diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..5556d0b --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,32 @@ +# Security Policy + +This document outlines our procedures for reporting vulnerabilities and the security practices for **divine-thegraph-token-api**. + +## Supported Versions + +We actively maintain only the latest released version. Please upgrade to the newest release to receive security updates. + +## Reporting a Vulnerability + +If you believe you have found a security issue, please contact us before disclosing it publicly. + +- Create a [security advisory](https://github.com/codebydivine/token-api/security/advisories) on GitHub. +- Or email **security@divine.sh** (PGP available on request). + +We aim to respond within **3 business days**. During this time please keep the details confidential. We will work with you to validate and address the issue as quickly as possible. + +## Security Practices + +The project uses GitHub's security features: + +- **Dependabot** for dependency updates and vulnerability alerts. +- **CodeQL** analysis and static scans on every push. +- **Bandit**, **Safety**, and **Trivy** scans during CI workflows. + +## Disclosure Policy + +We request a 90‑day period to remediate validated vulnerabilities before any public disclosure. After a fix is released we will credit you in the release notes if desired. + +## Thank You + +We appreciate the community's help in keeping this project secure.
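Review bot: the repository name in the advisory link ("codebydivine/token-api") does not match the project name given in the intro ("divine-thegraph-token-api"), so please confirm the link resolves to this repository; a reporter following a dead advisory link is likely to fall back to a public issue. Two further gaps in the "Reporting a Vulnerability" section: "PGP available on request" means the first contact is unencrypted, so consider publishing the key fingerprint (or a link to the public key) directly in this file, and the policy gives no scope statement, so a short list of what is in scope (the API, its deployed endpoints, the CI configuration) and what is not would save triage time. In "Security Practices", the claims that Dependabot, CodeQL, Bandit, Safety and Trivy run "on every push" / "during CI workflows" are not verifiable from this file alone; linking the relevant workflow files under .github/workflows would let readers check that the scans named here actually exist. Finally, "Supported Versions" says only the latest release is maintained but names no version or tag; a small table with the supported version and its release date, or a pointer to the releases page, is the usual form and makes the statement actionable.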