Security Commitment

Last Updated: May 15, 2025

At Alephic, trust is earned through transparency, rigor, and continuous improvement. In alignment with SOC 2 Type 2: Information & Communication, we publicly communicate our security commitments, controls, and assurance programs below. This statement represents our comprehensive security commitment for the custom AI-powered tools we build and maintain for our clients.

1. Governance & Oversight

  • Security Leadership: Our executive leadership team sponsors and directs our information security program.
  • Policy Lifecycle: Formal review and approval of all security policies and procedures, such as Access Management, Incident Response, and Change Management, occur at least annually or following significant organizational or threat landscape changes.
  • Metrics & Reporting: Our Information Security Team reviews security performance metrics, including vulnerabilities, incidents, and training completion, quarterly.

2. Asset Management & Classification

  • Inventory: All systems, applications, and data stores are inventoried and assigned an owner.
  • Data Classification: We classify data by sensitivity (Public, Internal, Confidential, Restricted) and apply controls accordingly.
  • Asset Handling: Procedures for data labeling, storage, transmission, and disposal follow our Data Handling Standard.

3. Access Management

  • Least Privilege: Access rights are granted strictly on a need-to-know basis, enforced via Role-Based Access Control (RBAC).
  • Authentication: Multi-Factor Authentication (MFA) is mandatory for all interactive and service accounts.
  • Credential Vaulting: All credentials, API keys, and secrets are centrally managed, rotated regularly, and audited in our secure vault.

4. Infrastructure & Network Security

  • Network Segmentation: Client environments and corporate systems are logically isolated using firewalls and VPC segmentation.
  • Encryption in Transit & At Rest: TLS 1.2+ for all network communications; AES-256 encryption for data at rest across all storage systems.
  • Endpoint Security: Host-based intrusion detection and automated patch management ensure all servers and workstations remain up to date.

5. Secure Development & Change Management

  • Secure Coding Standards: Development adheres to OWASP Top 10 guidelines; static and dynamic analysis run on every build.
  • Peer Reviews & Approvals: Every code change requires peer review and sign-off from the Security team before merging.
  • Change Control: Documented change requests, impact analysis, client notifications for major changes, and rollback procedures for production deployments.

6. Vendor & Third-Party Risk

  • Due Diligence: Vendors are classified by risk and vetted against SOC 2, ISO 27001, or equivalent reports.
  • Contractual Security Clauses: Standardized security and privacy provisions embedded in all vendor agreements.
  • Continuous Monitoring: Annual reassessment of vendor security posture and immediate review following any material security incident.

7. Vulnerability Management & Testing

  • GitHub Advanced Security: Integrated SAST, dependency, and secret scanning via GitHub Advanced Security in our CI/CD pipelines, with high-priority findings triaged and remediated within 30 days of detection.
  • Bug Bounty: Continuous incentive-based program for responsibly disclosing security vulnerabilities.

8. Monitoring, Logging & Alerting

  • Centralized Logging: Aggregation of all system, application, and access logs in a tamper-evident SIEM, retained per our Data Retention Policy.
  • 24/7 Monitoring & Alerting: Real-time threat detection via automated alerts against defined thresholds and anomaly patterns.
  • Incident Triage: Alerts trigger predefined playbooks and automatic notifications to our Incident Response team.

9. Incident Response & Business Continuity

  • Incident Response Plan: Documented roles, communication channels, and escalation paths for security incidents and breaches.
  • Exercises & Drills: Annual tabletop exercises and periodic live simulations to validate response effectiveness.
  • Backup & Recovery: Automated backups in geographically diverse regions, RTO ≤ 1 business day, RPO near-zero via continuous replication.

10. Security Awareness & Training

  • Onboarding Training: Comprehensive security and privacy training for all new hires, including contractors.
  • Ongoing Education: Quarterly security awareness modules and annual phishing simulations with targeted follow-up training.
  • Policy Attestations: Annual reaffirmation of security policies by all employees.

11. Privacy & Data Protection

  • Privacy by Design: We integrate data privacy principles into all development lifecycles and adhere to GDPR, CCPA, and other applicable regulations.
  • Data Minimization: Collection and retention of personal data limited to what is strictly necessary for service delivery.
  • Subject Rights: Processes to support data subject requests (access, correction, deletion) within regulatory timelines.

12. Physical & Environmental Security

  • Data Centers: Client data and applications hosted in Tier III+ data centers with 24/7 surveillance, access controls, and environmental controls.
  • Device Management: Encryption, inventory, and secure disposal of end-user devices per our Asset Disposal Standard.

13. Transparency & Communication

  • Security Commitment URL: This full policy is published at https://alephic.com/policies/security-commitment for clients, auditors, and stakeholders.
  • Updates & Notifications: Material changes, audit results, and policy revisions are communicated to clients via email and posted on the Security Commitment page.

For questions, feedback, or audit requests regarding our security program, please contact security@alephic.com.


Changelog

  • May 15, 2025: first version.