How we treat security.

Source code is managed in private repositories with branch protections, mandatory reviews and automated checks before deployment.

We follow least-privilege access for our infrastructure. Production access is limited, audited and uses MFA.

Secrets are stored in encrypted secret managers (cloud-native or HashiCorp Vault) and never committed to source control.

Customer data is stored in regions chosen with you and encrypted at rest and in transit (TLS 1.2 or higher).

Backups are taken on schedules agreed with the customer, and tested for restorability.

We work with you to define data retention windows that meet your regulatory obligations.

We follow OWASP guidance for web applications and APIs.

Dependencies are scanned regularly for known vulnerabilities, and we patch them on a defined cadence.

For AI features, we apply prompt-injection mitigations, output validation and human-in-the-loop checkpoints where relevant.

For hardware deployments and AMCs, devices are provisioned with hardened firmware where supported.

Remote-access tooling is restricted to named operators and logged.

If a security incident affects you, we notify the customer point of contact promptly (within hours of confirmation), share what we know, and work with you on remediation.

We perform a post-incident review and share corrective actions.

If you believe you have found a vulnerability in this site or in a product we host for you, please contact us at sugowinnovation@gmail.com with a detailed description and steps to reproduce.

We commit to an acknowledgement within one business day and to keeping you informed throughout the remediation process. We will not pursue legal action against good-faith researchers.