NakafaNakafa
Sign inSign up

Security Policy

Last updated: January 26, 2026

This Security Policy describes the security measures PT. Nakafa Tekno Kreatif ("Nakafa," "we," "us," or "our") uses, and the measures we expect users to take, to help protect the confidentiality, integrity, and availability of the Services and related data.

For information about how we collect and use Personal Data, please review our Privacy Policy.

Scope

This Security Policy applies to the Services operated by Nakafa, including websites and applications hosted and supported through third-party providers.

This Security Policy does not cover the security practices of third parties you interact with directly outside the Services, even if those third parties are linked from the Services.

Security model and responsibilities

Security is a shared responsibility:

  • We are responsible for security measures within our control, including application design, access controls, monitoring, and incident response processes.
  • You are responsible for maintaining the security of your devices, accounts, and any credentials you use to access the Services.

Technical and organizational measures

We maintain a security program designed to reduce risk. Measures include the following categories.

Encryption in transit

We use HTTPS/TLS for data transmitted between your browser or client and the Services.

Access controls

We restrict access to production systems and data to authorized personnel and service accounts. We use access control practices designed to limit access based on job function and operational need.

Data storage and processing

We store and process data using managed infrastructure providers. Storage and processing protections depend on the provider and service configuration. We use provider security features and operational controls designed to protect stored data from unauthorized access.

Logging and monitoring

We collect logs and events necessary to operate and secure the Services. We use these logs to:

  • Detect abuse, suspicious activity, and operational incidents.
  • Debug reliability issues and respond to outages.
  • Investigate and remediate suspected security incidents.

Secure development and change management

We maintain development and deployment practices designed to reduce the risk of vulnerabilities, including reviewing changes, applying updates, and responding to security advisories for dependencies.

Third-party service security

The Services rely on third-party services. Their security practices and controls are important to the overall security of the Services. Our core third-party services include:

  • Vercel (hosting and delivery)
  • Convex (database and backend infrastructure)
  • Polar (payments and subscription management)
  • Resend (email delivery)
  • PostHog and Vercel Analytics (analytics)
  • Vercel AI Gateway (AI request routing)

Each third party may process data as part of providing the Services. For details about categories of data shared and purposes, review our Privacy Policy.

Vulnerability reporting

We encourage responsible disclosure of security vulnerabilities.

If you believe you have found a security vulnerability, contact us at nakafaai@gmail.com with the subject line “Security Report”.

To help us triage and respond, include:

  • A clear description of the issue and the affected area of the Services.
  • Steps to reproduce the issue.
  • Any proof-of-concept code or screenshots (if safe to share).
  • Your contact information for follow-up.

Do not include sensitive Personal Data in your report. Do not exploit the vulnerability beyond what is necessary to demonstrate it. Do not attempt to access data that is not your own.

Incident response and breach notifications

We maintain an incident response process designed to:

  • Contain and mitigate suspected incidents.
  • Assess scope and impact.
  • Restore service integrity and availability.
  • Notify affected users and relevant authorities when required by applicable law.

Notification timelines vary by jurisdiction and the nature of the incident. For example, if a security incident qualifies as a personal data breach under GDPR and notification is required, notification obligations may include reporting to a supervisory authority without undue delay and, where applicable, within 72 hours of becoming aware of the breach.

Account and user security

You can help protect your account by:

  • Using strong, unique credentials and keeping them confidential.
  • Keeping your devices and browsers updated.
  • Logging out of shared devices.
  • Reporting suspected compromise or unauthorized access promptly.

We may use security controls designed to reduce account compromise risk, such as tracking account sessions and device activity, and applying access restrictions when suspicious activity is detected.

Security updates

We may update this Security Policy from time to time to reflect changes in our security practices or legal requirements. Updates will be posted on this page with a revised “Last updated” date.

Contact

PT. Nakafa Tekno Kreatif
Taman Sukahati Permai H6
Kabupaten Bogor, Indonesia
Email: nakafaai@gmail.com