# Security Policy
# https://securitytxt.org/ (RFC 9116)

Contact: mailto:security@ocolta.com
Expires: 2027-02-07T00:00:00.000Z
Preferred-Languages: en
Canonical: https://ocolta.com/.well-known/security.txt

# Policy
We take security seriously. If you discover a vulnerability, please report it responsibly.

# Scope
- ocolta.com and all subdomains
- API endpoints at api.ocolta.com
- Document upload and processing systems

# Out of Scope
- Social engineering attacks
- Denial of service attacks
- Spam or phishing unrelated to our platform

# Response
We aim to acknowledge reports within 48 hours and provide a fix timeline within 7 days.

# Recognition
We credit researchers who report valid vulnerabilities (with permission).