Security Policy

How WedgewoodAI protects your data across all our services and sub-domains.

Last updated: 14 June 2026

Scope

This Security Policy applies to wedgewoodai.com and all services, applications, and sub-domains operated under this domain, including:

  • caddiechat.wedgewoodai.com — CaddieChat
  • aurashop.wedgewoodai.com — AuraShop
  • aurakinai.wedgewoodai.com — AuraKin AI
  • aurabiz.wedgewoodai.com — AuraBiz AI

All services are hosted on shared infrastructure provided by Abacus.AI. Security measures apply uniformly across all sub-domains.

Our Security Measures

Encryption in Transit

HSTS + TLS

All data transmitted between your browser and our servers is encrypted using HTTPS/TLS. We enforce HTTP Strict Transport Security (HSTS) with a 1-year max-age, including all sub-domains, and are preload-ready.

Content Security Policy

CSP

We deploy a strict Content Security Policy (CSP) that controls which scripts, styles, images, and frames can load on our pages. This prevents cross-site scripting (XSS) attacks and unauthorised code injection.

Authentication & Access Control

2FA + bcrypt

Administrative access requires email/password authentication with bcrypt-hashed passwords, plus mandatory Two-Factor Authentication (TOTP) compatible with Microsoft Authenticator, Google Authenticator, and other apps.

Input Validation & Sanitisation

XSS Prevention

All user inputs are sanitised to strip HTML tags, control characters, and potential injection payloads. Data is HTML-escaped before rendering. Email addresses, field lengths, and content types are strictly validated.

Rate Limiting & Brute Force Protection

Rate Limiting

All public-facing forms and authentication endpoints implement rate limiting to prevent brute force attacks and spam. The contact form allows 5 requests per minute; admin login allows 10 attempts per 15 minutes per IP address.
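A per-IP sliding-window limiter that enforces the two limits quoted above, as an added example and not the site's own implementation. The policy objects carry the stated numbers (5 per minute, 10 per 15 minutes); the injectable clock, the deque-per-key storage and the constructed traffic sample are assumptions made for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class RateLimitPolicy:
    limit: int             # maximum requests allowed inside the window
    window_seconds: float  # length of the sliding window


# The two limits stated in the policy text.
CONTACT_FORM = RateLimitPolicy(limit=5, window_seconds=60)
ADMIN_LOGIN = RateLimitPolicy(limit=10, window_seconds=15 * 60)


class SlidingWindowLimiter:
    """Per-key sliding window: a request is allowed only while fewer than `limit`
    requests from the same key (e.g. client IP) fall inside the last `window_seconds`."""

    def __init__(self, policy: RateLimitPolicy, clock=time.monotonic):
        self.policy = policy
        self.clock = clock                # injectable so tests are deterministic
        self._hits = defaultdict(deque)   # key -> timestamps of in-window requests

    def _prune(self, key: str, now: float) -> deque:
        q = self._hits[key]
        cutoff = now - self.policy.window_seconds
        while q and q[0] <= cutoff:
            q.popleft()                   # forget hits that have left the window
        return q

    def allow(self, key: str) -> bool:
        now = self.clock()
        q = self._prune(key, now)
        if len(q) >= self.policy.limit:
            return False                  # over the limit: answer HTTP 429 and log it
        q.append(now)
        return True

    def retry_after(self, key: str) -> float:
        """Seconds until the oldest in-window hit expires (0 if under the limit)."""
        now = self.clock()
        q = self._prune(key, now)
        if len(q) < self.policy.limit:
            return 0.0
        return q[0] + self.policy.window_seconds - now


def simulate(policy: RateLimitPolicy, events):
    """Replay (timestamp, key) events and return the allow/deny decision for each."""
    current = [0.0]
    limiter = SlidingWindowLimiter(policy, clock=lambda: current[0])
    decisions = []
    for ts, key in events:
        current[0] = ts
        decisions.append(limiter.allow(key))
    return decisions


if __name__ == "__main__":
    # Constructed traffic: 7 contact-form posts from one address in the same second,
    # then one more a minute later once the window has slid past the burst.
    burst = [(0.0, "203.0.113.7")] * 7 + [(61.0, "203.0.113.7")]
    print(simulate(CONTACT_FORM, burst))
```

Denied requests are the "excessive requests" the Monitoring section says are logged; `retry_after` gives the value for a `Retry-After` response header.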

Security Headers

Defence in Depth

Every response includes security headers: X-Content-Type-Options (nosniff), X-XSS-Protection, Referrer-Policy (strict-origin-when-cross-origin), Permissions-Policy (blocking camera, microphone, geolocation), Cross-Origin-Opener-Policy, and Cross-Origin-Resource-Policy.
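A response-header audit that checks a set of headers against the commitments in this section and in "Encryption in Transit" (one-year HSTS with includeSubDomains and preload, strict CSP, nosniff, the stated Referrer-Policy, the three blocked Permissions-Policy features, the two Cross-Origin headers, and no X-Powered-By). This is an added example, not the site's deployment config; the CSP strings, the `'unsafe-inline'` check and the two constructed header sets are assumptions chosen to illustrate the checks. Note for practitioners that current browsers ignore X-XSS-Protection; the CSP is the control that actually matters for script injection, which is why the audit inspects it rather than the legacy header.

```python
HSTS_MIN_MAX_AGE = 31_536_000  # one year, as stated in the policy

# Headers the policy commits to, keyed by lower-cased name. None = presence only.
EXPECTED_HEADERS = {
    "content-security-policy": None,
    "x-content-type-options": "nosniff",
    "referrer-policy": "strict-origin-when-cross-origin",
    "permissions-policy": None,
    "cross-origin-opener-policy": None,
    "cross-origin-resource-policy": None,
}
BLOCKED_PERMISSIONS = ("camera", "microphone", "geolocation")
HEADERS_TO_REMOVE = ("x-powered-by",)


def parse_directives(value: str) -> dict:
    """'max-age=31536000; includeSubDomains; preload' -> {'max-age': '31536000',
    'includesubdomains': '', 'preload': ''}  (names lower-cased, values kept)."""
    out = {}
    for part in value.split(";"):
        part = part.strip()
        if part:
            name, _, val = part.partition("=")
            out[name.strip().lower()] = val.strip()
    return out


def audit_headers(headers: dict) -> list:
    """Return human-readable findings; an empty list means the response matches the policy."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("HSTS header missing")
    else:
        d = parse_directives(hsts)
        try:
            max_age = int(d.get("max-age", "0"))
        except ValueError:
            max_age = 0
        if max_age < HSTS_MIN_MAX_AGE:
            findings.append(f"HSTS max-age {max_age} is below one year")
        if "includesubdomains" not in d:
            findings.append("HSTS lacks includeSubDomains")
        if "preload" not in d:
            findings.append("HSTS lacks preload (not preload-ready)")

    for name, expected in EXPECTED_HEADERS.items():
        value = h.get(name)
        if value is None:
            findings.append(f"{name} missing")
        elif expected is not None and value.strip().lower() != expected:
            findings.append(f"{name} is '{value}', expected '{expected}'")

    # A CSP that allows inline scripts does not stop injected <script> from running.
    for directive in h.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0] in ("script-src", "default-src") and "'unsafe-inline'" in tokens:
            findings.append(f"CSP {tokens[0]} allows 'unsafe-inline'")

    perms = h.get("permissions-policy", "").replace(" ", "")
    for feature in BLOCKED_PERMISSIONS:
        if f"{feature}=()" not in perms:
            findings.append(f"Permissions-Policy does not block {feature}")

    for name in HEADERS_TO_REMOVE:
        if name in h:
            findings.append(f"{name} present (reveals the server stack)")
    return findings


# Constructed header sets: one that satisfies the policy and one with typical gaps.
COMPLIANT = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains; preload",
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; object-src 'none'; frame-ancestors 'none'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Cross-Origin-Opener-Policy": "same-origin",
    "Cross-Origin-Resource-Policy": "same-origin",
}
WEAK = {
    "Strict-Transport-Security": "max-age=86400",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer-when-downgrade",
    "Permissions-Policy": "camera=()",
    "X-Powered-By": "Express",
}

if __name__ == "__main__":
    print(audit_headers(COMPLIANT))  # []
    for finding in audit_headers(WEAK):
        print("-", finding)
```

Running the audit against a live response (for example the headers returned by `curl -sI`) is a quick way to confirm that a deployment still matches the checklist further down this page after a platform or framework change.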

Bot & Spam Prevention

Our contact form employs multiple layers of protection against automated abuse:

  • Honeypot fields — Hidden form fields that trap bots attempting to fill in every input
  • Math CAPTCHA — A simple arithmetic challenge that humans solve easily but blocks scripted submissions
  • Content-Type enforcement — Requests must be valid JSON to be processed
  • Field length limits — Inputs are capped at reasonable lengths (name: 200, email: 254, subject: 300, message: 5,000 characters)
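The server-side half of the form protections listed above, together with the sanitisation and HTML escaping described under "Input Validation & Sanitisation", as an added example rather than the site's own handler. The four length caps are the ones stated on this page; the honeypot field name `website`, the challenge format, the e-mail pattern and the constructed submissions are assumptions for the example.

```python
import html
import json
import re
import secrets
import unicodedata

# Field caps as stated in the policy text.
MAX_LENGTHS = {"name": 200, "email": 254, "subject": 300, "message": 5000}
HONEYPOT_FIELD = "website"       # assumed field name: hidden by CSS, must stay empty
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")
TAG_RE = re.compile(r"<[^>]*>")


def new_math_challenge(rng=secrets):
    """Issue a small arithmetic question; the server keeps the answer server-side
    (e.g. in the session) and passes it to validate_contact on submission."""
    a, b = rng.randbelow(10) + 1, rng.randbelow(10) + 1
    return f"What is {a} + {b}?", a + b


def sanitise(value: str) -> str:
    """Strip HTML tags and control characters (newline and tab kept), then trim.
    Tag stripping is a coarse filter; the HTML escaping below is the real XSS control."""
    value = TAG_RE.sub("", value)
    value = "".join(ch for ch in value
                    if ch in "\n\t" or unicodedata.category(ch)[0] != "C")
    return value.strip()


def validate_contact(content_type: str, raw_body: bytes, expected_answer: int):
    """Return (ok, errors, cleaned). `cleaned` holds HTML-escaped values that are
    safe to render; it is empty whenever validation fails."""
    # Content-Type enforcement: anything but JSON is rejected before parsing.
    if content_type.split(";")[0].strip().lower() != "application/json":
        return False, ["content-type must be application/json"], {}
    try:
        data = json.loads(raw_body)
    except ValueError:
        return False, ["body is not valid JSON"], {}
    if not isinstance(data, dict):
        return False, ["body must be a JSON object"], {}

    # Honeypot: browsers leave the hidden field empty; bots tend to fill every input.
    if data.get(HONEYPOT_FIELD):
        return False, ["honeypot filled"], {}

    errors = []
    # Math CAPTCHA: the submitted answer must match the one issued with the form.
    try:
        if int(str(data.get("captcha", "")).strip()) != expected_answer:
            errors.append("captcha answer incorrect")
    except ValueError:
        errors.append("captcha answer missing")

    texts = {}
    for name, cap in MAX_LENGTHS.items():
        raw = data.get(name)
        text = sanitise(raw) if isinstance(raw, str) else ""
        if not text:
            errors.append(f"{name} is required")
            continue
        if len(text) > cap:
            errors.append(f"{name} exceeds {cap} characters")
        texts[name] = text

    if "email" in texts and not EMAIL_RE.match(texts["email"]):
        errors.append("email is not valid")

    cleaned = {k: html.escape(v) for k, v in texts.items()}
    return not errors, errors, cleaned if not errors else {}


if __name__ == "__main__":
    question, answer = new_math_challenge()
    # Constructed submission: a bot that filled the honeypot is rejected outright.
    bot = json.dumps({"name": "x", "website": "http://spam.example", "captcha": answer}).encode()
    print(question, validate_contact("application/json", bot, answer))
```

The honeypot and Content-Type checks return early and cheaply, before any parsing of field content, so they also help the rate-limited endpoint shed automated traffic.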

Monitoring & Logging

We maintain comprehensive security logging across all services:

  • Access logging — All administrative actions, login attempts (successful and failed), and security events are logged with timestamps and IP addresses
  • Email alerts — Real-time notifications are sent to administrators on login, emergency shutdown events, and user management actions
  • Rate limit monitoring — Excessive requests are logged for review and blocked to protect service availability
  • Failed authentication tracking — Failed login attempts, invalid TOTP codes, and non-authorised email domains are all recorded

Cookie & Tracking Consent

We respect your privacy through our consent-first approach:

  • Consent-gated advertising — Google AdSense scripts and advertising cookies are only loaded after explicit user consent
  • Essential cookies only by default — Without consent, only cookies necessary for site operation are used
  • Transparent disclosure — Our Privacy Policy details every cookie type and its purpose

API Security

External API endpoints used by our applications are protected by:

  • API key authentication — All inter-service API calls require a valid API key in the request header
  • Input validation — Required fields are verified and data types are enforced
  • Application-level access control — Emergency shutdown capability allows instant access revocation per-application or globally

Infrastructure & Platform

Our services run on the Abacus.AI platform which provides:

  • Managed hosting with automatic security patches
  • Isolated application environments
  • Automated SSL/TLS certificate management
  • DDoS protection at the infrastructure level

Security Checklist

  • HTTPS/TLS encryption on all domains
  • HSTS with preload across all sub-domains
  • Strict Content Security Policy (CSP)
  • X-Content-Type-Options: nosniff
  • XSS Protection headers
  • Referrer-Policy: strict-origin
  • Permissions-Policy (camera/mic/geo blocked)
  • Cross-Origin-Opener-Policy
  • Cross-Origin-Resource-Policy
  • X-Powered-By header removed
  • upgrade-insecure-requests enforced
  • bcrypt password hashing
  • Two-Factor Authentication (TOTP)
  • JWT httpOnly/secure cookies
  • Admin domain restriction
  • Rate limiting on all public endpoints
  • Input sanitisation & HTML escaping
  • Honeypot & CAPTCHA on forms
  • API key authentication
  • Comprehensive access logging
  • Real-time email security alerts
  • Emergency app shutdown capability
  • Cookie consent with gated tracking
  • Admin panel hidden from search engines

Reporting Security Vulnerabilities

We take security seriously. If you discover a vulnerability in any of our services, we ask that you disclose it responsibly:

How to report:

Email: [email protected]

Please include:

  • A description of the vulnerability and its potential impact
  • Steps to reproduce the issue
  • The affected service or sub-domain
  • Your contact information for follow-up

Our commitment: We will acknowledge your report within 48 hours and provide an estimated timeline for resolution. We will not take legal action against security researchers who report vulnerabilities responsibly.

Security is a shared responsibility

While we implement comprehensive security measures, we encourage users to protect their accounts by using strong passwords and enabling Two-Factor Authentication when available.