Security Practices
Last Updated: Mar 8, 2026
SnackSafe Inc. is committed to protecting the security of the SnackSmart mobile application, website and web-platform (collectively, the “Services”) and the information processed through the Services. We maintain a written security program that is reviewed and updated periodically based on changes to the Services, our risk assessments, and evolving security threats.
Overview
We use administrative, technical, and organizational measures to help protect personal information and other data against unauthorized access, disclosure, alteration, and destruction. These measures include access controls, encryption, and monitoring, as described below. No method of transmission or storage is completely secure; however, we work to maintain safeguards appropriate to the nature of the information and the risks presented.
Access Controls
- Access to internal systems and production data is limited to authorized personnel based on role and business need (least privilege). Access is provisioned through a formal joiner-mover-leaver process and removed promptly when no longer required.
- We require multi-factor authentication (MFA) for staff access to systems that support the Services, including administrative access where applicable.
Encryption
- We use encryption in transit (for example, TLS) to help protect data transmitted to and from the Services, and we configure supported services to use current, secure protocol versions.
- We use encryption at rest for systems that store sensitive data (such as account credentials and other confidential information), including backups where supported by our service providers and infrastructure. We manage encryption keys using appropriate access restrictions and key-management controls.
Monitoring and Vulnerability Management
- We use logging and monitoring tools designed to help identify, investigate, and respond to suspicious activity. Logs are retained for a period that is appropriate to operational and security needs.
- We maintain processes to assess, prioritize, and remediate security vulnerabilities, including applying security updates and patches and performing periodic vulnerability scanning. We track remediation based on severity and risk.
Service Providers
We use service providers to support the Services (for example, cloud hosting, authentication, analytics, communications, and security providers). We evaluate service providers in a manner proportionate to risk, which may include reviewing relevant security documentation (such as SOC 2 or ISO 27001 reports where available), and require appropriate contractual protections (including confidentiality, data protection, and security obligations) consistent with the services provided.
Children’s Data
Where the Services are used by children under 13, we take additional steps designed to protect children’s personal information, consistent with applicable law. These steps may include obtaining any required parental consent and limiting collection and use of children's personal information to what is reasonably necessary to provide the Services.
Incident Response
We maintain an incident response process designed to address and mitigate security incidents, including procedures for identification, containment, remediation, and recovery. Where required by applicable law, we will provide notices related to certain security incidents involving personal information to affected individuals and/or regulators.
Contact
If you have questions about our security practices, please contact us at: security@SnackSmart.ai
