Security Policy

Version 1.0 · Effective 5 March 2026 · Last updated 5 March 2026

1. Purpose

This Security Policy describes the security measures The Progress Collective uses to protect the confidentiality, integrity, and availability of the Services and customer data.

2. Scope

This policy applies to the Services, our systems and infrastructure, and to the handling of customer content and personal information.

3. Security Principles

Least privilege: access is restricted to what is required.
Defense in depth: layered technical and operational controls.
Secure by default: secure configurations and change control.
Continuous improvement: security is reviewed and enhanced over time.

4. Platform Architecture and Key Providers

The Services are operated using trusted third-party infrastructure and service providers. Depending on the feature used, data may be processed by:

Hosting and application infrastructure: Render
Database, authentication, and storage: Supabase
Payments and subscriptions: Stripe
Security and performance services: CDN / edge security providers (e.g. Cloudflare)
AI processing: third-party AI technology providers
Email communications: email delivery providers

These providers operate under contractual obligations and are required to protect data and process it only for the purposes of delivering the Services.

5. Data Protection and Encryption

Encryption in transit using HTTPS/TLS for data sent between your device and our Services.
Secure management of credentials and sensitive configuration values.
Restricted access to production systems and data.

6. Access Control

Role-based access controls and permissions management.
Authentication and session protections for user accounts.
Administrative access limited to authorised personnel with a legitimate need.

7. Logging, Monitoring, and Detection

Monitoring of platform operation and service health.
Security logging and alerting where available.
Investigation of suspicious activity and misuse.

8. Vulnerability and Patch Management

We apply updates and security patches to platform components as practicable.
We review critical security advisories relevant to our stack.
We may remediate vulnerabilities through configuration changes, updates, or feature restrictions.

9. Incident Response

We maintain procedures to respond to security incidents. Where required by law or contract, we will provide notice of a confirmed incident involving personal information or customer data.

10. Customer Responsibilities

Use strong passwords and keep account credentials confidential.
Only upload data you are authorised to provide to the Services.
Ensure outputs and generated artefacts are reviewed and approved prior to operational use.

11. Changes to This Policy

We may update this policy from time to time to reflect changes in the Services or security practices.

12. Contact

For security-related enquiries, contact:
support@theprogresscollective.com