Security Policy

1. Introduction

This Security Policy describes how Xzect Labs Private Limited approaches protection of News Studio systems and data. It supplements our Privacy Policy and Terms of Service.

2. Security Commitment

We implement reasonable administrative, technical, and organizational safeguards appropriate to the nature of our Service. No system is completely secure. We cannot guarantee that unauthorized access, disclosure, alteration, or destruction will never occur.

3. Technical & Organizational Measures

Measures may include, as applicable:

• Encryption in transit (TLS) for data transmitted over public networks;
• Encryption at rest for sensitive data where supported by infrastructure;
• Role-based access controls and least-privilege for personnel;
• Secure development practices, code review, and dependency management;
• Network segmentation, firewalls, and DDoS mitigation via cloud providers;
• Backups and disaster-recovery procedures;
• Employee confidentiality and security awareness training;
• Vendor risk review for material sub-processors.

Specific controls may vary by environment, plan, and integration. Enterprise customers may request additional documentation under NDA where available.

4. Your Responsibilities

You are responsible for:

• Strong, unique passwords and enabling multi-factor authentication where offered;
• Protecting API keys, OAuth tokens, and team invitations;
• Promptly revoking access for departed staff;
• Reviewing connected Third-Party Platform permissions;
• Reporting suspected compromise to contact@newsstudio.io immediately.

5. API Protection & Rate Limits

API and automation endpoints are protected by authentication, authorization, throttling, and abuse detection. Excessive requests may be blocked to preserve Service stability. Do not attempt to bypass limits or security controls.

6. Monitoring & Abuse Prevention

We monitor for anomalous login patterns, spam, malware links, credential stuffing, payment fraud, and policy violations using analytics, device/browser signals, IP and log data, and usage metrics. Automated systems may temporarily restrict accounts pending review.

Monitoring supports platform performance, debugging, fraud detection, and suspicious-activity prevention, as described in our Privacy Policy.

7. Trust & Safety

Security and trust & safety overlap: we may apply automated and manual review, AI safety filters, and content signals to reduce abuse. Filters are not perfect. We may remove harmful content, preserve logs for investigations, and cooperate with authorities regarding CSAM, exploitation, or credible threats.

See our Platform Usage Policy for user conduct standards and child-safety zero tolerance.

8. Audit Logging

We maintain operational logs (access, errors, publishing events) for security, debugging, and compliance. Logs are retained per our Privacy Policy and may be used in investigations.

9. Incident Response

We maintain procedures to detect, contain, and remediate security incidents. Where required by law and contract, we will notify affected customers of personal data breaches without undue delay after confirming the incident.

Notifications may include description, categories of data, likely consequences, and mitigation steps. We cooperate with regulators and customers as appropriate.

10. Vulnerability Disclosure

If you discover a potential vulnerability, report it responsibly to contact@newsstudio.io with sufficient detail to reproduce. Do not exploit, access others' data, or perform destructive testing without written authorization.

We request reasonable time to investigate and remediate before public disclosure. We do not guarantee bug bounties unless expressly published.

11. Compliance

We align security and data practices with GDPR-style privacy expectations, payment gateway fraud and data-handling requirements, Meta/Google and other API platform security expectations, international SaaS standards, and trust & safety best practices.

Formal certifications (e.g., ISO 27001, SOC 2) may be in progress or available on request where applicable. Enterprise customers may execute our DPA for processor obligations.

No security measure guarantees absolute protection; you share responsibility for account hygiene and lawful use of the Service.

12. Contact Security

Security inquiries: contact@newsstudio.io.