This Cybersecurity Policy establishes the security controls, standards, and responsibilities for Data King LLC and its Chatter AI platform. It applies to all systems, personnel, and third-party vendors involved in the development, operation, and maintenance of the Chatter AI application.

| Tier | Classification | Examples |
|---|---|---|
| Tier 1 | Confidential | Brokerage API keys, JWT signing secrets, database credentials |
| Tier 2 | Sensitive | User PII (email, name), trade history, billing records |
| Tier 3 | Internal | Application logs, performance metrics |
| Tier 4 | Public | Terms of Use, Privacy Policy, marketing content |

Tier 1 data is stored exclusively in Google Cloud Secret Manager, never logged, and never transmitted in plain text. Tier 2 data is stored in Google Cloud SQL with AES-256 encryption at rest and transmitted only over TLS 1.2+.

All end-user access requires JWT authentication. Passwords are hashed with bcrypt; plaintext passwords are never stored. Google Cloud Console access is restricted to the Founder with 2FA enforced. All production infrastructure runs under least-privilege IAM service accounts. The database has no public IP and is accessible only via private VPC from Cloud Run services.

Dependencies are audited via npm audit before each production deployment. Critical/high CVEs are remediated within 7 days. The platform runs on Google Cloud Run (serverless), so the underlying OS and runtime are automatically patched by Google. Container images are scanned via Google Cloud Artifact Analysis.

| Severity | Description | Response Time |
|---|---|---|
| Critical | Data breach, unauthorized account access | < 1 hour |
| High | Full service outage, suspected intrusion | < 4 hours |
| Medium | Partial degradation, auth anomalies | < 24 hours |
| Low | Performance issues, non-security bugs | < 72 hours |

RTO: 4 hours. RPO: 24 hours. The database is backed up automatically every day with 7-day retention. Cloud Run services redeploy from Artifact Registry in under 10 minutes. Affected users are notified within 72 hours of a confirmed breach.

Chatter AI operates exclusively on Google Cloud Platform. No physical servers or data centers are maintained by Data King LLC. Google's data centers hold ISO 27001, SOC 2 Type II, and FedRAMP certifications. Developer workstations use full-disk encryption and 2FA for all cloud access.

| Vendor | Service | Certifications |
|---|---|---|
| Google LLC | Cloud Run, Cloud SQL, Secret Manager | ISO 27001, SOC 2 Type II, FedRAMP |
| Alpaca Securities LLC | Brokerage API | FINRA, SIPC |
| Stripe Inc. | Payment processing | PCI DSS Level 1, SOC 2 |
| Apple / Google | App distribution, IAP | ISO 27001 |

No third-party vendors are granted direct database access. All integrations are API-based with scoped credentials stored in Secret Manager.

This policy is reviewed annually or following a significant security incident. Policy Owner: Carl D Hays III, Founder — carl@data-king.ai. Next Review: April 28, 2027.