access
- MarketDragon employee access to production systems and client data is strictly controlled and logged.
- Access is granted on a need-to-know basis and requires manager approval.
- All employee access to client data is audited, and logs are retained for 12 months.
- Employees undergo background checks and sign confidentiality agreements.
4. AI Data Handling
4.1 Data Minimization
- When processing content through AI models, we transmit only the minimum data necessary for the specific task (e.g., brand context, campaign brief, content parameters).
- Personal data of your customers is not included in AI prompts unless explicitly required for personalized content (e.g., name in an email).
- We sanitize and de-identify data where possible before AI processing.
4.2 AI Provider Security
- We use enterprise-grade AI providers (such as OpenAI) that maintain SOC 2 compliance and robust data protection practices.
- Our AI provider agreements include provisions ensuring:
  - Client data is not used to train or improve the provider's models.
  - Data is processed only for the specific request and not retained beyond the immediate processing need.
  - Appropriate encryption and access controls are maintained by the provider.
4.3 AI Output Review
- AI-generated content undergoes quality checks before delivery or publication.
- We implement content safety filters to prevent generation of harmful, misleading, or inappropriate content.
- Clients retain full editorial control and approve all content before it goes live.
4.4 AI Prompt Security
- Prompts sent to AI providers are constructed to avoid leaking sensitive business data.
- We do not include passwords, API keys, financial data, or other highly sensitive information in AI prompts.
- Prompt templates are reviewed for security implications as part of our development process.
5. Social Media Token Security
5.1 Token Storage
- Social media access tokens (Facebook, Instagram, TikTok, and others) are encrypted at rest using AES-256 encryption with dedicated encryption keys.
- Tokens are stored in isolated, access-controlled database tables separate from general application data.
- We never store social media passwords; we use only OAuth tokens provided through authorized platform integrations.
5.2 Token Lifecycle Management
- Automatic Refresh: Long-lived tokens are automatically refreshed before expiration to maintain uninterrupted service.
- Revocation: Tokens are immediately revoked when a client disconnects a social media account or terminates their subscription.
- Scope Limitation: We request only the minimum OAuth scopes necessary for the features the client has subscribed to.
- Monitoring: Token usage is monitored for anomalies that could indicate unauthorized access.
5.3 Platform Compliance
- Our social media integrations comply with each platform's developer policies and security requirements.
- We undergo platform security reviews as required (e.g., Facebook App Review).
- We promptly update our integrations in response to platform security advisories or policy changes.
6. Incident Response
6.1 Incident Response Plan
MarketDragon maintains a comprehensive incident response plan that includes:
- Detection: Automated monitoring systems and alerts for security anomalies, unauthorized access attempts, and data breaches.
- Classification: Incidents are classified by severity level (Critical, High, Medium, Low) to determine response priority and escalation path.
- Containment: Immediate actions to contain the incident and prevent further damage, including isolating affected systems.
- Eradication: Identifying and removing the root cause of the incident from our environment.
- Recovery: Restoring affected systems and data from secure backups, with verification of integrity before returning to production.
- Post-Incident Review: Conducting a thorough post-mortem analysis to identify lessons learned and implement preventive measures.
6.2 Notification
- Client Notification: Affected clients will be notified within 48 hours of confirming a security incident that involves their data.
- Regulatory Notification: We will assist clients in meeting their notification obligations to the National Privacy Commission and affected data subjects as required by the Philippine Data Privacy Act.
- Transparency: We provide clear, honest communication about the nature and impact of security incidents.
6.3 Incident Response Team
- A dedicated incident response team is available to respond to security incidents.
- Team members are trained in incident handling procedures and conduct regular tabletop exercises.
- Escalation procedures ensure that critical incidents receive immediate executive attention.
7. Reporting Vulnerabilities
7.1 Responsible Disclosure
MarketDragon welcomes responsible disclosure of security vulnerabilities. If you discover a potential security issue, please report it to us:
- Email: [email protected]
- Subject Line: "Security Vulnerability Report"
7.2 What to Include
When reporting a vulnerability, please provide:
- A description of the vulnerability and its potential impact.
- Steps to reproduce the issue.
- Any relevant screenshots, logs, or proof-of-concept code.
- Your contact information for follow-up questions.
7.3 Our Commitment
- We will acknowledge receipt of your report within 48 hours.
- We will investigate the reported vulnerability promptly and keep you informed of our progress.
- We will not take legal action against individuals who discover and report vulnerabilities in good faith and in accordance with this policy.
- We will credit reporters (with their permission) when a vulnerability is confirmed and resolved.
7.4 Scope
This vulnerability disclosure policy covers:
- The MarketDragon web application and platform.
- APIs and integrations operated by MarketDragon.
- MarketDragon-controlled infrastructure.
It does not cover third-party services, social media platforms, or payment processors. Please report vulnerabilities in those services directly to the respective providers.
8. Compliance and Certifications
8.1 Regulatory Compliance
MarketDragon operates in compliance with:
- Philippine Data Privacy Act of 2012 (RA 10173): We comply with all requirements regarding the collection, processing, storage, and disposal of personal data.
- Implementing Rules and Regulations (IRR): We follow the IRR of the Data Privacy Act as issued by the National Privacy Commission.
- Payment Card Industry Data Security Standard (PCI-DSS): Payment processing is handled through PCI-DSS compliant processors (Xendit).
8.2 Security Reviews
- We conduct regular internal security audits and vulnerability assessments.
- Third-party penetration testing is performed periodically to identify and address vulnerabilities.
- Our security practices are reviewed and updated in response to evolving threats and industry best practices.
9. Employee Security
9.1 Training
- All employees complete security awareness training upon hire and annually thereafter.
- Development team members receive additional training on secure coding practices and OWASP Top 10 vulnerabilities.
- Incident response team members participate in regular simulation exercises.
9.2 Access Management
- Employee access to systems is provisioned based on role and revoked immediately upon termination.
- Privileged access requires additional approval and is subject to periodic access reviews.
- All employee devices used to access production systems must meet minimum security requirements (encryption, current patches, endpoint protection).
10. Business Continuity
10.1 Backup and Recovery
- Automated daily backups of all critical data and systems.
- Backups are encrypted and stored in geographically separate locations.
- Recovery procedures are tested quarterly to ensure data can be restored within defined recovery time objectives.
10.2 Disaster Recovery
- Our disaster recovery plan ensures service continuity in the event of infrastructure failures, natural disasters, or other disruptions.
- Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and regularly reviewed.
11. Contact Us
For security-related questions, concerns, or to report a vulnerability:
- Email: [email protected]
- Phone: +639989392801
- Address: 78 Veloso St. Bo Obrero, Davao City 8000, Philippines
MarketDragon - Security-First Marketing Technology.