Security & Responsible Disclosure

Psychpedia Establishment (Commercial Registration: 7053485384, Kingdom of Saudi Arabia) operates a continuous security program aligned with NCA (National Cybersecurity Authority) Essential Cybersecurity Controls and international best practices including the OWASP Top 10 and ISO 27001 principles.

Our security posture is built on three pillars: preventive controls (secure-by-default configuration, input validation, role-based access control), detective controls (real-time monitoring, anomaly detection, dependency scanning), and responsive controls (defined incident-response procedures, timely patching, breach notification obligations under the Saudi PDPL).

We follow a coordinated vulnerability disclosure model. If you discover a potential security vulnerability in Psychpedia, please disclose it to us privately before making any public disclosure. We commit to working with you in good faith to understand, verify, and remediate the issue promptly.

We ask that you:

• Report findings to security@psychpedia.com before any public disclosure.
• Give us reasonable time to respond and remediate before disclosing publicly.
• Avoid accessing, modifying, or deleting user data beyond what is necessary to demonstrate the vulnerability.
• Avoid automated scanning at a scale that could degrade service availability.
• Not exploit a vulnerability beyond the minimum necessary to confirm its existence.

To report a security vulnerability, email security@psychpedia.com with the following details:

1. Description: A clear description of the vulnerability and its potential impact.
2. Reproduction steps: Step-by-step instructions to reproduce the issue.
3. Affected component: URL, endpoint, or feature where the vulnerability exists.
4. Evidence: Screenshots, HTTP request/response captures, or a proof-of-concept — avoid sharing actual user data.
5. Suggested severity: Your assessment (Critical / High / Medium / Low / Informational).
6. Your contact details: So we can follow up with you.

We are committed to the following response timelines for valid security reports:

Timelines are best-effort targets and may vary based on issue complexity. We will communicate any delays proactively.

Psychpedia will not pursue legal action against security researchers who discover and report vulnerabilities in good faith in accordance with this policy. We consider good-faith research to include:

• Acting in accordance with all guidelines set out in this disclosure policy.
• Not accessing, modifying, or exfiltrating user data beyond what is strictly necessary to demonstrate the vulnerability.
• Not performing actions that could degrade platform availability (DoS).
• Reporting findings promptly and not exploiting them for personal gain.
• Not disclosing vulnerability details publicly before we have had a reasonable opportunity to remediate.

This safe harbor applies only to security research conducted in accordance with this policy and does not extend to malicious actors, unauthorized access for personal gain, or conduct that violates applicable law beyond the minimum necessary for research purposes.

Psychpedia does not store, process, or transmit cardholder data on its own systems. All payment card transactions are handled exclusively by Moyasar, our PCI-compliant payment processor. Psychpedia receives only non-sensitive payment metadata (subscription status, last-four digits, card brand, billing address) necessary for subscription management.

Our production environment is designed with defence-in-depth principles: