Security Policy

Last updated: August 12th, 2024

1. Roles of the Parties

Autodm AI maintains an information security program designed to safeguard its systems, data, Autodm AI's Services and Customer Data (including Customer Personal Data). Autodm AI commits to implementing reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of data submitted by Customer. This Addendum describes the information security program and security standards that Autodm AI maintains with respect to the Services and the handling of Customer Data and Customer Personal Data. Customer is responsible for reviewing the information made available by Autodm AI in this Addendum and for making an independent determination as to whether the Security Measures meet Customer's requirements and legal obligations under Data Protection Laws.

2. Updates to Security Measures

Customer acknowledges that the Security Measures are subject to technical progress and evolution and that Autodm AI may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

3. Security Measures description

3.1. Security Measures description

  • Data Hosting and Backups: Customer Data is hosted by Google Cloud Platform ("GCP") and Redis Cloud, which are SOC 2, ISO 27001 and ISO 27018 compliant, and CockroachDB, which is SOC 2, ISO 27001 and ISO 27017 compliant. Automated backups of all Customer Data and system data are enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data, and are monitored and alerted on.
  • Encryption at rest: Customer Data is encrypted at rest using AES-256. Customer Data is encrypted when at rest in cloud storage and databases, and in backups.
  • Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.
  • Data erasure: Autodm AI customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Autodm AI customers have the ability to request data deletion when the data is not subject to regulatory or legal retention requirements.
  • Physical security: Autodm AI leverages GCP to host its application, and defers all data center physical security controls to GCP, which documents those controls publicly.

3.2. Application security

  • Code analysis: Autodm AI performs code reviews on all software updates, including threat modeling and security design review.
  • Credential management: Autodm AI assigns cryptographic keys to specific roles based on the principle of Least Privilege for access. Usage of keys is monitored and logged.
  • Vulnerability & patch management: Autodm AI performs vulnerability scanning and package monitoring on infrastructure-related hosts and its product continuously, patching externally- and internally-facing services regularly. Issues that are discovered are triaged and resolved according to their severity within Autodm AI’s environment.
  • Web Application Firewall (WAF): All public endpoints leverage a managed Web Application Firewall to deter attempts to exploit common vulnerabilities.

3.3. Security profile

  • Data Access Level: Internal. Autodm AI employees will only ever access your data for the purposes of debugging/troubleshooting or recovering content with your permission.
  • Third Party Dependence: Available at www.autodm.ai/sub-processor-list
  • Hosting: Third-Party. Autodm AI is hosted on GCP, a major cloud service provider. GCP is one of Autodm AI’s Sub-Processors.

3.4. Employee security and access control

  • Employee training: Security training is required during the employee onboarding process, and annually thereafter.
  • HR security: Autodm AI performs background checks on employees when they are hired when required by local laws and regulations.
  • Incident response: Autodm AI has an incident management plan which contains steps to be prepared for incident management, incident identification, containment, investigation, eradication, recovery, and follow-up/postmortem that is reviewed regularly.
  • Internal assessments: Internal security audits are performed regularly.
  • Internal SSO and Password Security:
    - Multi-factor authentication (MFA) is required for all Autodm AI employees to log into Autodm AI’s principal identity provider, Google.
    - Autodm AI requires MFA to be enabled for any and all systems that provide the option for MFA. When MFA is not possible, Autodm AI maintains a stringent internal password management policy, including complexity and length requirements.
    - Autodm AI requires that employees utilize a third-party password manager.
  • Data access: Autodm AI internally leverages the principle of Least Privilege for access. Access is granted based on job function, business requirements, and a need-to-know basis. Access reviews are conducted regularly to confirm that continued access to critical systems is still required.
  • Logging and monitoring: Autodm AI uses a third-party system for log ingestion and automated logging and alerting capabilities. Logs are ingested from critical systems, and alerting rules are used to ensure security event alerts are generated where and when necessary.