Security overview

Effective 18 May 2026. This page summarises the security posture maintained by Dina Holdings LLC and inherited by every subsidiary in the portfolio.

Governance

  • Information Security Policy maintained, reviewed annually, and applied across every venture
  • Designated security owner at the holding level with defined authority and budget
  • Annual security awareness training for every team member with recorded acknowledgement
  • Vendor risk management process with documented sub-processor inventory

Identity and access

  • Single sign-on with multi-factor authentication required for every production system
  • Role-based access control with the principle of least privilege
  • Quarterly access reviews with documented decisions
  • Onboarding and offboarding checklists with 24-hour revocation target

Encryption and data protection

  • TLS 1.2 or higher on every public endpoint
  • HTTP Strict Transport Security with a two-year max-age and preload
  • Encryption at rest for databases and object storage using vendor-managed keys
  • Row-Level Security on multi-tenant database schemas
  • Customer credentials hashed with industry-standard algorithms

Application security

  • Pull request review required for every change to production
  • Automated dependency monitoring with criticality-based patch SLAs
  • Static analysis on every push, blocking on high-severity findings
  • Runtime error monitoring with automatic alerting
  • Content Security Policy, X-Content-Type-Options, X-Frame-Options, and Referrer-Policy headers set on all responses

Infrastructure

  • Hosting on Vercel edge for static and rendered routes, Supabase for managed Postgres
  • Cloudflare in front of public endpoints for DNS, DDoS mitigation, and WAF
  • Daily encrypted backups with 30-day retention and quarterly restore drills
  • Infrastructure as code where applicable, change history retained

Monitoring and incident response

  • Centralised logging for application and access events
  • Alerting on anomaly patterns with named on-call ownership
  • Documented incident response plan with severity tiers and notification timelines
  • 72-hour confirmed-breach notification commitment to affected parties

Compliance posture

  • SOC 2 control library implemented across the holding; Type I report available on request once cohort thresholds are met
  • Privacy posture aligned with CCPA, CPRA, VCDPA, and GDPR
  • TCPA-aligned consent architecture across every outbound channel
  • Sub-processors documented at dinaholdings.com/legal/sub-processors

Report a vulnerability

We welcome responsible disclosure. Email dinaholdingsllc@gmail.com with the subject "Security Vulnerability" and include enough detail to reproduce the issue. We acknowledge within 2 business days and provide a remediation timeline within 10 business days. Our security.txt is available at /.well-known/security.txt. Researchers acting in good faith will not face legal action from Dina Holdings.

Request the security summary

Customers and prospective customers may request a one-page security summary suitable for procurement review by emailing the office.