12. Security Measures & Vulnerability Disclosure
12.1 Commitment to Security
GEOReport is committed to maintaining appropriate technical, organizational, and administrative safeguards designed to protect the confidentiality, integrity, and availability of the Services and any data processed therein, including Personal Data.
12.2 Implemented Measures
Without limitation, GEOReport applies industry-standard security practices, including:
a) Encryption of data at rest and in transit using current cryptographic standards;
b) Access controls and role-based permissions to restrict data access to authorized personnel only;
c) Multi-factor authentication (MFA) for internal administrative access;
d) Segregation of environments (development, testing, and production) to prevent cross-contamination;
e) Logging and monitoring of system activity for detection of anomalies or unauthorized access;
f) Regular vulnerability scanning and patch management to mitigate emerging threats;
g) Business continuity and disaster recovery plans, including geographically redundant backups.
12.3 User Security Responsibilities
While GEOReport implements safeguards, Users are responsible for:
a) Maintaining the security of their endpoints, devices, and networks;
b) Enforcing strong password practices and MFA for their Accounts;
c) Ensuring proper access management of Authorized Users (onboarding, offboarding, and role assignment);
d) Promptly notifying GEOReport of any suspected compromise, breach, or misuse.
12.4 Incident Response & Breach Notification
In the event GEOReport becomes aware of a Personal Data Breach (as defined under GDPR) that is likely to result in a risk to the rights and freedoms of natural persons, GEOReport will:
a) Notify the User without undue delay, including known details about the nature of the breach, categories of data affected, and steps taken or planned for remediation;
b) Cooperate in good faith with the User’s reasonable requests to investigate and mitigate the impact of the incident;
c) Assist the User in fulfilling its regulatory obligations (e.g., GDPR Articles 33–34), where the User is the Controller.
12.5 Vulnerability Disclosure Program
GEOReport encourages responsible reporting of security vulnerabilities. Researchers and Users may submit findings to security@georeport.ai.
a) Submissions must be made in good faith, without exploitation of the vulnerability beyond the extent necessary to demonstrate its existence.
b) You must not access or exfiltrate data belonging to other Users, disrupt operations, or violate applicable laws during testing.
c) GEOReport will acknowledge valid submissions, investigate promptly, and may credit researchers at our discretion.
12.6 Disclaimer
While GEOReport takes reasonable steps to protect data and ensure security, no system is completely immune from compromise. GEOReport does not guarantee that the Services will be free from vulnerabilities, disruptions, or unauthorized access, but commits to diligent remediation of discovered risks.
