Version 1.0
Security Overview
Last Updated: June 25, 2026
Sunate uses administrative, technical, and organizational measures designed to protect the confidentiality, integrity, and availability of the Services and Customer Data.
This overview is informational and does not create a warranty, certification, or service-level commitment unless an executed agreement states otherwise.
1. Security principles
Our security approach is based on:
Least privilege.
Tenant separation.
Secure defaults.
Authenticated access.
Provider safeguards.
Logging and monitoring.
Risk-based improvement.
2. Identity and access
Measures may include:
Authenticated user sessions.
Supported OAuth and identity-provider flows.
Workspace roles and permissions.
Tenant-scoped database controls.
Server-side handling of service credentials.
Access removal when users or integrations are disconnected.
Restricted production access.
Customers are responsible for selecting appropriate administrators, protecting credentials and devices, reviewing workspace membership, and removing former personnel.
3. Data protection
Measures may include:
Encryption in transit using industry-standard transport security.
Provider-supported encryption at rest.
Access controls for production systems and service accounts.
Data minimization and scoped integration permissions.
Backups and recovery capabilities appropriate to hosted services.
Logging of material actions and system events.
No storage or encryption system eliminates all risk.
Customers should avoid submitting unnecessary sensitive information and should maintain copies of records needed for business continuity.
4. Application and infrastructure security
Measures may include:
Dependency and configuration review.
Validation of supported inbound provider webhooks.
Rate limits and abuse controls.
Separation of public and server-only configuration.
Monitoring of critical workflows.
Use of established hosting, communications, database, and payment providers.
Secure software-development practices.
5. AI and integration security
AI and integration features are designed to use the permissions and context needed for a user-requested action.
Customers should:
Grant only necessary permissions.
Review external-facing actions.
Disconnect unused integrations.
Avoid placing passwords, private keys, or unnecessary secrets in prompts or files.
Train users about AI limitations and data handling.
Third-party providers maintain their own security programs. See Subprocessors.
6. Incident response
Sunate investigates suspected security events, contains identified threats, restores services, and preserves information needed for remediation.
We notify affected Customers or individuals where required by law or contract.
Reports should include:
The affected URL or feature.
Date and time.
Steps to reproduce.
Potential impact.
Contact information.
Do not access, alter, download, or disclose information beyond what is necessary to demonstrate an issue.
7. Vulnerability reporting
Send a report to support@sunate.app with the subject Security Report.
We ask researchers to:
Act in good faith.
Avoid privacy violations and service disruption.
Test only accounts and data they own or are authorized to use.
Stop if they encounter another person's data.
Give us a reasonable opportunity to investigate before public disclosure.
Not use social engineering, denial of service, spam, or physical attacks.
This statement does not authorize unlawful activity and is not a promise of payment or a formal bug-bounty program.
8. Customer responsibilities
Customers should:
Use strong, unique credentials.
Enable available account protections.
Restrict administrative access.
Review users and integrations regularly.
Protect devices and exported information.
Train users.
Maintain lawful retention and backup practices.
Notify Sunate promptly of suspected compromise.
Security questions may be sent to support@sunate.app.