{ "version": "2026-06-06", "owner": "FamilyCase.AI Security", "objective": "Define launch security controls for FamilyCase.AI website, private AI messaging, Platform integration, auth entry points, demo forms, and future upload workflows.", "threat_categories": [ { "name": "Data leakage", "mitigations": [ "tenant isolation", "RBAC", "encryption in transit", "encryption at rest", "audit logs", "analytics field masking", "no public model training" ] }, { "name": "Unauthorized access", "mitigations": [ "MFA", "session controls", "IP monitoring", "default deny authorization", "admin approval workflow", "account disablement" ] }, { "name": "Malicious uploads", "mitigations": [ "virus scanning", "sandboxing", "content validation", "file type restrictions", "size limits", "quarantine workflow" ] }, { "name": "AI misuse", "mitigations": [ "output monitoring", "rate limits", "abuse detection", "human review requirements", "source citations", "confidence indicators", "legal advice disclaimer" ] } ], "website_security_headers": [ "Content-Security-Policy", "Strict-Transport-Security", "X-Content-Type-Options", "X-Frame-Options", "Referrer-Policy", "Permissions-Policy" ], "forbidden_behavior": [ "Do not submit customer case materials to public consumer AI tools.", "Do not use customer case materials to train public AI models.", "Do not collect privileged case facts in marketing forms.", "Do not hardcode secrets in the website.", "Do not enable uploads without scanning, sandboxing, and content validation.", "Do not publish fake testimonials, reviews, certifications, or benchmarks." ], "required_reviews": [ "security review", "legal review", "accessibility review", "analytics privacy review", "Platform claim review", "executive signoff" ], "evidence_files": [ "/auth-contract.json", "/monitoring-contract.json", "/platform-api-contracts.json", "/openapi.json", "/cms-content-model.json", "/measurement-contract.json", "/.well-known/security.txt" ] }