Utopia Tech
▸ Effective 2026

Security Posture.

Security is foundational to our service delivery. This page describes the controls we implement across our infrastructure, application, and operational processes.

01

Infrastructure Security

  • Production workloads run in cloud regions with encrypted-at-rest storage and TLS-in-transit (TLS 1.2+).
  • Network access is restricted via security groups and firewall rules; only required ports are exposed publicly.
  • Operating systems and packages are patched on a defined cadence; critical security patches within 72 hours of vendor release.
02

Application Security

  • Authentication via OIDC (Auth0). Session tokens are short-lived; refresh tokens rotate.
  • Role-based access control: admin / editor / moderator / user.
  • All third-party API credentials encrypted at rest using Fernet symmetric encryption with keys managed outside the database.
  • Input validation on all user-submitted data; parameterized queries throughout (no raw SQL with user input).
  • Content Security Policy, X-Frame-Options DENY, HSTS preload (production), and modern security headers enforced.
03

Data Protection

  • Customer data segregation maintained per engagement.
  • Daily encrypted database backups with 30-day retention; tested restore procedure.
  • Data export and deletion endpoints available on request (CCPA-compliant).
04

Operational Security

  • Append-only audit log of administrative actions.
  • Account lockout policy: 5 failed login attempts trigger a 15-minute lock.
  • Rate limiting per IP and per authenticated user on all API endpoints.
  • Fail2ban monitors SSH and HTTP access logs for abuse patterns.
05

Vulnerability Disclosure

  • We welcome reports from the security research community.
  • To report a vulnerability, email security@utopiats.com with subject prefix"[SECURITY]" and include reproduction steps. We will acknowledge within 2 business days.
  • We commit to good-faith triage of submitted reports and will not pursue legal action for research conducted in line with this policy.
06

Incident Response

We maintain an incident response plan with defined severity tiers, notification timelines, and post-incident reviews. Affected customers will be notified per applicable law and contractual commitments.

07

Compliance

Engagement-specific compliance frameworks (HIPAA, SOC 2, PCI-DSS) are addressed under your Statement of Work and governed by separate Business Associate Agreements where applicable.

▸ Questions?

Direct legal or compliance inquiries to our team.

Email info@utopiats.com. For data-subject requests under CCPA / GDPR, use the contact form and select "Support".

Submit Inquiry
Skip to main content