This document is a brief overview of the standard operating procedures (SOP) of Apricot AI LLC related to privacy policy, specifically pertaining to Mindgrasp.ai. For the upcoming beta release, integration with many other services - including corporate API services, university authentication, and use with private tutoring institutions is crucial. However, with these goals in consideration, it is also necessary for all data - internal and external - to be secured and validated on both ends. The following sections cover a multitude of measures taken on all facets of operation of Mindgrasp. User Security There are three core subsystems that store user data: Google Firebase (Decentralized Database) Stripe (Payment Integration) Amazon Web Services (Hosting) Firebase stores app-related data for each user, including metadata such as user statistics. Default authentication is secured end-to-end by the service, with database rules configured such that only properly authenticated users may access data they are given permission for. This has been tested extensively, and basic user and password security rules have been implemented into the app itself (for example, we require a sufficiently strong password and a verifiable email address to sign up). Because of these configured server-side rules, it is virtually impossible to access user data unless authenticated. Additionally, Mindgrasp supports oAuth from any third-party authentication service (such as Duo, SSO, Gmail, etc.), ensuring an additional factor of security. Stripe is the web API service that allows Mindgrasp to bill customers and manage subscriptions. The Stripe API uses Transport Layer Security (TLS) to serve its frontend interface script and has endpoints encrypted in AES-256 from both sides. Mindgrasp’s billing interface also maintains PCI compliance as a shared responsibility with the Stripe API. Section 3 discusses this in detail. Refund Policy: Due to Mindgrasp's product offering consisting only of non-tangible, irrevocable goods, we do not offer refunds for any purchases/subscriptions that occur after the trial period has ended unless a user is able to provide proof of cancellation before the end of the trial period. All users that start a trial are authorizing Mindgrasp to charge them at the conclusion of their free trial if they have not cancelled their subscription during the trial period. Amazon Web Services (AWS) Elastic Beanstalk hosts our application server. Like any secure web service, any inbound and outbound communication also uses TLS, and includes server logging tools for additional security monitoring. Any data stored on the server is only limited to anonymous metadata used just for load testing. Denial-of-service attacks (DOS, DDOS) are handled on the platform automatically by the built-in load balancing software on the server. Payment Security and PCI Compliance Payment security is our utmost priority for Mindgrasp. In addition to the data protection measures listed in Section 2, we ensure that no credit card or payment data is stored on-server. Any saved payment methods is handled through the browser securely, with no information saved to our databases. This ensures PCI compliance from our end. PCI Compliance, officially compliance with the Payment Card Industry data security standard, is a set of standardized rules that requires businesses to handle payment information in a secure manner. While there are over 78 unique requirements and upwards of 400 tests, there are 12 key objectives included: Implement firewalls to protect data Appropriate password protection Protect cardholder data Encryption of transmitted cardholder data Utilize antivirus software Update software and maintain security systems Restrict access to cardholder data Unique IDs assigned to those with access to data Restrict physical access to data Create and monitor access logs Test security systems on a regular basis Create a policy that is documented and that can be followed Apricot AI ensures that all 12 of these objectives are being met, and aims to be certified professionally in the following months. API Endpoint Protection All machine learning endpoints are secured using TLS in conjunction with end-to-end encryption on both client and server-side operations. Authentication is cross-validated on the server side to ensure that users are signed in and are authorized to use their API. No user data is exchanged other than user input.In addition, the user input itself is sanitized from attacks such as SQL injection, and filters out unauthorized material using complex natural language processing rules. Saved user input will only be private to individual users and is inaccessible by other external users. Further Developments External Integration As Mindgrasp develops its functionality, we plan to integrate with external authentication services, including institutional Single Sign-On (SSO) systems such as such the one University of Maryland uses for its students. Both Mindgrasp’s data services and the UMD authentication system are closed systems, meaning that student data will be protected on both fronts and will only be used to authenticate/verify real users. Antivirus and Local Security To protect malware from infecting our servers, we use several antivirus and anti-malware services to detect threats early and prevent them from affecting user data.
