5.1 KiB
🔐 SECURITY.md
Nature In Pots Community – Data & Platform Security Policy
🔒 Overview
This document outlines the security practices, encryption policies, and recovery procedures used by the Nature In Pots Community platform. Our goal is to maintain the privacy and integrity of user data while offering secure collaboration, recovery, and administrative tooling where appropriate.
✅ Security Principles
We follow a simple core policy:
Your data is yours. You choose who sees it, how it's stored, and what happens to it.
To support this, we implement:
- End-to-End Encryption (E2EE) for sensitive records.
- User-controlled privacy flags and public visibility toggles.
- Role-based access control for owners, groups, vendors, and admins.
- Optional key escrow to allow secure, auditable recovery when necessary.
- Strict audit trails for all user and admin actions.
- Granular ownership transfers that preserve privacy unless explicitly permitted.
🧑🌾 User Data Encryption
When a user creates or imports plants, grow logs, health reports, media, or related records, the following options apply for encryption and recovery:
🔐 Option 1: Maximum Privacy Mode (No Escrow)
- Data is encrypted with a user-owned key never shared with the server.
- Only the user can decrypt or transfer ownership.
- If the key is lost, data is unrecoverable. Even admins cannot assist.
🗝️ Option 2: Recovery-Enabled Mode (Escrow)
- A securely wrapped recovery key is stored using key escrow.
- Admins may transfer ownership of encrypted records to a new user (e.g., due to account inactivity or verified reassignment), but cannot read or decrypt the data.
- All access and recovery actions are audited and must be explicitly justified.
Users are prompted to choose between these options on signup and may change their preference at any time from Account Settings → Privacy Options.
TL;DR (Explain Like I’m 5)
- Full Privacy Mode: Only you have the key to your secret garden. Lose it = locked out forever.
- Recovery Mode (Default): Still private, but we keep a spare key in a vault. We can give your garden to a new gardener if needed, but we still can’t peek inside.
🧑🤝🧑 Groups, Vendors, and Collectives
A "collective identity" (e.g., vendor, grow group, brand) may be created and owned by one or more users.
- Each collective has its own permission rules.
- Permissions include:
read,edit,propose changes,submit grow logs,mark as sold, andmanage members. - Collective-owned content inherits the encryption mode of the creator or the designated owner.
All actions taken under a collective identity are tagged with the acting user and timestamped.
🔁 Ownership & Record Transfers
Records (plants, logs, vendors, mixes, etc.) can be transferred between:
- Individuals ↔ Individuals
- Individuals ↔ Vendors / Groups
- Vendors ↔ Vendors
Transfer rules:
| Encryption Mode | Owner Action Required | Admin Recovery Allowed |
|---|---|---|
| No Escrow | ✅ Yes | ❌ No |
| Escrow Enabled | 🚫 Optional (if owner inactive) | ✅ Yes |
All transfers are logged with before/after states and include initiator ID, reason, and timestamp.
🪵 Audit Logging
All significant actions are audit-logged:
- Logins, failed logins, and 2FA attempts
- Data modifications (create, edit, delete)
- Media uploads
- Grow log entries
- Transfers and permission changes
- Escrow-based recoveries
Logs are not publicly accessible but may be disclosed to the user on request or subpoena.
⚠️ Admin Privileges & Limitations
Admins can:
- Approve or remove public content
- Recover records only under escrow-enabled mode
- View metadata (timestamps, image hashes, plant IDs)
- Not decrypt user content in maximum privacy mode
- Not alter audit trails or impersonate users
🧪 Developer Guidelines
Secret Management
- All crypto secrets must be kept in
.envor secure vaults. - Never commit user-generated keys or tokens to Git.
Input Sanitization
- All user inputs are escaped before rendering.
- Media uploads are validated and stripped of EXIF/GPS metadata.
TLS & HTTPS
- All public and private routes must use HTTPS.
- Local dev servers use self-signed certs or SSL proxy.
🛡️ Future Features (Planned)
- ✅ Invite-only registration support
- ✅ Per-record expiration and auto-archival
- 🔒 Self-destructing records (for sensitive notes)
- 🧬 Cryptographic signatures on propagation history
- 🧾 Printable audit exports per plant/vendor
📞 Contact & Reporting Security Issues
If you find a vulnerability or need to report a breach:
- Email: security@natureinpots.com
- PGP Key: Coming soon
- Please include reproduction steps and affected data
This document is maintained by the Nature In Pots security team. Last updated: {{ current_year }}.