Aureum Logo
Aureum Intelligence.
Security

Security Policy

Effective: January 1, 2026Updated: January 1, 2026

1. Introduction

This Security Policy establishes the comprehensive security framework that Aureum Intelligence LLC ("Aureum," "we," "us," or "our") implements to protect customer data, maintain the integrity of our enterprise AI security platform, and ensure compliance with applicable regulatory requirements including HIPAA, GDPR, CCPA, and industry best practices.

As an enterprise AI security provider, Aureum Intelligence recognizes that trust and security are foundational to our mission. This policy outlines our commitment to protecting information assets through technical, administrative, and physical safeguards.

2. Scope

This Security Policy applies to:

  • All Aureum Intelligence employees, contractors, consultants, and temporary staff
  • All information systems, networks, and infrastructure supporting the Aureum platform
  • All customer data processed, stored, or transmitted through Aureum services
  • All third-party vendors and service providers with access to Aureum systems
  • All Aureum-owned or managed devices and endpoints

3. Security Framework

3.1 Security Principles

Aureum Intelligence adheres to the following core security principles:

  • Confidentiality: Information is accessible only to authorized individuals
  • Integrity: Data is accurate, complete, and protected from unauthorized modification
  • Availability: Systems and data are accessible when needed by authorized users
  • Accountability: All actions are traceable to responsible individuals
  • Least Privilege: Users and systems have minimum necessary access rights

3.2 Compliance Framework

Our security program is aligned with the following standards and frameworks:

  • NIST Cybersecurity Framework (CSF)
  • ISO 27001 Information Security Management
  • HIPAA Security Rule (for healthcare customers)
  • SOC 2 Type II controls
  • GDPR Article 32 security requirements
  • CCPA/CPRA security obligations

4. Access Controls

4.1 Authentication

  • Multi-Factor Authentication (MFA): Required for all employee and customer access to Aureum systems
  • Strong Password Policy: Minimum 12 characters with complexity requirements; passwords are not subject to forced periodic rotation per NIST SP 800-63B guidelines, but must be changed immediately upon evidence of compromise
  • Single Sign-On (SSO): Supported for enterprise customers via SAML 2.0 and OIDC
  • Session Management: Automatic timeout after 30 minutes of inactivity

4.2 Authorization

  • Role-Based Access Control (RBAC): Access granted based on job function and need-to-know
  • Privileged Access Management (PAM): Elevated access requires approval and monitoring
  • Access Reviews: Quarterly review of all access permissions
  • Just-In-Time Access: Temporary elevated access with automatic expiration

4.3 Identity Management

  • Centralized identity provisioning and deprovisioning
  • Integration with customer identity providers for enterprise deployments
  • Automated account lifecycle management
  • Regular identity audits and reconciliation

5. Data Protection

5.1 Encryption

Data StateEncryption StandardKey Management
Data at RestAES-256AWS KMS / HSM
Data in TransitTLS 1.3+Public CA certificates
Data in UseConfidential ComputingHardware-based enclaves
  • Key Rotation: All encryption keys rotated every 90 days
  • Key Storage: Hardware Security Modules (HSMs) for master keys
  • Customer Keys: Bring Your Own Key (BYOK) options available for enterprise customers

5.2 Data Classification

  • Public: Information intended for public consumption
  • Internal: Internal business information
  • Confidential: Customer data, proprietary information
  • Restricted: Highly sensitive data (PHI, PII, financial data)

5.3 Data Masking and Anonymization

  • Production data never used in non-production environments without masking
  • PII and PHI automatically masked in logs and diagnostics
  • Differential privacy techniques applied to analytics data

6. Infrastructure Security

6.1 Network Security

  • Firewall Protection: Next-generation firewalls at all network boundaries
  • Network Segmentation: Isolation of production, development, and management networks
  • Intrusion Detection/Prevention (IDS/IPS): Real-time threat monitoring
  • DDoS Protection: Cloud-based mitigation services
  • Private Network Options: VPC peering and dedicated connections available

6.2 Endpoint Security

  • Device Management: Mobile Device Management (MDM) for all company devices
  • Endpoint Detection and Response (EDR): 24/7 monitoring and threat hunting
  • Patch Management: Critical patches applied within 72 hours
  • Anti-Malware: Real-time protection on all endpoints

6.3 Cloud Security

  • Shared Responsibility Model: Clear delineation of security responsibilities
  • Cloud Security Posture Management (CSPM): Continuous configuration monitoring
  • Infrastructure as Code (IaC): Security policies embedded in deployment pipelines
  • Zero Trust Architecture: Never trust, always verify

7. Application Security

7.1 Secure Development Lifecycle (SDL)

  • Security Requirements: Defined during project planning
  • Threat Modeling: Conducted for all new features and architectures
  • Secure Coding Standards: OWASP Top 10 mitigation requirements
  • Code Review: Security-focused peer review for all changes
  • Static Application Security Testing (SAST): Automated scanning in CI/CD
  • Dynamic Application Security Testing (DAST): Regular penetration testing

7.2 Vulnerability Management

  • Vulnerability Scanning: Weekly automated scans of all systems
  • Patch Prioritization: Based on CVSS score and exploit availability
  • Bug Bounty Program: Third-party security researchers can report vulnerabilities
  • Responsible Disclosure: 90-day disclosure policy for reported vulnerabilities

7.3 API Security

  • Authentication: OAuth 2.0 and API key authentication
  • Rate Limiting: Protection against abuse and denial of service
  • Input Validation: All inputs validated and sanitized
  • API Gateway: Centralized security controls and monitoring

7.4 AI and Machine Learning Security

  • Prompt Injection Mitigation: Input sanitization, output filtering, and context-boundary enforcement to prevent prompt injection attacks against AI agents
  • Model Integrity: Verification of model provenance and integrity checks to prevent model poisoning or unauthorized modification
  • Adversarial Input Detection: Monitoring for adversarial inputs designed to manipulate AI model behavior or bypass safety controls
  • Output Validation: Guardrails and post-processing validation on AI-generated outputs to detect and prevent harmful or unintended content
  • Data Isolation: Strict separation between customer data and model training pipelines; customer data is never used to train or improve AI models

8. Security Monitoring and Incident Response

8.1 Security Operations Center (SOC)

  • 24/7 Monitoring: Continuous surveillance of all systems and networks
  • Security Information and Event Management (SIEM): Centralized log collection and correlation
  • Threat Intelligence: Integration with global threat feeds
  • Anomaly Detection: Machine learning-based behavioral analysis

8.2 Log Management

  • Log Collection: All systems generate comprehensive audit logs
  • Log Retention: Minimum 365 days for security-relevant logs
  • Log Integrity: Write-once, read-many (WORM) storage for critical logs
  • Log Analysis: Automated correlation and alerting

8.3 Incident Response

Incident LevelResponse TimeEscalation
Critical (Data Breach)15 minutesCISO + Executive Team
High (System Compromise)1 hourSecurity Team Lead
Medium (Policy Violation)4 hoursSecurity Analyst
Low (Informational)24 hoursSecurity Operations
  • Incident Response Plan: Tested annually through tabletop exercises
  • Communication Plan: Defined procedures for internal and external notifications
  • Forensic Capability: Internal and third-party forensic resources on call
  • Post-Incident Review: Root cause analysis and lessons learned documented

8.4 Data Breach Notification

  • Regulatory Notification: Within 72 hours of breach confirmation (GDPR requirement)
  • Customer Notification: Within 24 hours of confirmed data breach affecting customer data
  • Public Disclosure: Coordinated with legal and communications teams
  • Notification Content: Nature of breach, data affected, remediation steps, contact information

9. Business Continuity and Disaster Recovery

9.1 Backup and Recovery

  • Backup Frequency: Real-time replication for critical systems, daily for others
  • Backup Retention: 30 days minimum, with annual archives retained for 7 years
  • Backup Testing: Quarterly restore tests to verify integrity
  • Geographic Redundancy: Data replicated across multiple geographic regions

9.2 Disaster Recovery

  • Recovery Time Objective (RTO): 4 hours for critical systems
  • Recovery Point Objective (RPO): 1 hour maximum data loss
  • Failover Testing: Annual disaster recovery exercises
  • Alternative Sites: Warm standby facilities in separate geographic regions

9.3 Business Continuity Planning

  • Business Impact Analysis: Conducted annually for all critical functions
  • Continuity Plans: Documented and tested for all business units
  • Emergency Response: Clear procedures for various emergency scenarios
  • Crisis Management: Executive team trained in crisis communication

10. Third-Party Security

10.1 Vendor Risk Management

  • Vendor Assessment: Security review before onboarding
  • Due Diligence: Questionnaire and documentation review
  • Contractual Requirements: Security obligations in all vendor contracts
  • Ongoing Monitoring: Annual reassessment of critical vendors

10.2 Subprocessor Management

  • Subprocessor List: Maintained and published for customer review
  • Notification: 30-day notice for new subprocessors
  • Right to Object: Customers may object to new subprocessors
  • Flow-Down Obligations: All security requirements extended to subprocessors

10.3 Cloud Service Providers

  • Primary Providers: AWS, Azure, Google Cloud Platform
  • Certifications: All providers maintain SOC 2, ISO 27001, HIPAA compliance
  • Shared Responsibility: Clear delineation of security responsibilities
  • Exit Strategy: Data portability and migration procedures documented

11. Physical Security

11.1 Data Center Security

  • Access Control: Badge access, biometric verification, security personnel
  • Environmental Controls: Temperature, humidity, fire suppression
  • Surveillance: 24/7 video monitoring with 90-day retention
  • Physical Barriers: Fencing, bollards, controlled entry points

11.2 Office Security

  • Access Control: Badge access to all facilities
  • Visitor Management: All visitors logged and escorted
  • Clean Desk Policy: Sensitive information secured when not in use
  • Secure Disposal: Shredding and secure disposal of physical media

12. Security Training and Awareness

12.1 Employee Training

  • Onboarding: Security awareness training within first week
  • Annual Training: Mandatory security training for all employees
  • Role-Based Training: Additional training for developers, administrators, and security staff
  • Phishing Simulations: Monthly phishing tests with targeted training

12.2 Security Culture

  • Security Champions: Embedded in each development team
  • Open Communication: Encouraged reporting of security concerns
  • Recognition: Rewards for identifying security issues
  • Continuous Learning: Access to security training resources and certifications

13. Compliance and Auditing

13.1 Internal Audits

  • Annual Audit: Comprehensive internal security audit
  • Control Testing: Regular testing of security controls
  • Gap Analysis: Identification and remediation of control gaps
  • Management Review: Quarterly security metrics to executive team

13.2 External Audits

  • SOC 2 Type II: Annual third-party audit
  • ISO 27001: Certification maintained and renewed
  • HIPAA Audit: Regular compliance assessments
  • Customer Audits: Reasonable accommodation for customer security reviews

13.3 Certifications

  • SOC 2 Type II: Available upon request
  • ISO 27001: Security controls aligned with ISO 27001; formal certification in progress (expected completion noted in follow-up roadmap)
  • HIPAA Compliance: Business Associate Agreements available
  • FedRAMP: Exploring authorization for government customers

14. Security Governance

14.1 Security Organization

  • Chief Information Security Officer (CISO): Executive security leadership
  • Security Team: Dedicated security engineers and analysts
  • Security Committee: Cross-functional governance body
  • Board Reporting: Quarterly security updates to Board of Directors

14.2 Policies and Procedures

  • Policy Framework: Comprehensive security policy documentation
  • Regular Review: All policies reviewed annually
  • Change Management: Formal process for policy updates
  • Accessibility: All policies available to employees and customers

14.3 Risk Management

  • Risk Assessment: Annual enterprise-wide risk assessment
  • Risk Register: Documented risks with mitigation strategies
  • Risk Appetite: Defined tolerance levels approved by executive team
  • Risk Treatment: Systematic approach to risk reduction

15. Policy Enforcement

15.1 Violations

  • Reporting: All employees required to report security violations
  • Investigation: All reported violations investigated promptly
  • Disciplinary Action: Progressive discipline for policy violations
  • Legal Action: Criminal activity referred to law enforcement

15.2 Exceptions

  • Exception Process: Formal request and approval required
  • Risk Acceptance: Exceptions require documented risk acceptance
  • Time Limit: All exceptions have expiration dates
  • Review: Exceptions reviewed quarterly

16. Customer Security Responsibilities

Customers are responsible for the following within their use of the Aureum platform:

  • Credential Management: Safeguarding login credentials, API keys, and access tokens; revoking access promptly when personnel changes occur
  • User Access Control: Configuring and maintaining appropriate role-based access within the platform for their authorized users
  • Data Classification: Accurately classifying data uploaded to or processed through the platform according to their internal policies
  • Incident Reporting: Promptly reporting suspected security incidents, unauthorized access, or credential compromise to security@aureumintelligence.com
  • Endpoint Security: Maintaining the security of devices used to access the platform, including operating system patches, endpoint protection, and disk encryption
  • Compliance: Ensuring that their use of the platform complies with applicable laws, regulations, and their own organizational security policies
  • Integration Security: Securing credentials, tokens, and connections for third-party systems integrated with the platform

17. Contact Information

Security Incident Reporting

  • Email: security@aureumintelligence.com
  • PGP Key: Available at https://aureumintelligence.com/security/pgp-key
  • Security.txt: https://aureumintelligence.com/.well-known/security.txt

Privacy and Compliance

  • Privacy Officer: privacy@aureumintelligence.com
  • Compliance Team: compliance@aureumintelligence.com
  • Business Associate Agreements: baa@aureumintelligence.com

18. Document Control

VersionDateAuthorChanges
1.0January 1, 2026Security TeamInitial Release

19. Acknowledgment

By using Aureum Intelligence services, customers acknowledge that they have reviewed and understand this Security Policy. Aureum Intelligence reserves the right to update this policy as needed to reflect changes in technology, regulations, or business requirements. Customers will be notified of material changes with at least 30 days' notice.

Aureum Intelligence LLC 5256 Bethel Reed Park, Suite 3 Columbus, Ohio 43220 https://aureumintelligence.com

This document is proprietary to Aureum Intelligence LLC and may contain confidential information. Unauthorized distribution is prohibited.