Security White Paper

NarrateKit Security Overview

Comprehensive security measures protecting your content and data

Last updated: January 2025 | Version: 2.1

Executive Summary

NarrateKit is an AI-powered content creation platform that handles sensitive brand information, creative assets, and strategic content. We implement enterprise-grade security measures to protect your data at every level of our infrastructure.

Key Security Highlights

  • End-to-end encryption for all data transmission and storage
  • SOC 2 Type II compliance framework (in progress)
  • Zero-trust architecture with multi-factor authentication
  • Regular third-party security audits and penetration testing
  • GDPR and CCPA compliant data handling practices

Infrastructure Security

Cloud Infrastructure

  • Hosting: Supabase (built on AWS infrastructure) with enterprise-grade SLA
  • CDN: Global content delivery with DDoS protection
  • Load Balancing: Distributed architecture with automatic failover
  • Monitoring: 24/7 infrastructure monitoring and alerting

Network Security

  • TLS 1.3: All connections encrypted with latest TLS standards
  • HSTS: HTTP Strict Transport Security enforced
  • Firewall: Web Application Firewall (WAF) with custom rules
  • Rate Limiting: API rate limiting to prevent abuse
  • IP Whitelisting: Available for enterprise customers

Data Protection

Encryption

  • At Rest: AES-256 encryption for all stored data
  • In Transit: TLS 1.3 for all data transmission
  • Application Level: Sensitive fields encrypted with unique keys
  • Key Management: Automated key rotation every 90 days
  • Database: PostgreSQL with row-level security (RLS)

Data Isolation

  • Multi-Tenancy: Logical data separation per customer
  • AI Models: Brand-specific training data never cross-contaminated
  • Access Controls: Role-based permissions with principle of least privilege
  • Data Residency: Customer choice of data storage regions

Access Control & Authentication

User Authentication

  • Multi-Factor Authentication (MFA): Required for all accounts
  • SSO Integration: Support for Google, Microsoft, and SAML providers
  • Session Management: Secure session tokens with automatic expiration
  • Password Policy: Strong password requirements with breach detection

Authorization Framework

Brand Users

  • Campaign management
  • Document upload
  • Creator invitations
  • Analytics access

Creator Users

  • Assigned campaigns
  • AI chat access
  • Content generation
  • Read-only documents

Admin Users

  • System management
  • Viral content library
  • User administration
  • Security monitoring
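As an added illustration (not NarrateKit's own schema or policies), the following shows how the PostgreSQL row-level security, per-customer data isolation and role capabilities listed above can be expressed on Supabase, so that a creator's "read-only documents" and a brand user's "document upload" are enforced by the database rather than only by the application. The table names, the brand_members membership table and the app_metadata admin flag are assumptions; auth.uid(), auth.jwt() and the authenticated role are the ones Supabase provides.

```sql
-- Hypothetical tenant membership: which users belong to which brand, and as what.
create table brand_members (
  brand_id uuid not null,
  user_id  uuid not null,                         -- matches auth.uid()
  role     text not null check (role in ('brand', 'creator')),
  primary key (brand_id, user_id)
);

-- Hypothetical documents table, keyed to a brand (the tenant).
create table documents (
  id       uuid primary key default gen_random_uuid(),
  brand_id uuid not null,
  owner_id uuid not null default auth.uid(),
  title    text not null,
  body     text not null
);

-- Deny by default: once RLS is enabled, a row with no matching policy is invisible.
-- FORCE also applies the policies to the table owner, who is otherwise exempt.
alter table documents enable row level security;
alter table documents force row level security;

-- Brand and creator users may read only documents of brands they are members of.
create policy documents_read on documents
  for select to authenticated
  using (
    exists (select 1 from brand_members m
            where m.brand_id = documents.brand_id
              and m.user_id  = auth.uid())
  );

-- Only brand users may upload, only into their own brand, and only as themselves.
-- Creators get no insert/update/delete policy at all, which makes them read-only.
create policy documents_upload on documents
  for insert to authenticated
  with check (
    owner_id = auth.uid()
    and exists (select 1 from brand_members m
                where m.brand_id = documents.brand_id
                  and m.user_id  = auth.uid()
                  and m.role     = 'brand')
  );

-- Admin users are identified here by an assumed is_admin flag in the JWT's
-- app_metadata (set server-side, never by the user) and may read all documents.
create policy documents_admin_read on documents
  for select to authenticated
  using (coalesce((auth.jwt() -> 'app_metadata' ->> 'is_admin')::boolean, false));
```

The brand_members table needs RLS and policies of its own (omitted here), otherwise membership rows are readable by any authenticated user; and Supabase's service-role key bypasses RLS entirely, so it must stay out of client code.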

AI & Model Security

AI Data Handling

  • Data Isolation: Each customer's training data is kept completely separate
  • Model Security: Custom fine-tuned models per brand to prevent data leakage
  • Input Sanitization: All user inputs validated and sanitized before processing
  • Output Filtering: AI responses filtered for sensitive information
  • Audit Trail: Complete logging of all AI interactions and model usage

Third-Party AI Services

Azure OpenAI Integration

  • Your data is NOT used to train OpenAI's general models
  • All API calls are encrypted and logged
  • Data processing agreements in place with Microsoft
  • Enterprise-grade Azure OpenAI service with enhanced security

Monitoring & Incident Response

Security Monitoring

  • 24/7 Monitoring: Continuous monitoring of all systems and applications
  • Anomaly Detection: AI-powered detection of unusual access patterns
  • Threat Intelligence: Integration with security threat feeds
  • Vulnerability Scanning: Automated daily scans of all systems
  • Log Analysis: Centralized logging with real-time analysis

Incident Response Plan

Response Timeline

  • 0-15 minutes: Automated detection and alert
  • 15-30 minutes: Security team activation
  • 30-60 minutes: Containment and assessment
  • 1-4 hours: Customer notification (if affected)
  • 24-48 hours: Full incident report and remediation

Compliance & Certifications

Current Compliance

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • PIPEDA (Personal Information Protection and Electronic Documents Act)

In Progress

  • SOC 2 Type II (Expected Q2 2025)
  • ISO 27001 (Planned 2025)
  • HIPAA (For healthcare customers)

Security Practices

Development Security

  • Secure SDLC: Security integrated throughout development lifecycle
  • Code Reviews: Mandatory security-focused code reviews
  • Dependency Scanning: Automated scanning for vulnerable dependencies
  • Static Analysis: Automated code security analysis
  • Penetration Testing: Quarterly third-party security assessments

Employee Security

  • Background Checks: Comprehensive screening for all employees
  • Security Training: Regular security awareness training
  • Access Reviews: Quarterly access permission reviews
  • Incident Training: Regular incident response drills

Reporting Security Issues

Responsible Disclosure

We welcome security researchers and users to report potential vulnerabilities. We commit to:

  • Acknowledge reports within 24 hours
  • Provide initial assessment within 72 hours
  • Keep reporters informed throughout the process
  • Credit security researchers (with permission)

Security Contact:

security@narratekit.com

PGP Key: Available on request | Response time: <24 hours

Questions & Contact

For security questions, compliance requests, or to report security issues:

  • Security Team: security@narratekit.com
  • Compliance: compliance@narratekit.com
  • Privacy Officer: privacy@narratekit.com
  • General Inquiries: support@narratekit.com

Enterprise Customers: Additional security documentation, compliance reports, and security questionnaire responses are available upon request through your account manager.