
Security Policy

Effective Date: April 1, 2026  ·  Last Updated: April 1, 2026


1. Overview

Courtasy (“we,” “us,” or “our”) is committed to maintaining the security, integrity, and confidentiality of all data processed through our Platform at https://courtasy.com. This Security Policy describes the technical and organizational measures we implement to protect Customer Data and Platform infrastructure.

This policy applies to Courtasy's employees, contractors, sub-processors, and the systems that support the delivery of our services.

2. Infrastructure Security

Cloud Infrastructure

The Platform is hosted on Amazon Web Services (AWS):

  • US clients: AWS US regions
  • Indian clients: AWS infrastructure in India

AWS maintains comprehensive certifications including ISO 27001, SOC 2 Type II, and PCI DSS Level 1.

Network Security

  • All network traffic is encrypted in transit using TLS 1.2 or higher
  • Firewalls and security groups enforce strict ingress and egress rules
  • Intrusion detection systems monitor for anomalous network behavior
  • Publicly exposed endpoints are protected by rate limiting and DDoS mitigation controls

Availability & Redundancy

  • The Platform is designed for high availability with multi-zone deployment
  • Automated backups are performed daily and retained for a minimum of 30 days
  • Disaster recovery procedures are tested at least annually

3. Data Encryption

State              Standard
Data in Transit    TLS 1.2+ enforced for all communications
Data at Rest       AES-256 encryption via AWS-managed keys
Database           Encrypted at the storage layer
Backups            Encrypted with the same standards as production data
Payment Data       Tokenized and managed by Stripe — raw card data never touches Courtasy servers

4. Access Controls

Authentication

All user authentication is handled via Clerk, which provides secure session management, multi-factor authentication (MFA), and OAuth 2.0. Customers are strongly encouraged to enforce MFA for all Authorized Users.

Internal Access

  • Access to production systems is restricted to authorized Courtasy personnel on a need-to-know, least-privilege basis
  • All production access is logged and audited
  • Privileged access is reviewed quarterly

Credentials Management

  • Secrets, API keys, and credentials are stored in dedicated secrets management systems — never in source code or unencrypted configuration files
  • Credentials are rotated periodically and immediately upon suspected compromise

5. Application Security

Secure Development Practices

  • Code changes undergo peer review and automated security testing before deployment
  • Regular dependency audits identify and remediate known vulnerabilities (CVEs)
  • Input validation and parameterized queries are enforced to prevent injection attacks
  • HTTP security headers enforced: Content Security Policy (CSP), X-Frame-Options, and Strict-Transport-Security (HSTS)
  • OWASP Top 10 vulnerabilities are considered in development and code review processes

6. Third-Party Security

We conduct due diligence on all sub-processors and require that they maintain security standards consistent with or exceeding industry norms.

Provider    Role                   Security Certifications
AWS         Cloud infrastructure   ISO 27001, SOC 2, PCI DSS
Stripe      Payment processing     PCI DSS Level 1
Clerk       Authentication         SOC 2 Type II
Resend      Email delivery         SOC 2
Google      Analytics              ISO 27001, SOC 2

7. Organizational Security

People & Processes

  • All employees and contractors with access to Customer Data receive security awareness training upon onboarding and annually thereafter
  • Background verification is conducted for roles with access to sensitive systems
  • A formal information security policy governs internal data handling practices
  • An independent security firm conducts full penetration tests annually. Critical findings are remediated within 48 hours

8. Incident Response

Detection & Response

We maintain a documented Incident Response Plan. Upon detection of a security incident, our team follows a structured process: Identify → Contain → Eradicate → Recover → Review.

Customer Notification

In the event of a confirmed personal data breach, Courtasy will:

  • Notify affected Customers within 72 hours of becoming aware of the breach (where feasible)
  • Provide details of the nature of the breach, data affected, and steps taken
  • Publish a full incident report within 7 days
  • Notify relevant regulators as required by applicable law (including the Data Protection Board of India under the DPDP Act, 2023)

Our status page at status.courtasy.com provides real-time updates during any service incident.

9. Compliance & Audits

The Platform is designed to support Customer compliance with applicable data protection laws. We conduct internal security reviews at least annually. Customers may request a summary of our security practices or a completed security questionnaire by contacting legal@courtasy.com.

10. Responsible Disclosure

We encourage responsible disclosure of security vulnerabilities. If you discover a potential security issue, please email legal@courtasy.com with the subject line “Security Vulnerability Report.” Include a description of the issue, steps to reproduce, and potential impact. Do not publicly disclose the vulnerability until we have had reasonable opportunity to investigate and remediate.

  • We acknowledge valid reports within 5 business days
  • We provide a resolution timeline within 30 days for critical issues
  • We do not take legal action against researchers acting in good faith
  • We will acknowledge your contribution publicly if you wish

11. Changes to This Policy

We may update this Security Policy as our practices evolve. Material changes will be communicated to Customers via email or in-platform notice.

Questions about our security posture?

We're happy to complete a vendor security questionnaire or speak directly with your security team.
