Security & Compliance

At Dope Menus, LLC ("Company," "we," "us," or "our"), security and compliance are foundational to everything we do. This Security & Compliance page outlines the technical and organizational measures we implement to protect your data, ensure platform integrity, and maintain compliance with applicable regulations governing Michigan's licensed cannabis industry.

We understand that cannabis businesses operate in a highly regulated environment with stringent security and compliance requirements. Our B2B collaborative platform (the "Platform" or "Services") is designed with security-first principles to safeguard sensitive business data, maintain regulatory compliance, and provide you with the tools needed to operate safely and legally.

IMPORTANT NOTICE: While we implement comprehensive security measures and maintain high standards, NO SYSTEM IS COMPLETELY SECURE. You acknowledge the inherent risks of electronic data transmission and storage. This document outlines our security practices but does not constitute a guarantee or warranty of absolute security.

2.1 Architecture and Design Principles

Our Platform is built on modern, secure cloud infrastructure using security-first design principles:

• Defense in Depth: Multiple layers of security controls to protect against various threat vectors
• Zero Trust Architecture: No implicit trust; continuous verification of users, devices, and network connections
• Least Privilege Principle: Users and systems are granted minimum necessary access rights
• Secure by Default: Security features are enabled by default, not opt-in
• Privacy by Design: Data protection considerations integrated into system architecture from the outset
• Separation of Concerns: Logical and physical isolation of components to limit blast radius of potential breaches

2.2 Cloud Infrastructure Providers

We leverage enterprise-grade cloud infrastructure from industry-leading providers:

• Amazon Web Services (AWS): Primary cloud hosting with SOC 2, ISO 27001, PCI DSS certifications
• Google Cloud Platform: Secondary infrastructure with redundancy and failover capabilities
• Vercel: Edge network and content delivery for performance and security
• Cloudflare: DDoS protection, Web Application Firewall (WAF), and CDN services

All infrastructure providers maintain their own comprehensive security programs, compliance certifications, and undergo regular third-party audits.

2.3 Data Center Security

Our cloud providers operate geographically distributed, physically secure data centers with:

• 24/7 physical security monitoring and access controls
• Multi-factor authentication for physical access
• Environmental controls (fire suppression, climate control, power redundancy)
• Biometric access controls and video surveillance
• Regular security audits and compliance assessments

3.1 Data Encryption in Transit

ALL data transmitted between your devices and our servers is encrypted using industry-standard protocols:

• TLS/SSL Encryption: TLS 1.2 or higher for all connections
• Perfect Forward Secrecy: Each session uses unique encryption keys
• Strong Cipher Suites: Only modern, secure encryption algorithms (AES-256, ChaCha20)
• Certificate Pinning: Protection against man-in-the-middle attacks
• HTTPS Enforced: All HTTP requests automatically redirected to HTTPS
• HSTS Headers: HTTP Strict Transport Security to prevent protocol downgrade attacks

3.2 Data Encryption at Rest

Data stored on our systems is encrypted to protect against unauthorized access:

• Database Encryption: AES-256 encryption for all database storage
• File Storage Encryption: Server-side encryption for all file uploads and documents
• Backup Encryption: All backups encrypted with AES-256 or equivalent
• Key Management: Secure key storage using Hardware Security Modules (HSMs) or cloud KMS
• Key Rotation: Regular rotation of encryption keys according to best practices

3.3 Password Security

User passwords are protected using industry-leading hashing algorithms:

• Bcrypt or Argon2: Adaptive hashing algorithms resistant to brute force attacks
• Salt and Pepper: Unique salts per password plus global pepper for additional protection
• Strong Password Requirements: Minimum length, complexity, and common password blacklist
• Password Breach Detection: Checking against known compromised password databases
• No Plain-Text Storage: Passwords are NEVER stored in plain text or reversible formats

3.4 Encryption Standards Compliance

Our encryption practices comply with or exceed:

• NIST (National Institute of Standards and Technology) guidelines
• FIPS 140-2 validated cryptographic modules where applicable
• GDPR and CCPA encryption requirements for personal data
• PCI DSS encryption standards for payment data

4.1 Multi-Factor Authentication (MFA)

We provide and encourage Multi-Factor Authentication for all user accounts:

• Available MFA Methods: Time-based One-Time Passwords (TOTP), SMS codes, authentication apps
• MFA Enforcement: Optional for standard users, required for administrators
• Backup Codes: Recovery codes provided in case of device loss
• Device Trust: Option to trust specific devices for reduced MFA prompts

4.2 Role-Based Access Control (RBAC)

Access permissions are managed through granular role-based controls:

• Predefined Roles: Owner, Administrator, Manager, User, Read-Only
• Custom Permissions: Fine-grained permissions for specific features and data
• Least Privilege: Users granted minimum necessary access for their role
• Separation of Duties: Critical operations require multiple approvals where appropriate
• Temporary Access: Time-limited access grants for contractors or temporary staff

4.3 Session Management

User sessions are managed securely to prevent unauthorized access:

• Session Timeout: Automatic logout after period of inactivity
• Concurrent Session Limits: Detection and management of multiple simultaneous logins
• Secure Session Tokens: Cryptographically secure, unpredictable session identifiers
• Token Rotation: Session tokens rotated periodically and on privilege elevation
• Logout Everywhere: Users can remotely terminate all active sessions

4.4 API Security

API access is secured through robust authentication and authorization mechanisms:

• API Keys: Unique, revocable API keys for programmatic access
• OAuth 2.0: Industry-standard authorization framework for third-party integrations
• Rate Limiting: API call limits to prevent abuse and DoS attacks
• IP Whitelisting: Optional restriction of API access to specific IP addresses
• Scoped Access: API keys with limited permissions for specific resources

5.1 Web Application Firewall (WAF)

Cloudflare WAF protects against common web application attacks:

• SQL injection prevention
• Cross-Site Scripting (XSS) protection
• Cross-Site Request Forgery (CSRF) prevention
• XML External Entity (XXE) attack mitigation
• Command injection blocking
• Directory traversal prevention
• OWASP Top 10 vulnerability protection

5.2 DDoS Protection

Cloudflare provides enterprise-grade DDoS mitigation:

• Automatic detection and mitigation of DDoS attacks
• Global Anycast network to absorb and disperse attack traffic
• Layer 3, 4, and 7 DDoS protection
• Bot management and mitigation
• Rate limiting and challenge pages for suspicious traffic

5.3 Secure Development Practices

We follow secure software development lifecycle (SDLC) practices:

• Secure Coding Standards: Adherence to OWASP guidelines and industry best practices
• Code Reviews: Mandatory peer review of all code changes
• Static Analysis: Automated security scanning of source code for vulnerabilities
• Dynamic Testing: Runtime security testing in staging environments
• Dependency Scanning: Regular scanning of third-party libraries for known vulnerabilities
• Security Training: Developers receive ongoing secure coding training

5.4 Vulnerability Management

We maintain a proactive vulnerability management program:

• Continuous vulnerability scanning of infrastructure and applications
• Patch management process with prioritization based on risk
• Critical vulnerabilities patched within 24-48 hours
• Regular review and remediation of identified vulnerabilities
• Tracking and verification of vulnerability remediation

6.1 Security Monitoring

We employ comprehensive security monitoring to detect and respond to threats:

• Security Information and Event Management (SIEM): Centralized logging and analysis
• Intrusion Detection Systems (IDS): Real-time detection of suspicious activities
• Anomaly Detection: Machine learning-based identification of unusual patterns
• Failed Login Monitoring: Detection of brute force and credential stuffing attacks
• Audit Logging: Comprehensive logging of security-relevant events
• 24/7 Monitoring: Continuous surveillance of security alerts and incidents

6.2 Incident Response Plan

We maintain a documented incident response plan that includes:

• Incident Classification: Severity levels and escalation procedures
• Response Team: Designated security incident response team with defined roles
• Containment: Procedures to isolate and contain security incidents
• Eradication: Steps to eliminate threats and vulnerabilities
• Recovery: Restoration of services and systems to normal operation
• Post-Incident Review: Analysis and lessons learned from each incident
• Communication Plan: Customer notification procedures for data breaches

6.3 Incident Response Timeline

Our target incident response timelines:

• Critical Incidents: Initial response within 1 hour, containment within 4 hours
• High Priority: Initial response within 4 hours, containment within 24 hours
• Medium Priority: Initial response within 24 hours
• Customer Notification: Within 72 hours for personal data breaches (GDPR requirement)

6.4 Threat Intelligence

We leverage threat intelligence to stay ahead of emerging threats:

• Subscriptions to threat intelligence feeds and security advisories
• Participation in industry security working groups and information sharing
• Monitoring of vulnerability databases (CVE, NVD, vendor advisories)
• Integration of threat intelligence into security monitoring systems

7.1 Penetration Testing

We conduct regular penetration testing by qualified third-party security firms:

• Frequency: Annual or semi-annual full-scope penetration tests
• Scope: Web application, APIs, infrastructure, and cloud environment
• Methodology: OWASP Testing Guide, PTES (Penetration Testing Execution Standard)
• Remediation: Critical findings addressed within 30 days, high priority within 90 days
• Retesting: Verification of remediation for critical and high findings

7.2 Security Audits

Regular security audits assess our security posture:

• Configuration audits of servers, databases, and cloud resources
• Access control reviews and user permission audits
• Policy and procedure compliance audits
• Third-party security assessments and vendor reviews

7.3 Vulnerability Assessments

Continuous and periodic vulnerability assessments include:

• Weekly automated vulnerability scans of infrastructure
• Monthly scans of web applications and APIs
• Quarterly network vulnerability assessments
• Ad-hoc scanning after major changes or updates

7.4 Bug Bounty and Responsible Disclosure

We welcome responsible disclosure of security vulnerabilities:

• Responsible disclosure policy for security researchers
• Dedicated security contact email (security@dopemenus.com)
• Acknowledgment and response to security reports within 5 business days
• Safe harbor for good-faith security research

See Section 12 for full vulnerability disclosure program details.

8.1 Backup Strategy

We maintain comprehensive data backup procedures:

• Backup Frequency: Continuous real-time replication plus daily snapshots
• Backup Types: Full, incremental, and differential backups
• Retention Period: Daily backups for 30 days, weekly for 90 days, monthly for 1 year
• Geographic Distribution: Backups stored in multiple geographic regions
• Encryption: All backups encrypted at rest (AES-256)
• Testing: Regular restoration tests to verify backup integrity

8.2 Disaster Recovery Plan

Our disaster recovery plan ensures business continuity:

• Recovery Time Objective (RTO): Target restoration time of 4-8 hours for critical services
• Recovery Point Objective (RPO): Maximum data loss of 1 hour for transactional data
• Failover Procedures: Automated and manual failover to backup systems
• Geographic Redundancy: Multi-region deployment with automatic failover
• Regular DR Drills: Quarterly disaster recovery exercises and testing

8.3 High Availability

Platform architecture includes high availability features:

• Load-balanced application servers across multiple availability zones
• Database replication and automatic failover
• CDN caching for static content and DDoS resilience
• Auto-scaling to handle traffic spikes
• 99.9% uptime target (excluding scheduled maintenance)

9.1 Employee Screening

All employees with access to customer data undergo:

• Background checks (where legally permitted)
• Reference verification
• Verification of identity and employment eligibility
• Signing of confidentiality and acceptable use agreements

9.2 Security Awareness Training

Comprehensive security training program for all personnel:

• Onboarding Training: Security fundamentals for all new employees
• Annual Training: Mandatory refresher training at least annually
• Role-Specific Training: Advanced security training for developers, ops team, support
• Phishing Simulations: Regular simulated phishing campaigns to test awareness
• Incident Response Training: Tabletop exercises and incident simulations

9.3 Access Management

Employee access to systems and data is strictly controlled:

• Principle of least privilege for all employee access
• Multi-factor authentication required for all employee accounts
• Regular access reviews (quarterly) and recertification
• Immediate revocation of access upon termination
• Just-in-time privileged access for sensitive operations

9.4 Confidentiality and Data Handling

All employees are bound by strict confidentiality obligations:

• Signed confidentiality and non-disclosure agreements (NDAs)
• Training on proper handling of sensitive and confidential information
• Prohibition on accessing customer data without business justification
• Data minimization - access only to data necessary for job functions
• Logging and auditing of all access to sensitive data

10.1 Michigan Cannabis Regulatory Compliance

We provide tools and features to support your compliance with Michigan cannabis laws:

• License Verification: Validation of Michigan Cannabis Regulatory Agency (CRA) licenses
• Metrc Integration: Seed-to-sale tracking integration with Michigan's Metrc system
• Audit Trails: Comprehensive logging for regulatory audits and inspections
• Record Retention: Data retention policies aligned with Michigan requirements (typically 7 years)
• Reporting Tools: Export and reporting functionality for regulatory filings

10.2 Metrc Integration Security

Our Metrc integration is designed with security and data integrity:

• Secure API credentials storage using encrypted key management
• Encrypted transmission of all Metrc data
• Data validation and integrity checks before Metrc submission
• Audit logging of all Metrc transactions and updates
• Error handling and reconciliation for failed submissions

10.3 Age Verification and Access Control

Platform features support age verification and access restrictions:

• Age verification (21+) for all user registrations
• License verification to ensure all users represent licensed businesses
• Access restrictions to prevent unlicensed access
• Compliance with Michigan cannabis advertising restrictions

10.4 Regulatory Reporting and Cooperation

We cooperate with regulatory authorities as required:

• Response to lawful requests from Michigan CRA
• Cooperation with regulatory investigations and audits
• Reporting of suspected violations or unlicensed activity
• Compliance with subpoenas, court orders, and legal process

11.1 Current Compliance Status

We strive to maintain industry-standard compliance certifications:

• SOC 2 Type II: Service Organization Control audit for security, availability, and confidentiality (in progress or planned)
• ISO 27001: Information Security Management System certification (planned)
• GDPR Compliance: General Data Protection Regulation compliance framework
• CCPA Compliance: California Consumer Privacy Act compliance measures

Note: Compliance status may vary based on business maturity and resources. Contact us for current certification status.

11.2 Framework Alignment

Our security practices align with recognized frameworks:

• NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover
• CIS Controls: Center for Internet Security Critical Security Controls
• OWASP: Open Web Application Security Project Top 10 and testing guide
• Cloud Security Alliance: Cloud Controls Matrix (CCM)

11.3 Third-Party Audits

We undergo regular third-party security assessments:

• Annual or semi-annual penetration testing by qualified firms
• Security audits and compliance assessments
• SOC 2 audits by licensed CPA firms (when applicable)
• Vendor security assessments and due diligence

11.4 Compliance Documentation

Upon request and under appropriate confidentiality agreements, we may provide:

• SOC 2 Type II reports (when available)
• Security questionnaires and assessments
• Penetration test summaries (redacted for sensitivity)
• Compliance documentation and attestations

12.1 Security Contact Information

For security-related inquiries, incident reports, or vulnerability disclosures, contact:

Dope Menus, LLC
Security Team
Email: security@dopemenus.com
B2B Collaborative Platform for Michigan's Cannabis Industry

For urgent security incidents, please mark your email subject line as "URGENT SECURITY INCIDENT" for priority handling.

12.2 Responsible Vulnerability Disclosure Program

We welcome responsible disclosure of security vulnerabilities. If you discover a security issue, please:

• Email security@dopemenus.com with details of the vulnerability
• Provide sufficient information to reproduce the issue
• Allow reasonable time for remediation before public disclosure
• Avoid accessing, modifying, or deleting data belonging to others
• Do not perform testing that could impact availability or data integrity

12.3 Disclosure Response Timeline

• Acknowledgment: Within 5 business days of report receipt
• Initial Assessment: Within 10 business days
• Remediation: Critical vulnerabilities within 30 days, high within 90 days
• Coordinated Disclosure: Public disclosure coordinated with researcher after remediation

12.4 Safe Harbor

We will not pursue legal action against security researchers who:

• Act in good faith and follow this responsible disclosure policy
• Report vulnerabilities responsibly and do not exploit them maliciously
• Do not access, modify, or delete data belonging to others
• Avoid degrading the user experience, disrupting systems, or destroying data

13.1 Security Limitations

WHILE WE IMPLEMENT COMPREHENSIVE SECURITY MEASURES, WE CANNOT GUARANTEE ABSOLUTE SECURITY:

• No system is completely immune to cyberattacks or security breaches
• Determined attackers with sufficient resources may exploit unknown vulnerabilities
• Social engineering and phishing attacks target users directly
• Insider threats and compromised credentials can bypass technical controls
• Zero-day vulnerabilities may exist in software or infrastructure

You acknowledge and accept the inherent risks of electronic data transmission, storage, and processing. See our Terms of Service for complete disclaimers and limitations of liability.

13.2 Your Security Responsibilities

Platform security is a shared responsibility. You are responsible for:

• Account Security: Maintaining confidentiality of passwords and credentials
• Strong Passwords: Using strong, unique passwords and enabling MFA
• Device Security: Securing devices used to access the Platform
• Network Security: Using secure networks (avoiding public WiFi for sensitive operations)
• User Training: Training your employees on security best practices
• Incident Reporting: Promptly reporting suspicious activity or security incidents
• Compliance: Ensuring your use of the Platform complies with applicable laws and regulations

13.3 No Warranty of Security

WE PROVIDE THE PLATFORM "AS IS" WITHOUT WARRANTIES REGARDING SECURITY. While we implement industry-standard security measures, we do not warrant or guarantee that the Platform will be free from security vulnerabilities, that your data will never be compromised, or that unauthorized access will never occur. You use the Platform at your own risk.