Security Policy
Last updated: March 21, 2026
The English version of this document is the authoritative one. Translated versions are provided for convenience only and are not legally binding.
1. Our Commitment to Security
At lnk24co Inc. ("lnk24co," "we," "us," or "our"), security is a foundational priority. We are committed to protecting the confidentiality, integrity, and availability of our customers' data and our platform. This Security Policy describes the technical and organizational measures we implement to safeguard your information when you use our link shortening platform and related services (the "Services").
2. Infrastructure Security
Our production infrastructure is designed for high availability, resilience, and security:
- Cloud Hosting: Our Services are hosted on enterprise-grade cloud infrastructure in geographically distributed regions. Our cloud providers maintain SOC 2 Type II compliance with physical security controls including biometric access, 24/7 surveillance, and environmental protections.
- Encryption at Rest: All data stored in our databases, object storage, and backups is encrypted using AES-256 encryption with keys managed through dedicated key management services with automatic rotation.
- Encryption in Transit: All communications between clients and our servers are encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HTTPS across all endpoints and use HSTS headers with a minimum one-year max-age.
- Network Isolation: All production systems reside in private network segments with strict segmentation. External access is restricted to load balancers, and internal services communicate over private networks that are not accessible from the public internet.
- Firewall Rules: Ingress and egress traffic is controlled by stateful firewalls with default-deny rules. Only explicitly allowed traffic patterns are permitted.
- DDoS Protection: Our infrastructure is protected by enterprise-grade DDoS mitigation services that provide automatic detection and absorption of volumetric, protocol, and application-layer attacks.
3. Application Security
We follow industry best practices to secure our application layer, covering the OWASP Top 10 risk categories and beyond:
- Input Validation: All user-supplied input is validated on the server before it is used; client-side validation is applied for usability only and is never relied on as a security control. Validation checks expected type, length, and format rather than stripping characters, and is complemented by the output encoding and parameterized queries described below.
- Output Encoding: All dynamic content rendered in the browser is properly encoded to prevent cross-site scripting (XSS) attacks.
- CSRF Protection: All state-changing operations are protected against cross-site request forgery using synchronizer tokens and SameSite cookie attributes.
- SQL Injection Prevention: All database queries use parameterized statements or ORM-generated queries. Raw SQL interpolation is prohibited by policy and enforced through code review and static analysis.
- XSS Protection and Content Security Policy: We take a defense-in-depth approach: output encoding as above, DOM sanitization of any HTML that must be rendered from user input, and a strict Content Security Policy header deployed on every page that restricts the sources from which scripts, styles, images, and other resources may load, so that an injected script is blocked even if an encoding gap is found.
- Rate Limiting: API endpoints and authentication flows are protected by rate limiting to prevent brute-force attacks, abuse, and resource exhaustion.
4. Authentication & Access
We implement robust authentication and access control mechanisms:
- Password Hashing: User passwords are hashed using bcrypt with an appropriate work factor. Plaintext passwords are never stored or logged.
- JWT with Expiration: Authentication tokens are issued as signed JSON Web Tokens (JWTs) with short expiration times. Refresh tokens are rotated on use and can be revoked individually.
- Multi-Factor Authentication (MFA): Users may enable optional MFA using TOTP-based authenticator apps or hardware security keys (FIDO2/WebAuthn) for an additional layer of account protection.
- Role-Based Access Control (RBAC): Access to resources and features is governed by role-based permissions. Users are granted the minimum level of access required for their role within a workspace or organization.
- API Key Management: API keys can be created with scoped permissions and expiration dates. Keys can be rotated or revoked at any time through the dashboard. All API key usage is logged.
5. Data Protection
We take a privacy-first approach to data handling:
- Minimal Data Collection: We collect only the data necessary to provide and improve our Services. We do not collect or store data beyond what is required for the functionality you use.
- Data Encryption: All personal data and sensitive information is encrypted at rest using AES-256 and in transit using TLS 1.2+.
- Regular Backups: Automated daily backups are performed with point-in-time recovery capability. Backups are encrypted and stored in a geographically separate region from the primary data.
- Retention Policies: Data is retained only for as long as necessary to fulfill the purposes for which it was collected or as required by applicable law. Retention periods are defined for each data category and enforced automatically.
- Secure Deletion: When data is deleted, whether by user request or policy enforcement, it is permanently and irreversibly removed from all primary storage systems and backups within a reasonable timeframe.
6. Web Tools Security
For browser-based tools offered through our Services (such as QR code generation and link previews), we apply the following security principles:
- All processing is performed client-side within the user's browser. Data entered into web tools is not transmitted to our servers.
- No inputs or outputs from web tools are logged, stored, or tracked by our systems.
- Cryptographic operations within web tools use the Web Crypto API, the browser-native interface that provides cryptographically strong random number generation and standard cryptographic algorithms, so no third-party cryptography libraries are shipped to the browser.
7. Incident Response
We maintain a documented incident response plan that is tested and updated regularly. Our incident response process follows four stages:
- Detection & Containment: Security incidents are identified through automated monitoring, alerting, and anomaly detection. Upon detection, the affected systems or components are immediately isolated to prevent further impact.
- Eradication: The root cause of the incident is identified and eliminated. Compromised credentials are rotated, malicious artifacts are removed, and affected systems are rebuilt from known-good images where necessary.
- Recovery: Affected services are restored from verified backups and returned to normal operation with enhanced monitoring in place.
- Notification: Affected customers and, where required, the relevant supervisory authority are notified without undue delay and no later than 72 hours after we become aware of a personal data breach, as the GDPR requires, and in line with other applicable data protection regulations.
All significant incidents undergo a blameless post-incident review. Findings are documented, root causes are analyzed, and remediation actions are tracked to completion. Incident response procedures are tested through tabletop exercises at least twice per year.
8. Vulnerability Disclosure & Bug Bounty
We welcome and encourage responsible security research. If you discover a security vulnerability in our Services, please report it to us through our responsible disclosure program.
How to Report
- Email: [email protected]
- PGP Key: Available at lnk24co.com/.well-known/security.txt
What to Include
- A detailed description of the vulnerability and its potential impact
- Step-by-step instructions to reproduce the issue
- Any proof-of-concept code, screenshots, or video recordings
- Your contact information for follow-up communication
- The affected URL(s), endpoint(s), or component(s)
Scope
In scope:
- *.lnk24co.com (all subdomains)
- The lnk24co API
- The lnk24co web application and dashboard
Out of scope:
- Social engineering attacks (e.g., phishing) against lnk24co employees or users
- Denial-of-service (DDoS) attacks
- Third-party services, integrations, or websites not operated by lnk24co
- Vulnerabilities in software or infrastructure not maintained by lnk24co
Response Timeline
- Acknowledgement: We will acknowledge receipt of your report within 48 hours.
- Triage: We will provide an initial assessment and severity classification within 5 business days.
- Updates: We will keep you informed of our progress toward remediation at reasonable intervals.
Safe Harbor
We will not pursue legal action against security researchers who report vulnerabilities in good faith and comply with this policy. We consider good-faith security research to be authorized activity and will not initiate legal proceedings against researchers who act in accordance with this disclosure program. We ask that researchers do not publicly disclose vulnerabilities until we have had a reasonable opportunity to address them, and that they do not access, modify, or delete data belonging to other users during their research.
9. Compliance
We maintain compliance with the following standards and regulatory frameworks:
- GDPR: We comply with the General Data Protection Regulation (EU 2016/679) and have implemented appropriate technical and organizational measures. See our Data Processing Agreement for details.
- CCPA/CPRA: We comply with the California Consumer Privacy Act and the California Privacy Rights Act. See our Privacy Policy for details on your California privacy rights.
- SOC 2 Type II (Planned): We are working toward SOC 2 Type II certification covering the Trust Services Criteria for Security, Availability, and Confidentiality. Audit timeline and reports will be made available to enterprise customers upon completion.
- Penetration Testing: Independent third-party penetration tests are conducted at least annually. Executive summaries are available to enterprise customers under NDA upon request.
10. Third-Party Security
We take a rigorous approach to evaluating and managing the security posture of our third-party vendors and partners:
- Vendor Assessment: All third-party vendors with access to customer data or critical infrastructure undergo a security assessment prior to engagement, including review of their security certifications, policies, and incident history.
- Sub-Processor Agreements: Vendors that process personal data on our behalf are bound by data processing agreements that require them to maintain security measures at least as protective as our own.
- Regular Review: Third-party relationships are reviewed at least annually to confirm continued compliance with our security requirements. Vendors that fall short are required to remediate the gaps or are replaced.
11. Employee Security
We maintain rigorous security practices for all employees and contractors:
- Background Checks: Background checks are conducted for all employees and contractors with access to customer data or production systems.
- Security Training: Security awareness training is mandatory for all employees upon hire and annually thereafter, covering topics such as phishing, social engineering, secure coding practices, and data handling.
- Least Privilege: All access to production systems and customer data is granted on a need-to-know basis. Access reviews are conducted quarterly, and access is promptly revoked upon role changes or termination.
- Confidentiality: All employees and contractors are required to sign non-disclosure agreements (NDAs) and are bound by data protection obligations as a condition of their engagement.
12. Disclaimer
While we implement commercially reasonable security measures to protect our Services and your data, no method of electronic transmission or storage is 100% secure. We cannot guarantee the absolute security of your information.
TO THE MAXIMUM EXTENT PERMITTED BY APPLICABLE LAW, LNK24CO INC. DISCLAIMS ALL LIABILITY FOR ANY UNAUTHORIZED ACCESS TO, OR ALTERATION, THEFT, LOSS, OR DESTRUCTION OF, DATA ARISING FROM CIRCUMSTANCES BEYOND OUR REASONABLE CONTROL, INCLUDING BUT NOT LIMITED TO BREACHES RESULTING FROM ZERO-DAY VULNERABILITIES, ADVANCED PERSISTENT THREATS, OR FORCE MAJEURE EVENTS, DESPITE OUR IMPLEMENTATION OF THE SECURITY MEASURES DESCRIBED IN THIS POLICY.
13. Contact
If you have questions about our security practices, need to report a security concern, or wish to request compliance documentation, please contact us at:
- Security Team: [email protected]
- Data Protection Officer: [email protected]
- Address: lnk24co Inc., 123 Link Street, Suite 400, San Francisco, CA 94105, United States
14. Last Updated
This Security Policy was last updated on March 21, 2026. We may update this policy from time to time to reflect changes in our security practices, technology, or legal requirements. Material changes will be communicated through our website and, where appropriate, via email notification.