Security Addendum

Version 2026-02-18

Applicability

This addendum applies where referenced in a paid plan, order form, or written contract.

Provider: RumaanAI Limited (DIFC Registered Number 12380).

1. Shared Responsibility

Reserv.Now is responsible for platform security controls in hosted infrastructure and managed service components. Customer is responsible for account governance, endpoint hardening, user lifecycle controls, and lawful use.

This shared responsibility model means that the overall security posture depends on both parties fulfilling their respective obligations.

2. Organizational Security Controls

  • role-based access control and least-privilege internal access;
  • change controls for production deployments and schema changes;
  • operational logging for security and reliability events;
  • incident response and post-incident remediation workflow;
  • periodic review of access permissions and service configurations;
  • secure development lifecycle practices including code review and dependency management.

3. Authentication and Access

Access to administrative functions is restricted to authorized personnel. Customer account controls (owner/admin/staff permissions) are enforced by application role boundaries and Row Level Security (RLS) at the database layer.

End-user authentication uses email-based one-time passcodes (OTP), so no user passwords are stored and the risks associated with stored passwords are eliminated. Session tokens are issued with limited lifetimes and can be revoked.

4. Encryption

  • In transit: all data transmitted between clients and the Service is protected using TLS 1.2 or higher. HTTP Strict Transport Security (HSTS) is enforced with a minimum 2-year max-age;
  • At rest: all persistent data (database, backups, file storage) is encrypted using AES-256 or equivalent through managed infrastructure encryption;
  • Secrets management: API keys, tokens, and credentials are stored in environment-level secret stores, never in source code or client-accessible locations.

5. Infrastructure Security

The Service is deployed on managed cloud infrastructure with the following controls:

  • application hosting via Vercel (edge network with automatic DDoS mitigation);
  • database and authentication via Supabase (managed PostgreSQL with RLS enforcement);
  • security response headers including X-Frame-Options, X-Content-Type-Options, Referrer-Policy, and Permissions-Policy;
  • rate limiting on public-facing API endpoints to prevent abuse.

6. Vulnerability and Patch Management

Reserv.Now applies risk-based remediation for vulnerabilities and dependency updates. Critical vulnerabilities are prioritized for expedited mitigation.

  • Critical/High severity: remediation target within 7 days of identification;
  • Medium severity: remediation target within 30 days;
  • Low severity: addressed in next scheduled maintenance cycle.

7. Monitoring, Detection, and Logging

Service telemetry, logs, and audit trails are used for anomaly detection, abuse prevention, debugging, and compliance operations.

  • application and API request logs (retained up to 24 months);
  • authentication and access event logs;
  • billing and subscription change audit trails;
  • error tracking and performance monitoring;
  • cron job execution and health-check logs.

8. Incident Response

Reserv.Now maintains incident response procedures covering triage, containment, investigation, communication, and recovery.

For confirmed incidents materially impacting customer data confidentiality, integrity, or availability:

  • initial notification to affected customers within 72 hours of confirmed breach identification;
  • notification will include: nature of the incident, data categories affected, estimated scope, and remedial actions taken or planned;
  • follow-up communication as the investigation progresses, including root cause analysis where available;
  • notification timelines may be extended where required by law enforcement or legal constraints.

9. Backups and Resilience

Production workloads rely on managed infrastructure resiliency features and backup mechanisms:

  • automated daily database backups with point-in-time recovery capability;
  • backup data encrypted at rest and stored in geographically separated locations;
  • backup retention period: up to 30 days;
  • recovery timelines depend on incident type, data volume, and platform constraints.

10. Data Deletion and Account Termination

Upon account termination or deletion request:

  • active application data is marked for deletion within 30 days of the termination effective date;
  • data may persist in encrypted backups for up to 30 additional days before automatic purge;
  • certain data may be retained longer where required by law, regulation, or legitimate business interest (such as billing records for tax compliance);
  • data export may be requested prior to termination by contacting support@reserv.now.

11. Subprocessors

Reserv.Now uses subprocessors for infrastructure, data storage, email, monitoring, and payment operations. Subprocessors are selected based on their operational and security posture.

A current list of subprocessors is maintained in the Privacy Policy (Section 7). Material changes to subprocessors will be communicated with reasonable advance notice.

12. Security Assessments and Audit Rights

Reserv.Now will provide reasonable cooperation with customer security assessments, subject to the following:

  • customers may request a summary of Reserv.Now's security posture and controls (no more than once per year);
  • penetration testing of Reserv.Now systems requires prior written authorization and a mutually agreed scope and timeline;
  • where independently audited security reports or certifications become available, they will be provided upon request under NDA.

13. Customer Security Obligations

  • enforce strong account credential practices and role hygiene;
  • keep endpoint devices and browsers updated and secured;
  • promptly revoke access for staff members who leave the organization;
  • report suspected compromise promptly to security@reserv.now;
  • avoid uploading malware or unlawful content;
  • not share OTP codes, session tokens, or account credentials with unauthorized parties.

14. Legal Context

For DIFC-regulated processing, parties should align with DIFC Data Protection Law No. 5 of 2020 (as amended) and applicable regulations. Where operations fall outside DIFC, applicable UAE federal data protection requirements (Federal Decree-Law No. 45 of 2021) may also apply.

15. Limitations

No system can guarantee absolute security. This addendum summarizes control posture and does not create warranties beyond governing contract terms. Security measures are continuously evaluated and updated as threats, technologies, and regulatory requirements evolve.

16. Contact

Security inquiries and incident reports: security@reserv.now