# 🔐 SECURITY.md

_Nature In Pots Community – Data & Platform Security Policy_

---

## 🔒 Overview

This document outlines the security practices, encryption policies, and recovery procedures used by the **Nature In Pots Community** platform. Our goal is to maintain the privacy and integrity of user data while offering secure collaboration, recovery, and administrative tooling where appropriate.

---

## ✅ Security Principles

We follow a simple core policy:

> **Your data is yours.** You choose who sees it, how it's stored, and what happens to it.

To support this, we implement:

- **End-to-End Encryption (E2EE)** for sensitive records.
- **User-controlled privacy flags** and public visibility toggles.
- **Role-based access control** for owners, groups, vendors, and admins.
- **Optional key escrow** to allow secure, auditable recovery when necessary.
- **Strict audit trails** for all user and admin actions.
- **Granular ownership transfers** that preserve privacy unless explicitly permitted.

---

## 🧑‍🌾 User Data Encryption

When a user creates or imports plants, grow logs, health reports, media, or related records, the following options apply for encryption and recovery:

### 🔐 Option 1: Maximum Privacy Mode (No Escrow)

- Data is encrypted with a user-owned key that is never shared with the server.
- Only the user can decrypt or transfer ownership.
- If the key is lost, **data is unrecoverable**. Even admins cannot assist.

### 🗝️ Option 2: Recovery-Enabled Mode (Escrow)

- A securely wrapped recovery key is stored using *key escrow*.
- Admins may **transfer ownership** of encrypted records to a new user (e.g., due to account inactivity or verified reassignment), but cannot read or decrypt the data.
- All access and recovery actions are **audited** and must be explicitly justified.

Users are prompted to choose between these options on signup and may change their preference at any time from **Account Settings → Privacy Options**.
#### TL;DR (Explain Like I’m 5)

- **Full Privacy Mode**: Only you have the key to your secret garden. Lose it = locked out forever.
- **Recovery Mode (Default)**: Still private, but we keep a spare key in a vault. We can give your garden to a new gardener if needed, but we still can’t peek inside.

---

## 🧑‍🤝‍🧑 Groups, Vendors, and Collectives

A "collective identity" (e.g., vendor, grow group, brand) may be created and owned by one or more users.

- Each collective has its own permission rules.
- Permissions include: `read`, `edit`, `propose changes`, `submit grow logs`, `mark as sold`, and `manage members`.
- Collective-owned content inherits the encryption mode of the creator or the designated owner.

All actions taken under a collective identity are tagged with the acting user and timestamped.

---

## 🔁 Ownership & Record Transfers

Records (plants, logs, vendors, mixes, etc.) can be transferred between:

- Individuals ↔ Individuals
- Individuals ↔ Vendors / Groups
- Vendors ↔ Vendors

**Transfer rules:**

| Encryption Mode | Owner Action Required | Admin Recovery Allowed |
|-----------------|-----------------------|------------------------|
| No Escrow | ✅ Yes | ❌ No |
| Escrow Enabled | 🚫 Optional (if owner inactive) | ✅ Yes |

All transfers are logged with before/after states and include initiator ID, reason, and timestamp.

---

## 🪵 Audit Logging

All significant actions are audit-logged:

- Logins, failed logins, and 2FA attempts
- Data modifications (create, edit, delete)
- Media uploads
- Grow log entries
- Transfers and permission changes
- Escrow-based recoveries

Logs are not publicly accessible but may be disclosed to the user on request or subpoena.
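The two encryption modes and the transfer table above describe a policy, not a mechanism. The following is an added example (not Nature In Pots project code) of one envelope-encryption layout that satisfies both: each record gets its own data-encryption key (DEK), the DEK is sealed for the owner and, in escrow mode only, also for a separate escrow service; an owner can always re-wrap the DEK for a new owner, an admin can only ask the escrow service to do so for escrow-enabled records, and a no-escrow record cannot be transferred without its owner. The record layout, the `EscrowService` interface, and the assumption that the new owner's key-encryption key is presented to the escrow boundary at transfer time are all assumptions of this example; the cipher is a standard-library stand-in, as noted in `seal()`.

```python
"""Added example (not Nature In Pots project code): per-record envelope
encryption with optional key escrow. The DEK is sealed for the owner and, in
escrow mode, also for a separate escrow service; transfers re-wrap the DEK,
never the content, and the application server never sees a DEK in the clear."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


class TransferDenied(Exception):
    pass


def derive_kek(passphrase: str, salt: bytes) -> bytes:
    # Key-encryption key derived from the user's passphrase at login; never stored server-side.
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, 32)


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks = (hmac.new(enc_key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range(length // 32 + 1))
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    # Stand-in AEAD (HMAC-SHA256 keystream, encrypt-then-MAC) so the example runs on the
    # standard library alone. Production code uses AES-GCM or ChaCha20-Poly1305 instead.
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, "sha256").digest()


def unseal(key: bytes, blob: bytes) -> bytes:
    enc_key = hmac.new(key, b"enc", "sha256").digest()
    mac_key = hmac.new(key, b"mac", "sha256").digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, "sha256").digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(c ^ s for c, s in zip(ct, _keystream(enc_key, nonce, len(ct))))


@dataclass
class Record:
    owner: str
    mode: str                        # "no_escrow" or "escrow"
    ciphertext: bytes                # content sealed with the per-record DEK
    dek_for_owner: bytes             # DEK sealed with the owner's KEK
    dek_for_escrow: Optional[bytes]  # DEK sealed with the escrow key (escrow mode only)


class EscrowService:
    """Boundary that holds the recovery key (an HSM or separate service in a real
    deployment). Admins can only ask it to re-wrap a DEK; it never returns one."""

    def __init__(self) -> None:
        self._recovery_key = secrets.token_bytes(32)
        self.audit = []   # every recovery is recorded with the admin and the reason

    def wrap(self, dek: bytes) -> bytes:
        return seal(self._recovery_key, dek)

    def rewrap(self, dek_for_escrow: bytes, new_owner_kek: bytes, admin: str, reason: str) -> bytes:
        dek = unseal(self._recovery_key, dek_for_escrow)   # DEK in the clear only inside this boundary
        self.audit.append(f"{admin}: {reason}")
        return seal(new_owner_kek, dek)


def create_record(owner: str, owner_kek: bytes, mode: str, plaintext: bytes,
                  escrow: EscrowService) -> Record:
    dek = secrets.token_bytes(32)   # fresh key per record; plaintext never reaches the server
    return Record(owner, mode, seal(dek, plaintext), seal(owner_kek, dek),
                  escrow.wrap(dek) if mode == "escrow" else None)


def read_record(record: Record, kek: bytes) -> bytes:
    return unseal(unseal(kek, record.dek_for_owner), record.ciphertext)


def transfer(record: Record, new_owner: str, new_owner_kek: bytes, escrow: EscrowService,
             owner_kek: Optional[bytes] = None, admin: Optional[str] = None,
             reason: Optional[str] = None) -> Record:
    """Implements the transfer table: the owner can always transfer; an admin can
    only recover escrow-enabled records, and only with a recorded reason."""
    if owner_kek is not None:                                   # owner-initiated transfer
        new_wrap = seal(new_owner_kek, unseal(owner_kek, record.dek_for_owner))
    elif record.mode == "escrow" and admin and reason and record.dek_for_escrow:
        new_wrap = escrow.rewrap(record.dek_for_escrow, new_owner_kek, admin, reason)
    else:
        raise TransferDenied(f"{record.mode} record needs its owner to transfer it")
    # Content bytes are untouched: only the key wrapping changes hands.
    return Record(new_owner, record.mode, record.ciphertext, new_wrap, record.dek_for_escrow)
```

The point to check in a design like this is where a DEK ever exists unwrapped: in `read_record` it is on the user's side, and in `rewrap` it is inside the escrow boundary; the application server only ever stores and forwards sealed blobs, which is what makes the "can transfer but cannot read" promise hold. Losing the passphrase of a `no_escrow` record leaves only a sealed DEK with no second wrapping, so the record is unrecoverable by construction.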
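The audit-logging section promises that admins cannot alter audit trails. As an added example (not the project's own code), here is one way to make that promise checkable rather than merely declared: a hash-chained log in which every entry commits to its predecessor, plus a per-entry MAC under a key held only by the logging service. The entry fields, the `GENESIS` value and the signing key are assumptions of this example, and the sample entries are constructed.

```python
"""Added example (not the project's own code): a hash-chained, MAC'd audit log.
Each entry commits to the previous entry's hash, so an admin who edits or
deletes an entry breaks every later link; the per-entry MAC, keyed by the
logging service, stops an admin from simply recomputing the chain."""
import hashlib
import hmac
import json

GENESIS = "0" * 64


def _chain_hash(prev_hash: str, entry: dict) -> str:
    body = json.dumps(entry, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode()).hexdigest()


class AuditLog:
    def __init__(self, signing_key: bytes) -> None:
        self._key = signing_key   # held by the logging service, not exposed to admin tooling
        self.entries = []

    def append(self, actor: str, action: str, target: str, ts: str, reason: str = "") -> dict:
        prev = self.entries[-1]["hash"] if self.entries else GENESIS
        entry = {"seq": len(self.entries), "ts": ts, "actor": actor,
                 "action": action, "target": target, "reason": reason}
        entry["hash"] = _chain_hash(prev, entry)
        entry["mac"] = hmac.new(self._key, entry["hash"].encode(), "sha256").hexdigest()
        self.entries.append(entry)
        return entry

    def head(self) -> str:
        # Checkpoint this externally (e.g. publish it daily): a chain on its own
        # cannot tell that its newest entries were trimmed off the end.
        return self.entries[-1]["hash"] if self.entries else GENESIS

    def verify(self) -> tuple:
        """Return (ok, index, detail); index is the first bad entry, or the length if ok."""
        prev = GENESIS
        for i, e in enumerate(self.entries):
            core = {k: v for k, v in e.items() if k not in ("hash", "mac")}
            if e["seq"] != i:
                return (False, i, "sequence gap: an entry was removed or reordered")
            if _chain_hash(prev, core) != e["hash"]:
                return (False, i, "hash mismatch: entry content was altered")
            expected_mac = hmac.new(self._key, e["hash"].encode(), "sha256").hexdigest()
            if not hmac.compare_digest(expected_mac, e["mac"]):
                return (False, i, "mac mismatch: chain was recomputed without the key")
            prev = e["hash"]
        return (True, len(self.entries), "ok")


def build_sample_log() -> AuditLog:
    # Constructed sample entries mirroring the event types this policy says are logged.
    log = AuditLog(b"constructed-demo-key-not-for-production")
    log.append("alice", "login", "session", "2024-05-01T09:00:00Z")
    log.append("alice", "create", "plant:42", "2024-05-01T09:02:10Z")
    log.append("admin:root", "escrow_recovery", "plant:42", "2024-05-20T14:11:03Z",
               reason="owner inactive 12 months; reassigned to bob")
    return log
```

Run `build_sample_log().verify()` to see a clean chain, then edit or delete an entry in `entries` and run it again: content edits show up as a hash mismatch at that index, a deleted middle entry as a sequence gap, and an attempt to repair the hashes without the key as a MAC mismatch. The one thing this structure cannot catch on its own is truncation of the tail, which is why `head()` exists to be anchored somewhere the logging service does not control.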
---

## ⚠️ Admin Privileges & Limitations

Admins can:

- Approve or remove public content
- Recover records **only** under escrow-enabled mode
- View metadata (timestamps, image hashes, plant IDs)

Admins can **not**:

- Decrypt user content in maximum privacy mode
- Alter audit trails or impersonate users

---

## 🧪 Developer Guidelines

### Secret Management

- All crypto secrets must be kept in `.env` or secure vaults.
- Never commit user-generated keys or tokens to Git.

### Input Sanitization

- All user inputs are escaped before rendering.
- Media uploads are validated and stripped of EXIF/GPS metadata.

### TLS & HTTPS

- All public and private routes must use HTTPS.
- Local dev servers use self-signed certs or an SSL proxy.

---

## 🛡️ Future Features (Planned)

- ✅ Invite-only registration support
- ✅ Per-record expiration and auto-archival
- 🔒 Self-destructing records (for sensitive notes)
- 🧬 Cryptographic signatures on propagation history
- 🧾 Printable audit exports per plant/vendor

---

## 📞 Contact & Reporting Security Issues

If you find a vulnerability or need to report a breach:

- Email: [security@natureinpots.com](mailto:security@natureinpots.com)
- PGP Key: Coming soon
- Please include reproduction steps and affected data

---

_This document is maintained by the Nature In Pots security team. Last updated: {{ current_year }}._
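The Developer Guidelines above require that media uploads be validated and stripped of EXIF/GPS metadata. As an added example (not the project's own code), the following dependency-free JPEG segment walker does both for one format: it rejects anything that is not a well-formed JPEG container and drops the APP1 (Exif, XMP) and APP13 (IPTC) segments before storage, leaving the JFIF header, colour profile and the encoded pixels untouched. The marker set in `STRIP_MARKERS` is this example's choice, and `SAMPLE_JPEG` is constructed by hand, not a real photograph.

```python
"""Added example (not the project's own code) for the "stripped of EXIF/GPS
metadata" guideline: a dependency-free JPEG segment walker that validates the
container and drops the metadata segments before a file is stored."""

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA
# APP1 carries Exif (GPS, camera serial) and XMP; APP13 carries IPTC/Photoshop
# metadata. APP0 (JFIF) and APP2 (ICC colour profile) are kept so the image
# still renders correctly.
STRIP_MARKERS = {0xE1, 0xED}


def _segments(data: bytes):
    """Yield (marker, segment_bytes, end_offset) for each header segment up to
    and including SOS, raising ValueError on anything that is not well-formed."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    i = 2
    while i + 4 <= len(data):
        if data[i] != 0xFF:
            raise ValueError(f"corrupt marker at offset {i}")
        marker = data[i + 1]
        if marker == 0xFF:          # fill byte between segments; skip it
            i += 1
            continue
        length = int.from_bytes(data[i + 2:i + 4], "big")
        end = i + 2 + length
        if length < 2 or end > len(data):
            raise ValueError(f"truncated segment 0x{marker:02X} at offset {i}")
        yield marker, data[i:end], end
        if marker == SOS:           # entropy-coded scan data follows; header parsing ends here
            return
        i = end
    raise ValueError("no SOS segment: not a decodable JPEG")


def list_segments(data: bytes) -> list:
    return [marker for marker, _, _ in _segments(data)]


def strip_jpeg_metadata(data: bytes) -> tuple:
    """Return (cleaned_bytes, removed_markers). The scan data after SOS is
    copied through untouched, so pixels are never re-encoded."""
    if not data.endswith(b"\xff\xd9"):
        raise ValueError("not a JPEG: missing EOI")
    out, removed = bytearray(b"\xff\xd8"), []
    for marker, segment, end in _segments(data):
        if marker in STRIP_MARKERS:
            removed.append(marker)
            continue
        out += segment
        if marker == SOS:
            out += data[end:]       # scan data through EOI, unchanged
    return bytes(out), removed


def _segment(marker: int, payload: bytes) -> bytes:
    return bytes([0xFF, marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


# Constructed minimal JPEG: JFIF header, an Exif APP1 block, a quantisation
# table, a one-component SOS and a few bytes of fake scan data.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00MM\x00*\x00\x00\x00\x08" + b"constructed GPS IFD bytes")
    + _segment(0xDB, b"\x00" + bytes(range(64)))
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56"
    + b"\xff\xd9"
)
```

Calling `strip_jpeg_metadata(SAMPLE_JPEG)` returns the file with only the APP1 block removed and reports `[0xE1]` as what it dropped; feeding it a non-JPEG raises `ValueError`, which is the validation step. The same structural approach (walk the container, keep an allow-list of segments) applies to PNG chunks and other formats, but each needs its own parser; for real uploads, also check that a file claimed to be one type actually parses as that type rather than trusting its extension.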