Security Policy
Last updated: February 24, 2026
At Costum, security is a core part of how we build and operate our platform. This page describes the technical and organizational measures we apply to protect your data and ensure the reliability of the service.
1. Data Encryption
- All communication between your browser and our servers is encrypted using TLS 1.2 / 1.3 (HTTPS). Unencrypted HTTP connections are automatically redirected to HTTPS.
- Sensitive data stored in our database (such as passwords) is hashed using a modern, industry-standard algorithm. Passwords are never stored in plain text.
- Authentication tokens are generated with sufficient entropy and are invalidated upon logout.
2. Data Storage
- All user data is stored in a secured, managed database with restricted network access.
- Database access is limited to the application backend. No direct public access is permitted.
- We perform regular automated backups to protect against accidental data loss.
3. Access Controls
- Access to production infrastructure is restricted to authorized team members only, using key-based authentication.
- Internal tools and admin interfaces are not publicly exposed and require strong authentication.
- The principle of least privilege is applied: each service and team member only has access to the minimum required resources.
4. What We Store — and What We Don't
We collect only the data strictly necessary to operate the platform. We do not store:
- Payment card details or financial information (the platform is free during beta).
- Location data or device fingerprints.
- Third-party tracking or analytics data.
We store only your account credentials (name, email, hashed password), a session token for authentication, and the content you create within the application (projects, characters, breakdowns, etc.).
5. Third-Party Data Sharing
We do not sell, share, or disclose your data to any third party for commercial, advertising, or analytical purposes. Infrastructure providers we use (hosting, database) act as data processors under strict contractual obligations and are bound to the same security standards.
6. Incident Response
We have an incident response plan in place to detect, contain, and remediate security incidents:
- In the event of a data breach affecting your personal data, we will notify affected users within 72 hours of becoming aware, as required by GDPR.
- We will also notify the relevant supervisory authority as required by law.
- Post-incident reviews are conducted to prevent recurrence.
7. Vulnerability Disclosure
If you discover a security vulnerability in our platform, we ask that you report it responsibly by emailing support@costum.cloud. Please do not publicly disclose the issue until we have had a reasonable opportunity to address it. We take all reports seriously and will respond promptly.
8. Beta Period
Costum is currently in beta. While we apply the same security standards as a production service, we recommend not storing highly sensitive or business-critical data until the platform reaches general availability. We will communicate any significant security updates to registered users.
9. Contact
For security-related concerns, contact us at support@costum.cloud. For general legal enquiries, use support@costum.cloud.