Compliance Center

Security & Compliance Program

Policies, risk register, and vendor assessments that govern how EcoService Pro protects customer data. This page is maintained by EcoPowerHub AI LLC for prospects, auditors, and internal review. For disclosures contact engmartin@ecopowerhub.ai.

Information Security Policy

Version: 1.0 · Effective: July 14, 2026 · Owner: CEO / Security Lead Review cadence: Annual, or on material change.

1. Purpose

Define how EcoPowerHub AI LLC ("the Company") protects the confidentiality, integrity, and availability (CIA) of information assets used to build and operate EcoService Pro.

2. Scope

Applies to all employees, contractors, and systems (production, staging, development, corporate laptops) that store, process, or transmit Company or customer data.

3. Roles & responsibilities

  • CEO (Eng. Martin): Ultimate accountability, policy approval.
  • Security Lead: Runs the program; owns this policy, the risk register, and incident response.
  • Engineering: Implements controls; peer-reviews code; runs CI security checks.
  • All personnel: Complete annual security awareness training; report incidents within 24 h.

4. Guiding principles

  1. Least privilege — access is granted on need-to-know, revoked on role change.
  2. Defense in depth — RLS + auth + rate limits + audit logs are layered, not alternatives.
  3. Secure by default — new features ship with RLS, input validation, and auditing on day 1.
  4. Assume breach — every action is logged and every secret is rotatable.

5. Control domains

| Domain | Control | Reference | | --- | --- | --- | | Access control | RBAC, MFA, session expiry | access-control-policy.md | | Data protection | AES-256 at rest, TLS 1.2+ in transit, key rotation | data-privacy-policy.md | | Change management | PR review, protected main, CI must pass | .github/workflows/ | | Vulnerability mgmt | Weekly bun audit, monthly Supabase linter | Risk register R-04 | | Logging & monitoring | audit_logs, security_events, Sentry | src/lib/audit.server.ts | | Incident response | 24 h detection SLA, 72 h regulator notice | incident-response-plan.md | | Vendor management | Annual review of every sub-processor | vendors/assessments.md | | BCP / DR | Daily Supabase PITR (7 days), RPO 24 h, RTO 4 h | Risk register R-07 |

6. Acceptable use

Company systems may not be used for illegal activity, harassment, or crypto mining. Personal use is permitted in moderation and never with customer data.

7. Enforcement

Violations may result in access revocation, disciplinary action, or termination. Contractors in violation are removed from the project.

8. Exceptions

Documented in the risk register with a compensating control, an owner, and an expiry date. No open-ended exceptions.

9. Related documents

  • Access Control Policy · Data Privacy Policy · Incident Response Plan · Risk Register · Vendor Assessments

Version-controlled source of truth for this document lives in the project repository. Material changes are reviewed by the Security Lead and approved by the CEO.