Security policy

Last updated: 2026-05-08 · Version 1.3

1. Information security management

AI Warden operates an information security programme aligned to ISO/IEC 27001:2022 and the Trust Services Criteria for SOC 2. Certification is in progress; current status is published on the Security overview.

2. Governance & ownership

• The CEO is the executive owner of information security.
• A named Security Lead owns the programme day-to-day, reports monthly to the leadership team, and quarterly to the board.
• Risk register and policy library are reviewed at least annually and after material change.

3. People

• Background checks proportionate to role and jurisdiction, including criminal record, employment verification, and right-to-work checks.
• Mandatory security and privacy training at onboarding and annually thereafter, with role-specific training for engineering, security, and customer-facing teams.
• Confidentiality obligations in every employment contract; obligations survive termination.

4. Access control

• Identity-rooted, least-privilege access. No standing local accounts on production systems.
• Multi-factor authentication mandatory for all employee accounts; phishing-resistant factors for privileged access.
• Quarterly access reviews; off-boarding within one business day; emergency revocation within one hour.
• Privileged actions require four-eyes approval and are recorded in the immutable audit log.

5. Cryptography

• TLS 1.3 in transit. AES-256 at rest with customer-managed keys via KMS or HSM.
• Per-tenant key separation. Annual key-rotation drills; emergency rotation tested twice a year.
• Crypto inventory maintained; any deprecated algorithm is replaced before its sunset date.

6. Software development lifecycle

• Two-person review on every change. Mainline-only branching with signed merges.
• SAST and dependency scanning on every commit; container images signed with cosign; SBOM published per release.
• Secure-by-default settings; secrets never in source; secret scanning on push and in CI.

7. Vulnerability management

• Continuous dependency scanning; vendor advisories triaged within one business day.
• Critical vulnerabilities remediated within 7 days, high within 30 days, medium within 90 days.
• Annual external penetration test plus quarterly third-party red-team against the LLM and MCP firewalls.
• Coordinated disclosure programme with credit and a 14-day high-severity SLA.

8. Logging & monitoring

• Hash-chained audit log for every administrative and data-affecting action.
• Tamper-evident export to customer-controlled SIEM where applicable.
• 24/7 alerting with on-call rotation; investigated within published SLAs.

9. Resilience & backup

• RPO 15 minutes, RTO 60 minutes for the multi-tenant offering. Self-hosted commitments per Order Form.
• Encrypted, geographically separated backups. Restore tested at least quarterly.
• Disaster-recovery plan reviewed annually; chaos exercises against staging twice a year.

10. Incident response

• Documented incident-response plan with severity matrix and named roles.
• Customer notification of confirmed personal data breaches within 72 hours; security incidents per Order Form.
• Post-incident review and remediation plan published to affected customers.

11. Third-party risk

• All sub-processors are security-reviewed before onboarding and annually thereafter.
• Current sub-processors and their purposes are listed in the DPA.
• Sub-processor change notifications at least 30 days before they take effect.

12. Physical security

AI Warden production systems run in cloud data centres operated by sub-processors meeting equivalent ISO 27001, SOC 2, or higher controls. AI Warden does not operate any physical data-centre footprint of its own.

13. Compliance

This policy supports and does not displace contractual obligations under the DPA or the Master Subscription Agreement. In case of conflict, the contractual obligation prevails.

14. Contact

Security enquiries: security@aiwarden.com · PGP key on /.well-known/pgp.txt.