This page documents the security policies formally adopted by ISMS Copilot 2.0 as part of our Information Security Management System (ISMS). These policies support our compliance with ISO 27001, SOC 2, and ISO 42001 standards and reflect our commitment to responsible AI development and data protection.
These policies guide our internal operations and technical implementation. For details about how we protect your data in practice, see our Security & Data Protection Overview.
Access Control Policy
We protect access to our systems and data through strict authentication and authorization controls.
Authentication & Authorization
Multi-factor authentication (MFA) is mandatory for all users accessing critical services
Access privileges are granted following the principle of least privilege
Unique identified accounts are required for all production access, no shared credentials
Employee access privileges are reviewed quarterly to ensure alignment with current roles
Password managers are used by all team members to secure credentials and API keys
Session Management
Session duration limits and re-authentication requirements are enforced
Secure connections via TLS are required for all production access
Database access is restricted to internal networks only
Access Lifecycle
Access provisioning is checked for role fit before granting permissions
Employee offboarding follows documented procedures with account disablement within 24 hours
Emergency access is provided via break-glass accounts with mandatory logging and post-event review
Our row-level security architecture ensures complete data isolation between customer accounts, preventing unauthorized access even within our infrastructure.
Asset Management Policy
We maintain comprehensive inventory and protection of all company assets, from employee devices to proprietary knowledge bases.
Device Security
Automatic screen lock is configured on all employee devices
Encryption at rest protects sensitive data on team devices
Software updates are maintained automatically to reduce vulnerability exposure
Anti-malware software and configured firewalls protect against threats
Mobile Device Management (MDM) enforces security policies across devices
Supported operating systems only: devices must run OS/software with active vendor support
Data Handling
Removable storage devices are prohibited for company data
Secure erasure is required before any device is sold, transferred, or disposed
Approved tasks only employee devices are restricted to authorized business use
Secure physical locations are required when accessing company data remotely
Asset Inventory
Asset tracking maintains systematic inventory of all company assets including proprietary knowledge bases and source code
Annual reviews ensure inventory accuracy and relevance
Secure disposal processes protect decommissioned assets from data leakage
AI System Resources
AI lifecycle resources are identified and documented (LLM providers, RAG architecture components)
Data resources for AI systems are documented (proprietary KB)
Tooling resources are documented (Semgrep, Sentry)
Computing resources are documented (Vercel, Supabase infrastructure)
Business Continuity, Backup & Recovery Policy
We maintain resilience through documented disaster recovery procedures and automated backup systems.
Disaster Recovery
Disaster Recovery Plan (DRP) is maintained, approved by management, and updated annually
Recovery objectives define RTO (Recovery Time Objectives) and RPO (Recovery Point Objectives) for all critical systems
Annual testing validates disaster recovery procedures
Annual reviews assess business continuity and redundancy strategies, especially after major changes like AI provider additions
Backup Requirements
Continuous backups of production databases protect customer chat histories and uploaded files, point in time recovery activated
7-day retention minimum for backups
Encryption for all backups at rest and in transit via Supabase encryption
Restricted access to backup systems with comprehensive logging and monitoring
Bi-annual restoration testing validates backup integrity and recovery procedures
Annual failover validation for redundancy and multi-region recovery mechanisms
Data Management Policy
We handle data with strict controls aligned to GDPR and data protection best practices.
Data Lifecycle
Data inventory classification system categorizes all data (Public, Internal, Confidential, Secret)
Secure deletion upon formal request or after retention period expiration, supporting GDPR rights
Data minimization—only data necessary for defined purposes is collected and retained
Lawful processing grounds documented (consent, contract, legal obligation, legitimate interests)
Records of processing activities document purposes, data categories, recipients, retention periods, and security measures
Encryption & Transport
TLS 1.2 minimum (ideally 1.3) for all external HTTP services via Vercel
HSTS headers on production web applications prevent protocol downgrade attacks
AES-256 encryption at rest for all production databases via Supabase
AI Data Management
Data acquisition logging tracks source details for proprietary knowledge base content
Data provenance tracking throughout the AI lifecycle ensures traceability in our RAG architecture
Version control and access logs manage data for AI system development
Data quality checks against set criteria before use in AI systems
Approved preparation methods standardize RAG processing for consistent compliance guidance
Data Protection Rights
Data subject rights (access, deletion, correction) are fulfilled within legally required GDPR timelines
Secure disposal for decommissioned assets storing sensitive data
Backup protection—backups follow same encryption, retention, and access rules as production data
For comprehensive details on our data handling practices, see our Data Privacy & GDPR Compliance documentation.
Secure Development Policy
We build security into our development lifecycle from code commit through production deployment.
Source Code Protection
Create a dedicated branch for any new development
Protected default branches prevent force pushes to production code repositories
Pull request requirements—no direct commits to protected branches
Mandatory code review and approval before merge
Standardized commit messages improve traceability and audit capability
Security Testing
Automated tests execute for each commit and pull request before merge
Secret scanning automatically detects exposed credentials via Semgrep
Dependency vulnerability scanning on all third-party libraries via Semgrep SCA
Container image scanning before deployment (when applicable)
DAST (Dynamic Application Security Testing) on staging environments
SAST (Static Application Security Testing) via Semgrep on all code changes
Deployment blocking when critical or high-severity vulnerabilities are detected
Annual penetration testing on production systems
Development Workflow
Don't work on new features whill key bugs still affect users
Feature-specific branches for isolated development and testing
Staging environment mirrors production for pre-production testing
Local testing required before committing to shared branches
Documented SDLC (Software Development Lifecycle) guides development processes
Issue tracking system for reporting and tracking product bugs
Security scanning performs code review identifies security issues
Unit and integration tests required for all critical business logic
Security Controls
Security linters (ESLint) prevent insecure coding patterns in TypeScript
Automated deployments follow repeatable, secure procedures via Vercel
Continuous deployment pipelines for approved code changes
VCS access follows least privilege with mandatory MFA
Credential rotation procedures execute immediately upon detection of leaked credentials
Secure vaults manage secrets in CI/CD and development environments
Activity logging in Version Control Systems (GitHub audit logs)
Application Security
CORS policies properly configured to restrict unauthorized access
CSP headers (Content Security Policy) prevent XSS and injection attacks
Cookie security—HttpOnly and Secure flags via Supabase Auth
CSRF protection on all state-changing operations
Certificate pinning for critical API connections
Error message security—internal errors handled by Sentry, not exposed to users
SQL injection protection via parameterized queries and ORMs in Supabase PostgreSQL
XSS protection through input sanitization and output encoding
Input validation for type, format, length, and range before processing
Rate limiting on critical endpoints (authentication, AI queries)
Webhook security via signature verification and authentication
Data Protection in Code
No plaintext passwords—encryption at database row level
Supported dependencies only—no outdated or unsupported libraries in production
Externalized configuration—no hardcoded secrets in application code
Version-controlled migrations for database schema changes
No sensitive logging—credentials and PII never logged
Memory-safe languages (TypeScript) preferred for new development
Licensing & Compliance
Licensed software only—properly licensed, approved, and paid-for tools required
No copyleft licenses (GPL v3) to protect proprietary code
Automated license checking in CI/CD pipelines via Semgrep
Change communication to internal stakeholders and external users for major updates
Quality assurance processes for all production releases
Our Semgrep integration automatically scans every code change for vulnerabilities, exposed secrets, and license compliance issues before deployment.
Secure Infrastructure Policy
Our cloud-native infrastructure implements defense-in-depth with automated security controls.
Network Security
Web Application Firewall (WAF) protection via Vercel for all internet-facing applications
Encrypted protocols only (TLS, SSH) for all external connections
Network segmentation isolates production, staging, and development environments in serverless architecture
Firewall rules configured with least privilege (deny-by-default) via Vercel
DDoS protection enabled for internet-facing resources via Vercel
TLS 1.2 minimum for all encrypted communications
Direct TLS preferred over STARTTLS for encrypted connections
DNSSEC enabled for managed DNS zones to prevent DNS spoofing
Email authentication (DKIM, SPF, DMARC) configured for outbound email domains
Infrastructure Management
Infrastructure as Code (IaC) manages Vercel configurations for repeatability
Centralized logging via Sentry for all infrastructure components
Auto-scaling configured via Vercel to maintain availability during traffic spikes
Automated alerting for security incidents and anomalous behavior via Semgrep and Sentry
Database replication and automatic failover for critical databases via Supabase Enterprise
Root account restrictions—IAM least privilege, root not used for day-to-day operations
Audit trails enabled (Supabase logs) and monitored for compliance
Architecture documentation maintained and reviewed annually
System Hardening
Disk encryption enabled on all storage volumes at rest via Supabase
Rootless containers where applicable to reduce privilege escalation risks
Automated security patches in serverless environment
Critical patches applied within 7 days, standard patches within 30 days
Supported OS only receiving active security updates (ensured by Vercel serverless)
LTS versions for production stability
NTP synchronization for accurate log timestamps
Quarterly credential rotation for infrastructure credentials (API keys, tokens)
Access & Authentication
Secure vaults (cloud KMS) for cryptographic key storage
Bastion hosts for administrative access to production infrastructure
Least privilege access via IAM controls
VPN/SSH/cloud-native secure access required for production infrastructure
Service accounts with limited privileges for automated processes
Automated certificate management via Vercel (Let's Encrypt)
Certificate expiration monitoring with alerts at 30, 14, and 7 days before expiry
Compliance
Data residency controls for EU customers (AWS Frankfurt) to comply with GDPR
Human Resource Security Policy
We ensure security awareness and accountability across our team throughout the employee lifecycle.
Organizational Structure
Organizational chart visualizes company structure, updated quarterly
Documented roles and responsibilities clearly defined (RACI model for small team)
Job descriptions document security-related requirements for recruitment
Hiring & Onboarding
Documented recruitment procedures ensure vetted hires and reduce insider risks
Employment contracts include NDA and confidentiality clauses to protect IP
Security onboarding includes MFA setup and security policy training
Security awareness training completed by all employees
Ongoing Management
Annual performance evaluations support skill development and security awareness
Policy enforcement—employees who violate security policies face documented sanctions
Incident reporting via ticket system or support email for security concerns
Offboarding
Documented offboarding procedures ensure account disablement and access revocation (critical for super admin roles)
AI-Specific Competencies
AI personnel competencies determined and ensured through training or hiring
AI resources documentation tracks team skills and contributions
AI policy awareness—personnel understand their role in responsible AI development
Operations Security Policy
We maintain operational security through monitoring, incident response, and continuous improvement.
Infrastructure Operations
Network architecture diagram maintained and updated annually
Infrastructure change logging for audit trails and change management
NTP synchronization daily for accurate log timestamps
Quarterly server OS updates via serverless automation
Centralized log aggregation via Sentry
30-day log retention for application production logs
Threat Management
WAF protection for production applications (Vercel equivalent)
Annual penetration testing of production environment
Active threat monitoring for cloud infrastructure via Semgrep and Sentry
Real-time monitoring via Sentry for proactive response
Automated alerting for security incidents
Incident Response
Formal incident response plan for critical and security issues
Slack alerts for immediate production outage notification
Incident review history maintained in centralized repository for lessons learned
Security event sharing with relevant parties for transparency
NIS2 compliance: significant cybersecurity incidents reported to authorities (early warning within 24 hours, incident notification without undue delay, final report within one month)
Email Security
SPF, DKIM, DMARC protocols secure email servers
Security filters for spam and malware protection
Communication & Transparency
Self-service portal provides product documentation to users
Public website clearly describes features and benefits
Security reporting email for coordinated vulnerability disclosure
Trust Center details security practices and compliance certifications
Public status page communicates service status and incidents (planned)
Risk Mitigation
Cyber insurance coverage protects business operations from financial impact of security incidents
AI Operations
AI system monitoring for performance and errors, with remediation through retraining, code fixes, or updates
AI event logging at key lifecycle phases with comprehensive record keeping
Physical Security Policy
We protect physical assets and infrastructure through appropriate security controls.
Data center security relies on certified providers (Supabase/Vercel with ISO 27001, SOC 2 Type II certifications)
Threat mitigation for physical locations (fire extinguishers, etc.) as part of risk assessment
Physical security measures implemented for any physical assets
Office access control via badge or key system (if applicable)
Visitor registration in digital system for office access tracking
Risk Management Policy
We systematically identify, assess, and treat risks to our information security and AI systems.
General Risk Management
Annual risk assessments or as needed identify and evaluate security threats
DPIA (Data Protection Impact Assessments) for high-risk personal data processing activities
AI Risk Management
Annual AI risk identification for the AI management system
AI system risk assessment using likelihood and impact scoring
Risk treatment by applying controls, accepting, transferring, or avoiding risks
Impact assessments on individuals and societies with documented results for risk reviews
Planned intervals or change-triggered assessments with documented results
Risk treatment plans implemented, verified, and updated with documentation
Third-Party Policy
We assess and manage security risks from third-party vendors and service providers.
Annual vendor assessments for third-party suppliers like OpenAI and ConvertAPI
AI lifecycle responsibilities allocated among organization, partners, suppliers, customers, and third parties
Supplier review for AI alignment before using services, products, or materials
Customer needs integration into responsible AI approach
Supply chain cybersecurity risk assessment including security dependencies and mitigation measures
We developed Zero Data Retention (ZDR) agreements with AI providers such as Mistral to enhance data protection and clarify third-party responsibilities.
AI Management Policy
We govern our AI systems through a comprehensive management framework aligned to ISO 42001.
AI Management System
External and internal issues relevant to AI systems determined and documented
Interested parties identified along with their requirements
Boundaries and applicability of AI management system defined
Continual improvement of AI management system
Top management commitment demonstrated (CEO-led "practice what we preach" approach)
AI Policy Framework
Documented AI policy providing framework for objectives and improvement
Policy alignment with other organizational policies
Planned interval reviews of AI policy
Measurable AI objectives consistent with policy, monitored and updated (e.g., hallucination reduction metrics)
AI System Changes
Planned changes to AI management system executed systematically (e.g., adding new AI providers)
Resource allocation for AI management system determined and provided
Communication framework for internal and external AI system communications (includes Trust Center)
Document protection for AI management system information
AI Process Management
Requirement-based processes planned, implemented, and controlled
Performance monitoring and evaluation with evidence retention
Internal audits at planned intervals
Management reviews for AI management system suitability
Corrective actions for nonconformities with documentation
AI Impact Assessment Policy
We evaluate the potential consequences of our AI systems on individuals and society.
Annual impact assessments of AI system consequences on individuals and societies
Documented results retained for compliance and audit purposes
Individual/group impact evaluation considering user privacy and potential biases
Societal impact assessment aligned with EU AI Act and broader ethical considerations
AI System Life Cycle Policy
We manage AI systems responsibly from design through deployment and operation.
Development Objectives
Responsible AI objectives identified, documented, and integrated into RAG development
Responsibility guidelines followed in design and development to reduce hallucinations
Design & Development
Requirements specification for AI systems documented
Design documentation based on objectives and requirements
Verification and validation through regression testing before deployment
Requirements-based deployment—systems deployed only after requirements are met
Technical documentation provided to relevant parties (team and users)
Use & Information
User information determined and provided (user guides explaining limitations)
Adverse impact reporting capabilities provided for user feedback
Email notifications for AI incidents to build trust
Reporting obligations to interested parties determined and documented
Responsible use guidelines followed for AI systems
Usage objectives for responsible AI identified and documented
Intended purpose monitoring ensures compliance-focused usage
Policy Updates & Reviews
These policies are reviewed and updated regularly to maintain alignment with our evolving security posture, compliance requirements, and operational practices. Material changes are communicated to stakeholders through appropriate channels.
Our security policies reflect our commitment to "practicing what we preach" as a compliance-focused SaaS platform. We implement the same robust security controls we help our customers achieve.
Related Resources
Security & Data Protection Overview - Implementation details of our security controls
Data Privacy & GDPR Compliance - How we handle personal data and GDPR rights
Privacy Policy - Our legal privacy commitments