Last
updated: 28 November 2025
Applies to: plugai.world web/app/API
services
CISO: ceo@plugai.world
PLUG AI WORLD is committed to protecting confidentiality, integrity, and availability across plugai.world, its APIs, Firebase-based serverless infrastructure, and AI/ML services. This policy applies to the public website, web applications, API endpoints, internal administrative systems, and operational pipelines.
Chief Information Security Officer (CISO): ceo@plugai.world — owns security program, risk, incident response, and policy governance.
Engineering & DevOps — secure architecture, CI/CD integrity, monitoring, vulnerability management, and change control.
Data Protection Officer (DPO) — GDPR/DPDPA/CCPA compliance, data subject requests, DPIAs/PIAs.
Compliance & Legal — vendor risk, contracts, sub-processor oversight, regulatory monitoring.
All Employees & Contractors — mandatory training, policy adherence, incident reporting.
Public — website content, marketing copy.
Internal — operational metrics, runbooks, non-sensitive business docs.
Confidential — account data, support tickets, non-public metrics.
Restricted / Sensitive — authentication secrets, API keys, encryption keys, PII/financial data, proprietary models and datasets.
We align with applicable regulations and frameworks including EU/UK GDPR, India’s Digital Personal Data Protection Act (DPDPA, 2023) and DPDP Rules, 2025, California CCPA/CPRA, and cookie/tracking requirements. We maintain transparency, lawful bases for processing, data subject rights mechanisms, breach notifications, and export control/IP compliance. Security controls are mapped to ISO/IEC 27001/27002 and SOC 2 Trust Service Criteria (readiness/alignment; certification status to be updated).
Cloud & Hosting: Google Firebase (serverless) with hardened configurations and least-privilege access.
Logical Segmentation: Separation of public endpoints, application services, and data stores using distinct Firebase projects/environments.
Zero Trust: Identity-centric controls, continuous verification.
Multi-Environment: Isolated dev/staging/prod with separate credentials and roles.
Infrastructure-as-Code (IaC): Config in GitHub with protected branches, reviews, and drift detection.
Workforce Access: SSO where feasible; MFA mandatory for admin/engineering.
RBAC: Fine-grained roles in Firebase and GitHub; least-privilege by default.
Just-In-Time Elevation: Time-bound role elevation with auditable logs.
Key & Secret Management: Google-managed KMS; periodic rotation; no secrets in code.
Account Lifecycle: Prompt provisioning/deprovisioning; quarterly entitlement reviews.
User Authentication: Firebase Authentication (passwords/federated); optional MFA.
Session Controls: Secure, HttpOnly, SameSite cookies; short-lived tokens; refresh-token rotation.
Abuse & Rate Limiting: Adaptive throttling to prevent brute force and credential stuffing.
In Transit: TLS 1.2+ (prefer TLS 1.3); HSTS on web properties.
At Rest: AES-256 via Google-managed encryption for databases, buckets, and backups.
Key Management: Google KMS with role separation, periodic rotation, strict audit trails.
Code Reviews & SAST: Mandatory peer reviews; static analysis in CI (GitHub Actions).
Dependency Hygiene (SCA): Automated scans; pinned versions; rapid patching.
Build Integrity: Signed artifacts where applicable; SBOM generation.
Runtime Protections: WAF/CDN and bot management; L7 DDoS protections.
Secrets Handling: Vault/KMS; encrypted env vars; secret scanning in repos.
Security Testing: Unit/integration, DAST for critical flows, periodic pentests, AI red-teaming.
Content-Security-Policy (CSP): strict directives.
X-Content-Type-Options: nosniff.
X-Frame-Options: DENY or CSP frame-ancestors none.
Referrer-Policy: strict-origin-when-cross-origin.
Permissions-Policy: limit sensors/camera/mic/geo.
Strict-Transport-Security (HSTS): includeSubDomains; preload (when ready).
CORS/CORP: restrictive defaults with explicit allowlists.
Collect only data necessary for specified purposes; document lawful bases and purposes.
Retention: Data retained until verified user erasure request or legal requirement; prompt deletion upon verification.
Data Residency: Host/process in compliant regions; document cross-border mechanisms.
Data Subject Rights: Access, correction, deletion, portability; statutory timeframes.
Children’s Data: Verified parental/guardian consent; additional restrictions per DPDP Rules.
Centralized Logging: Structured logs with PII redaction; Firebase logs aggregated to SIEM.
Time Sync & Integrity: NTP-synchronized timestamps; tamper-evident storage.
Detection & Telemetry: Alerts for auth anomalies, privilege changes, exfil indicators.
Availability Monitoring: Synthetic checks; SLO/SLA tracking; canary releases.
Serverless on Firebase: Hardened configs; deny-by-default access using IAM/service accounts.
Patch Management: Rapid patching for critical CVEs; scheduled updates; library upgrades.
Backup & DR: Encrypted, versioned backups; tested recovery procedures.
RPO ≤ 4 hours; RTO ≤ 8 hours.
DDoS Protection: Cloud edge mitigations at L3/L4/L7.
Discovery: Automated scanners (SAST/SCA/DAST), manual reviews, pentests, responsible disclosure.
Prioritization: CVSS-based with exploitability, asset criticality, user impact.
Remediation SLAs: Critical 72h; High 7d; Medium 30d; Low best effort.
Verification: Regression testing and closure reviews; RCA for repeated issues.
Ticketing: Email to ceo@plugai.world auto-generates tracking tickets.
Model Endpoint Security: Auth/rate limits; request validation; abuse monitoring.
Data Governance for Training: Document sources/licensing/consents; filter sensitive/copyrighted content.
PII Handling: Avoid training on PII unless necessary/lawful; anonymize/pseudonymize.
Output Safety: Moderation, jailbreak/prompt injection detection, policy filters.
Adversarial Testing: Red-teaming for injection/exfiltration/inversion/poisoning.
Change Management: Versioning, rollback, audit trails, reproducible builds.
Preparation: Playbooks, roles, comms templates; annual tabletops.
Identification & Triage: Alert classification, severity scoring, incident declaration.
Containment: Short-term isolation and filtering; long-term hardening.
Eradication & Recovery: Patch, restore from clean backups, integrity validation, heightened monitoring.
Post-Incident: RCA, lessons learned, control improvements, stakeholder updates.
Notifications: Users and authorities per law; India DPDPA timelines; CERT-In within 6 hours where applicable.
Report vulnerabilities to ceo@plugai.world (PGP key to be published).
Safe Harbor: Non-malicious testing; avoid privacy violations/service disruption/data destruction.
Bug Bounty: To be announced; scope and rewards will be published.
Response Targets: Acknowledge within 72h; triage updates within 7d; remediate per SLAs.
Continuity Planning: Documented BCP; critical functions and alternate workflows.
DR Strategy: Multi-zone/region Firebase deployments where applicable; failover plans; periodic recovery drills.
Objectives: RPO ≤ 4 hours; RTO ≤ 8 hours.
Microsoft — productivity, collaboration, and security tooling.
Google Firebase — serverless hosting, Authentication, Firestore/Storage, analytics.
GitHub — source control, CI/CD, issue tracking.
Note: We maintain a current list of sub-processors and DPAs. The list will be updated as services are added/removed.
Hardening Standards: Provider best practices and CIS benchmarks tailored to serverless.
Default-Deny: Unused services disabled; least-privilege IAM.
Configuration Management: Version-controlled configs; peer review; environment parity; change approvals.
Secrets & Keys: Stored in vaults/KMS; audited access; enforced rotation.
Background checks where lawful/appropriate for sensitive roles.
Security onboarding and annual refreshers (phishing, data protection, secure coding).
Acceptable Use: Device security, remote work, and data handling policies.
Device Management: EDR, full-disk encryption, screen locks, secure Wi-Fi.
Privacy Policy: https://plugai.world/privacy_policy.html
Cookie Notice: https://plugai.world/privacy_policy.html
Do Not Track / Opt-Out: Honored where feasible; preferences persisted.
Versioning: Change log maintained.
Review Cycle: Annual or upon major changes to services, laws, or threat landscape.
Approval: By CISO and executive leadership.
CISO: ceo@plugai.world
Security: ceo@plugai.world
Privacy (DPO): ceo@plugai.world
Support: ceo@plugai.world
28 Nov 2025 — Initial comprehensive publication; Firebase architecture; DPDPA references; standard RPO/RTO and remediation SLAs.