Trust ยท Security

Security at Iedeo

How we secure customer data, code, infrastructure, and the AI models we deploy. Updated quarterly with our security posture.

Last updated: May 19, 2026 ยท Security contact: [email protected] ยท security.txt

1. Application security

  • Encryption in transit: TLS 1.3 with HSTS preload for all customer-facing endpoints
  • Encryption at rest: AES-256 for databases, object storage, backups
  • Customer-managed keys (CMK): available via AWS KMS for enterprise customers
  • Input validation: server-side validation on every endpoint; prepared statements for SQL; parameterized queries for vector / search
  • Output encoding: context-aware encoding (HTML, JSON, SQL) to prevent injection at sink
  • Authentication: SSO via SAML or OIDC for enterprise customers; MFA required for all Iedeo personnel
  • Authorization: Role-based access control (RBAC) with documented role definitions and quarterly review
  • Session management: Short-lived JWTs with rotation; secure, HTTP-only cookies; CSRF tokens on state-changing endpoints

2. Infrastructure security

  • Cloud: AWS, Azure, GCP โ€” primary AWS. Per-customer VPC isolation for enterprise tenants.
  • Network: private subnets for data services; VPC endpoints for AWS APIs; no public ingress for databases or LLM endpoints
  • Secrets management: AWS Secrets Manager or HashiCorp Vault; no secrets in code or environment files
  • Infrastructure as code: Terraform or CloudFormation; peer-reviewed in pull requests; CI-validated before apply
  • Patching: base images rebuilt and deployed within 7 days of upstream critical CVE
  • Logging and monitoring: centralized logging (CloudWatch / Datadog); alerting on anomalous access, error spikes, latency regressions
  • Backup and disaster recovery: daily incremental, weekly full; tested quarterly; RPO 24 hours, RTO 4 hours for most workloads

3. AI / LLM security

AI applications introduce specific attack surfaces. We design every deployment with the OWASP LLM Top 10 in mind:

  • Prompt injection: input filtering + structured output enforcement + privileged-tool isolation
  • Insecure output handling: output sanitisation before passing to downstream systems
  • Training data poisoning: only authenticated training datasets; provenance tracked per record
  • Model denial of service: rate limits, cost ceilings per tenant, circuit breakers on hallucination loops
  • Supply chain vulnerabilities: model checksum verification, dependency scanning, signed model artifacts
  • Sensitive information disclosure: PII redaction in prompts and logs; per-tenant data isolation
  • Insecure plugin design: tool calls scoped per agent; explicit permission for state-changing actions; audit log on every tool invocation
  • Excessive agency: human approval gates for high-impact actions during pilots; principle of least privilege for tool scopes
  • Overreliance: confidence scores surfaced to users; clear escalation paths to human
  • Model theft: rate limits, fingerprinting, watermarking, contract terms forbidding extraction

4. Personnel security

  • Background checks on all personnel with customer data access
  • Confidentiality agreements with HIPAA-equivalent obligations for personnel handling PHI
  • Annual security training โ€” phishing, secure development, AI-specific risks
  • Workstation security: full-disk encryption, password manager required, MFA on all internal accounts
  • Termination procedures: immediate access revocation, asset return checklist

5. Secure software development lifecycle

  • Threat modelling for every new customer-facing feature (STRIDE)
  • Mandatory peer code review with security checklist
  • SAST in CI: ESLint security rules, Bandit (Python), Semgrep custom rules
  • SCA in CI: dependency vulnerability scanning, license compliance checks
  • Container image scanning before deploy
  • Annual external penetration test; internal scans quarterly
  • Bug bounty program planned โ€” currently invite-only with security researcher network

6. Incident response

  1. Detect โ€” alerting on anomalies, customer reports, vulnerability disclosures
  2. Triage within 1 hour of detection; severity assigned
  3. Contain โ€” isolate affected systems, revoke compromised credentials, block IPs
  4. Notify โ€” affected customers within 24 hours of confirmed incident
  5. Investigate โ€” root cause analysis with timeline of events
  6. Remediate โ€” patch, harden, validate
  7. Report โ€” written incident report within 7 days, sanitised version published in our incident log
  8. Learn โ€” blameless post-mortem; controls updated to prevent recurrence

For confirmed personal data breaches under GDPR / DPDP / HIPAA, statutory notification timelines apply (72 hours to authorities, additional notification to data subjects as required).

7. Vulnerability disclosure

If you have identified a security vulnerability in Iedeo systems, please report it responsibly.

  • Contact: [email protected] โ€” please include reproduction steps
  • Encryption: PGP key available at /.well-known/pgp-key.txt (placeholder โ€” generated key live by Q2 2026)
  • Response SLA: acknowledge within 1 business day; triage within 3 business days; remediation timeline based on severity
  • Safe harbour: Good-faith research is welcomed. We will not pursue legal action against researchers who follow responsible disclosure: report privately, allow reasonable time to remediate (typically 90 days), do not exfiltrate customer data beyond proof of vulnerability.
  • Recognition: Researchers credited (with consent) on our hall-of-fame; eligible vulnerabilities receive a bounty payment.
  • Out of scope: denial-of-service attacks against production, social engineering of Iedeo personnel, physical security tests.

8. Compliance & audits

  • SOC 2: Type I targeted Q3 2026, Type II Q1 2027. Architecture aligned to Trust Services Criteria today.
  • ISO 27001: under consideration for 2027.
  • HIPAA: architectural alignment for US healthcare deployments; we sign BAAs. See HIPAA Architecture.
  • GDPR / UK GDPR / DPDP: Active compliance per engagement. See GDPR.
  • External penetration test: annual (last: Dec 2025; next: Sep 2026). Reports under NDA.
  • Internal vulnerability scans: quarterly; remediation tracked to closure.

9. Sub-processors

A current list of sub-processors with access to customer data is maintained as part of our GDPR documentation. Customers receive 30 days advance notice of any change, with the right to object.

Procurement reviewing Iedeo?

Email [email protected] for our full vendor security packet โ€” architecture diagrams, sub-processor list, BCP/DR plan, latest pen-test summary, and audit-log samples.

Request Security Packet