EaseApps Security Policy

Last Updated: July 14, 2025
Operating Company: FireLaunch LLC

1. Introduction

EaseApps is a platform service operated by FireLaunch LLC that enables users to publish and utilize mini-applications developed by developers. We prioritize the protection of all users, developers, and data on our platform. This policy outlines our commitment to security and the measures we implement to provide a safe service for all users.

2. Core Security Principles

2.1 Zero Trust Security Model

• Verify all access and implement access control based on the principle of least privilege
• Treat all communications as untrusted, whether internal or external
• Implement multi-layered defense through continuous monitoring and authentication

2.2 Data Minimization Principle

• Collect and store only the minimum necessary data
• Clearly limit collection purposes and prohibit use for any other purposes
• Appropriate deletion and lifecycle management of unnecessary data

2.3 Transparency and Accountability

• Continuous improvement and disclosure of security measures
• Rapid response and appropriate notification in case of incidents
• Regular security audits and assessments

3. Technical Security Measures

3.1 Infrastructure Security

Firebase Security

• Authentication: Multi-factor authentication (MFA) support through Firebase Authentication
• Database: Fine-grained access control through Firestore Security Rules
• Storage: Secure management and encryption of Firebase Storage
• Hosting: HTTPS enforcement and secure delivery through Firebase Hosting

Encryption

• Data Transmission: Use of TLS 1.3 or higher for all communications
• Data Storage: Encryption at rest in Firestore (AES-256)
• Sensitive Information: Proper management of environment variables and service account keys

3.2 Application Security

Input Validation and Sanitization

• Strict validation of all user inputs
• Protection against XSS, SQL injection, and other attacks
• Safety checks for YAML definition files

API Security

• Authentication via Firebase ID Tokens
• Rate limiting and DDoS attack protection
• API access log monitoring and analysis

Content Security Policy (CSP)

• Strict CSP headers to prevent XSS attacks
• Resource loading only from trusted sources
• Restriction of inline script execution

3.3 Payment Security

Stripe Integration

• PCI DSS compliant payment processing
• No storage of card information (delegated to Stripe)
• Webhook signature verification to prevent tampering
• Encryption and secure transmission of payment data

Fraud Prevention

• Detection of abnormal payment patterns
• Chargeback and fraud protection measures
• Regular payment system audits

4. Application Review and Content Security

4.1 App Publication Review

Automated Security Checks

• Detection of malicious code patterns
• Scanning for known vulnerable libraries
• Resource usage limit verification

Manual Review

• Application behavior verification
• Security policy compliance confirmation
• Verification of proper user data handling

4.2 Continuous Monitoring

Runtime Protection

• Detection of abnormal behavior during application execution
• Monitoring and limiting resource consumption
• Detection and defense against unauthorized access attempts

Threat Intelligence

• Collection and analysis of new threat information
• Rapid application of security patches
• Regular updates to incident response plans

5. Privacy and Data Protection

5.1 Personal Information Handling

Data Classification

• Personal Identifiable Information: Encryption and strict access control
• Usage Statistics Data: Anonymization and pseudonymization processing
• Application Data: Usage restrictions and retention period settings

Access Control

• Access permission only for minimum necessary personnel for business purposes
• Recording and auditing of all access logs
• Regular review of access permissions

5.2 Data Localization

• Clear specification of data storage locations (primarily Japan and Asia-Pacific region)
• Appropriate protection measures for cross-jurisdictional data transfers
• Compliance with data protection laws of each country (GDPR, Personal Information Protection Act, etc.)

5.3 User Rights Protection

• Guarantee of data portability rights
• Implementation of deletion rights (right to be forgotten)
• Ensuring transparency in data usage purposes

6. Incident Response

6.1 Incident Response Structure

24-Hour Monitoring

• Continuous anomaly detection through security monitoring systems
• Automatic alert systems and emergency response procedures
• Immediate incident response team mobilization structure

Response Flow

1. Detection: Initial response through automatic monitoring systems or reports
2. Analysis: Impact scope identification and urgency assessment
3. Containment: Immediate measures to prevent damage escalation
4. Eradication: Root cause removal and restoration to normal state
5. Recovery: Complete system recovery and enhanced monitoring
6. Lessons Learned: Post-incident analysis and recurrence prevention planning

6.2 Information Disclosure

User Notification

• For incidents affecting personal data: Notification within 72 hours
• System failures or service outages: Real-time status updates
• Critical security updates: Advance notification and application schedule publication

Authority Reporting

• Appropriate reporting to authorities based on legal requirements
• Necessary notifications to Personal Information Protection Committee and other relevant bodies
• Information sharing with industry organizations and related entities

7. Third-Party Service Integration Security

7.1 Vendor Management

Security Assessment

• Security evaluation of all third-party service providers
• Requirement for regular security audits
• Specification of security requirements in Service Level Agreements (SLA)

Key Partners

• Firebase/Google Cloud: ISO 27001, SOC 2 compliant
• Stripe: PCI DSS Level 1 certified
• Vercel/CDN: Appropriate security configuration and monitoring

7.2 API Integration Security

• Proper authentication and encryption in communications with third-party APIs
• Secure management of API keys and secrets
• Regular review of external service dependencies

8. Developer Security Guidelines

8.1 App Development Security

Secure Coding

• Mandatory implementation of input validation
• Prohibition of hardcoding sensitive information
• Recommendation to use latest security libraries

Data Handling

• Request for minimum necessary data access
• Appropriate encryption of user data
• Prohibition of recording sensitive information in logs

8.2 Vulnerability Management

Vulnerability Reporting System

• Vulnerability reporting contact for security researchers
• Promotion of Responsible Disclosure
• Appropriate rewards and recognition for reporters

Security Updates

• Regular provision of security patches
• Rapid update distribution based on urgency
• Immediate notification system for developers

9. Compliance and Certification

9.1 Legal Compliance

Domestic Laws

• Personal Information Protection Act: Appropriate handling of personal information
• Unauthorized Computer Access Law: System protection measures
• Cybersecurity Basic Act: Consideration for national security

International Standards

• GDPR: Protection of EU resident data
• CCPA: Response to California Consumer Privacy Act
• ISO 27001: Information Security Management System

9.2 Industry Standards

• OWASP: Compliance with Web Application Security Guidelines
• NIST: Adoption of Cybersecurity Framework
• CIS Controls: Implementation of Critical Security Controls

10. Security Education and Awareness

10.1 Internal Education

Regular Training

• Security awareness training for all employees
• Specialized security training for developers
• Regular sharing of latest threat trends

Phishing Protection

• Regular simulated phishing training
• Security incident response training
• Fostering security culture and continuous improvement

10.2 User Education

Security Guides

• Guidance on secure password setup methods
• Recommendation to enable multi-factor authentication
• How to identify phishing scams

Developer Resources

• Secure app development guidelines
• Best practices for vulnerability countermeasures
• Introduction to security tools and verification methods

11. Auditing and Continuous Improvement

11.1 Regular Audits

Internal Audits

• Quarterly security framework reviews
• Annual comprehensive security assessments
• Regular updates to security policies

External Audits

• Security audits by independent third parties
• Regular penetration testing
• Maintenance of security certifications and accreditations

11.2 Continuous Improvement

Metrics Management

• Tracking security incident occurrence rates
• Measuring and improving vulnerability response times
• User security satisfaction surveys

Response to Technological Innovation

• Security evaluation when introducing new technologies
• Consideration of introducing AI and machine learning for threat detection
• Phased implementation of Zero Trust architecture

12. Contact Information

Security Inquiries

• General Security Questions: Please contact us through the support form
• Vulnerability Reports: security@easeapps.com (dedicated contact)
• Emergency Contact: 24-hour emergency contact system established

Bug Bounty Program

We encourage responsible vulnerability disclosure and appropriately recognize security researchers who contribute to improving our security.

Company Information

FireLaunch LLC
Website: https://firelaunch.net/

---

Important Notes

• This policy is regularly reviewed and may be updated
• Important changes will be notified to users in advance
• The latest version of the policy is always available on this website

Disclaimer While we sincerely implement the measures described in this policy, we do not guarantee the complete elimination of all security risks. We also ask users to implement appropriate security measures.