Security

Last updated June 5, 2026

Security is a foundational concern at Artisser, not an afterthought. This page describes the technical and organizational measures we take to protect your data and the integrity of our platform. We continuously review and improve these practices as threats and technology evolve.

This is a placeholder template and not legal advice. Replace with your finalized policy before launch.

1. Our Approach to Security

We apply a defense-in-depth strategy, layering multiple security controls across our infrastructure, application code, and operational processes. Security reviews are part of our development lifecycle, and we conduct regular internal audits as well as periodic third-party penetration tests.

Our security team monitors for anomalous activity around the clock and maintains runbooks for incident triage and response. We believe transparency about our security posture builds trust with our users and the broader research community.

2. Data Encryption

In transit: All data transmitted between your browser or client and our servers is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints and use HSTS to prevent downgrade attacks.

At rest: Stored data, including your account information, prompts, and generated content, is encrypted at rest using AES-256. Encryption keys are managed using a dedicated key management service with strict access controls and rotation policies.

Database backups are also encrypted and stored in geographically redundant locations to ensure data availability and durability.

3. Infrastructure

Artisser's infrastructure runs on leading cloud providers that maintain ISO 27001, SOC 2 Type II, and other recognized certifications. Our systems are deployed inside private virtual networks with strict ingress and egress controls. We use managed services wherever possible to reduce our attack surface and benefit from the provider's own security investments.

We isolate workloads across environments (development, staging, production) with no shared credentials or network paths between them. Automated vulnerability scanning runs continuously against our container images and infrastructure configuration.

4. Access Controls

Access to production systems is granted on a least-privilege basis. Engineers access production resources only when necessary, through audited, time-limited sessions requiring multi-factor authentication. All access is logged and reviewed regularly.

Customer data is logically separated so that no employee can access your data without a legitimate operational reason that is recorded and subject to review. We conduct background checks on team members with access to sensitive systems.

5. Vulnerability Reporting & Responsible Disclosure

We welcome reports from security researchers who discover vulnerabilities in our systems. If you have found a potential security issue, please report it to us privately at [email protected] before disclosing it publicly. Please include a description of the vulnerability, steps to reproduce, and the potential impact.

We commit to acknowledging your report within two business days, providing regular status updates, and working with you to understand and remediate the issue as quickly as possible. We ask that you give us a reasonable amount of time to address the vulnerability before any public disclosure, and that you do not access or modify user data during your research.

We do not pursue legal action against researchers who act in good faith and comply with this responsible disclosure policy.

6. Incident Response

We maintain a documented incident response plan that defines severity levels, escalation paths, and communication protocols. In the event of a security incident that affects your data, we will notify you as required by applicable law and provide information about the nature of the incident, what data was involved, and the steps we have taken in response.

Post-incident, we conduct a thorough review to identify root causes and implement process or technical improvements to prevent recurrence.

7. Compliance

Artisser is working toward SOC 2 Type II certification and maintains practices aligned with GDPR obligations for our European users. We work with qualified Data Protection Officers and legal counsel to ensure our data handling meets applicable regulatory requirements as we grow.

8. Your Responsibilities

Security is a shared responsibility. We encourage you to use a strong, unique password for your Artisser account and to enable multi-factor authentication where available. Be cautious of phishing attempts: Artisser will never ask for your password via email or chat.

If you believe your account has been compromised, change your password immediately and contact us at [email protected]. You are responsible for maintaining the security of any API keys or tokens issued to your account.