Plain-language summary
- We protect your data with sensible measures, such as encryption in transit, access controls, and audit logging.
- No system is ever perfectly secure, so we do not promise that. We describe what we do without over-promising.
- If you find a security bug, please tell us at security@clapideas.com before sharing it publicly.
- We aim to acknowledge, look into, and fix valid reports. We do not promise fixed timelines, and we do not run a paid bug bounty at this time.
- If you test in good faith and follow this policy, we will not pursue you. There are clear rules about what testing is not allowed.
- This is a draft and is not legal advice; counsel is reviewing it. Full program details and contacts are published on formal launch.
1. How we protect your data
We use technical and organisational measures that are appropriate to the risk. At a high level, these include:
- Encryption in transit — we use TLS/HTTPS for traffic between your device and the platform.
- Strong credential handling — passwords are hashed with Argon2id, and we never store plain-text passwords. Session cookies are marked Secure and HttpOnly.
- Access controls and least privilege — people and systems get only the access they need, and sensitive actions are restricted by role.
- Audit logging — we log sensitive actions so we can investigate and stay accountable.
- Dependency scanning — we scan our software dependencies for known vulnerabilities and update them.
- Monitoring with privacy in mind — we monitor for errors and anomalies, and our error monitoring scrubs personal data so it is not sent into reports.
These measures reduce risk; they do not remove it. We keep our practices under review and improve them over time. This section describes our approach and is not a warranty of any specific outcome. For how these measures apply where we act as a data processor on your behalf, see our Privacy Policy.
2. Reporting a vulnerability
If you believe you have found a security vulnerability, please tell us privately first, so we can fix it before it can be misused. Email security@clapideas.com.
To help us act quickly, please include, where you can:
- A clear description of the issue and why you think it is a security problem.
- The steps to reproduce it, including the URL, endpoint, or feature affected.
- Any proof-of-concept code, requests, or screenshots that show the issue.
- The potential impact, as you see it.
- How we can reach you for follow-up questions, and any test accounts you used, so we can tell your activity apart from an attack in our logs.
Please report promptly and give us a reasonable chance to fix the issue before any public disclosure. We will work with you on timing and will credit you if you would like, once the issue is resolved.
3. What you can expect from us
When you send a valid report in good faith, we aim to:
- Acknowledge that we received your report.
- Triage it — confirm whether it is a real issue and judge how serious it is.
- Fix confirmed issues as part of our normal security work, prioritised by risk.
- Keep you informed at reasonable points and let you know when the issue is resolved.
We do not promise specific response or fix timelines, and we do not offer monetary rewards or a bug bounty at this time. If we set up a formal program with defined timelines or rewards, we will publish the details on formal launch.
4. Good-faith safe harbour
We support good-faith security research. If you make a genuine, good-faith effort to follow this policy, then:
- We will treat your research as authorised under our terms.
- We will not pursue or support legal action against you for that research, including under computer-misuse rules, to the extent we lawfully can.
- We will work with you in good faith to understand and resolve the issue quickly.
This safe harbour applies only to your dealings with Clap Ideas. It cannot waive third-party rights, and it does not apply if you break the rules in section 5. If you are unsure whether something is allowed, ask us first at security@clapideas.com.
5. Prohibited testing
To keep users and their data safe, the following are not allowed, even during research:
- No data exfiltration — do not access, download, copy, alter, or keep personal data or other people’s data. If you come across such data, stop and tell us.
- No service disruption — no denial-of-service attacks, load or stress testing, or anything that could degrade or interrupt the service.
- No social engineering — do not target our staff, contractors, or users by phishing, pretexting, or similar tricks, and do not test our physical premises.
- No privacy violations — do not view, expose, or interact with other people’s accounts or content without permission. Use only test accounts you control.
- Stay within scope — test only systems that clearly belong to Clap Ideas. Do not test third-party services we rely on; report those to the relevant vendor.
- No automated mass scanning — avoid aggressive automated scans or high-volume requests that could harm performance.
- No public disclosure before a fix — do not reveal a vulnerability publicly until we have had a fair chance to address it and have agreed on timing with you.
Breaking these rules takes your activity outside the safe harbour and may breach our Acceptable Use Policy and applicable law.
6. Future security program
As the platform launches, we will publish up-to-date security contact details, the scope of systems in and out of bounds, and the terms of any formal disclosure program, including whether timelines or rewards apply. Until then, please use security@clapideas.com and treat this policy as a working draft.
7. Related policies & contact
Read this policy with our Privacy Policy, our API & Developer Terms, and our Acceptable Use Policy. To report a security issue, email security@clapideas.com.
Change history is tracked by document version; see the Legal Centre.