Last reviewed: 2026-05-26 · Version 1.0
Quick summary: ChinaSiteReady is a small, focused
engineering team. We don’t pretend to be SOC 2-certified or
ISO 27001-certified yet, and we’re honest about that below.
What we do bring is a clear data-flow, a small set of well-known
providers, defensible defaults, and a willingness to answer security
questionnaires in writing.
Data we hold
The Service mirrors and operates static informational pages of your
website. We hold:
- Customer Materials — copies of the pages, images, fonts, and text you ask us to mirror, plus any brand or domain authorizations and corporate documents you provide.
- Operational logs — request URLs, IP addresses, timestamps, response codes, error traces. Used for monitoring, debugging, and PRC regulatory compliance. Typically retained 30–90 days.
- Communications — emails, contact-form submissions, and project notes.
The Service is intended for static informational marketing content.
We do not accept transmission of personal data of natural persons,
payment data, health data, financial data, or biometric data through
the Service unless a separate Data Processing Agreement is signed
(see DPA).
Where data is stored
The Service is delivered on AWS infrastructure. Production hosting
can be in:
- AWS Global — for your existing global website (which we don’t touch).
- AWS China (operated by Sinnet/NWCD) — for the China Mirror Site that we serve to mainland China visitors.
The exact region for your project is documented in the project plan and depends on your selected ICP Deployment Path.
Marketing-site analytics (this very site) flows to PostHog Cloud in
the US region.
Encryption
- In transit: all customer-facing traffic is served over HTTPS with TLS 1.2 or higher. We disable TLS 1.0 and 1.1, RC4, and known-broken ciphers. HSTS is enabled where the customer’s domain ownership permits it.
- At rest: all storage uses AWS S3 Server-Side Encryption (SSE-S3) by default; Customer Materials sit on encrypted volumes. Backups are encrypted using AWS-managed keys.
- Secrets: deployment secrets and API tokens are stored in AWS Secrets Manager (or equivalent China-region secret stores when running on AWS China), never in source control. Access is logged.
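As an added illustration (not ChinaSiteReady's own code), the following Python shows one way to express the transport policy stated above as a server-side TLS context and to audit a TLS configuration and an HSTS header against it. The cipher string and the one-year HSTS max-age threshold are this example's assumptions, not values from the page.

```python
import ssl

# Policy from the page: TLS 1.2 or higher, TLS 1.0/1.1 off, RC4 and
# known-broken ciphers off, HSTS on. The cipher string and the one-year
# HSTS max-age threshold below are this example's own assumptions.
BANNED_CIPHER_MARKERS = ("RC4", "DES", "MD5", "NULL", "EXPORT", "ANON")
HSTS_MIN_MAX_AGE = 31536000  # one year (assumed threshold)
CIPHER_STRING = ("ECDHE+AESGCM:ECDHE+CHACHA20:DHE+AESGCM"
                 ":!aNULL:!eNULL:!MD5:!RC4:!3DES:!DES:!EXPORT")

def build_server_context(certfile=None, keyfile=None):
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2  # rejects TLS 1.0 / 1.1
    ctx.set_ciphers(CIPHER_STRING)  # governs TLS 1.2 suites; 1.3 suites are separate
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx

def audit_tls_policy(min_version, cipher_names):
    # Returns a list of findings; an empty list means the config meets the policy.
    findings = []
    if min_version < ssl.TLSVersion.TLSv1_2:
        findings.append(f"minimum protocol {min_version.name} is below TLS 1.2")
    for name in cipher_names:
        if any(marker in name.upper() for marker in BANNED_CIPHER_MARKERS):
            findings.append(f"weak cipher enabled: {name}")
    return findings

def audit_context(ctx):
    # Audit what a live SSLContext would actually negotiate.
    return audit_tls_policy(ctx.minimum_version,
                            [c["name"] for c in ctx.get_ciphers()])

def parse_hsts(header_value):
    # Parse a Strict-Transport-Security value into {directive: value or True}.
    directives = {}
    for part in header_value.split(";"):
        part = part.strip()
        if part:
            name, has_value, value = part.partition("=")
            directives[name.strip().lower()] = value.strip().strip('"') if has_value else True
    return directives

def hsts_findings(header_value, min_max_age=HSTS_MIN_MAX_AGE):
    if header_value is None:
        return ["Strict-Transport-Security header missing"]
    max_age = parse_hsts(header_value).get("max-age")
    if not isinstance(max_age, str) or not max_age.isdigit():
        return ["max-age directive missing or malformed"]
    if int(max_age) < min_max_age:
        return [f"max-age {max_age} is below {min_max_age}"]
    return []
```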
Access controls
- Production access is limited to engineers working on your project. Access is granted on a least-privilege basis.
- All production access requires multi-factor authentication.
- Access to the AWS root account is restricted, MFA-protected, and audited.
- Customer-side credentials (e.g., DNS provider tokens, CMS credentials) are accepted only via secure exchange and stored in our secret store; they are not retained beyond the engagement unless explicitly required.
Network
- Origin compute runs in private VPC subnets with security-group egress controls.
- Public traffic is fronted by AWS CloudFront (or equivalent in China) with WAF rules enabled for OWASP Top 10 categories.
- Administrative endpoints are not public.
Monitoring & incident response
- We monitor uptime and synthetic page checks for every production property we operate. On-call notification goes to the on-shift engineer via email; severe incidents are paged.
- Audit logs of access to production are retained.
- If we become aware of a security incident affecting your Customer Materials, we will (a) investigate, (b) take containment steps, and (c) notify you in writing without undue delay. We aim to give an initial notification within seventy-two (72) hours of confirming a material incident, and to follow up with a fuller post-incident report.
Backups & continuity
- Mirror site assets are versioned in source control and re-buildable at any time from the source.
- Operational logs and analytics are backed up to durable AWS storage tiers.
- For long-running customer engagements, recovery objectives are documented in the project plan and adapted to the customer’s actual content-update cadence.
Vulnerability management
- OS images are updated on a defined cadence; security patches are tracked.
- Application dependencies are pinned and reviewed before upgrade.
- We do not currently run a public bug-bounty program. Coordinated disclosure: please email chinasiteready@autoinfra.cn with the subject “Security disclosure”. We acknowledge in writing within 5 business days.
Compliance posture — honest version
- We are not currently SOC 2 or ISO 27001 certified. Independent third-party certification is on our medium-term roadmap; we don’t set a hard date because we will only do it once we believe we can pass cleanly.
- We do file ICP records under PRC requirements for any China-region deployment, when applicable. See How it works § ICP-compliant deployment for the path options and our role.
- We respond in good faith to security questionnaires (including the standard SIG / CAIQ formats) at no additional charge for current and active customers.
- We can sign a mutual NDA before any deeper diligence call.
Penetration testing
We do not currently engage an external penetration tester on a fixed
schedule. For larger engagements, we are happy to coordinate with a
customer’s preferred third-party tester at the customer’s
expense, scoped to the China Mirror Site we operate. Internal tests
using standard scanners are run periodically.
Service providers we rely on
We aim to keep our list of external service providers small and
well-known. As of today: AWS (Global and AWS China for hosting and
CDN), PostHog (analytics for our marketing site only), and standard
operational tools. Customers can request the current list and
locations as part of due-diligence before signing.
Data Processing Agreement
For customers who require a DPA before signing, our standard DPA is
available at DPA. We can also accept a
customer’s preferred DPA template on a case-by-case basis.
Contact
Security and compliance inquiries:
chinasiteready@autoinfra.cn.
We typically respond within five business days.