Controls
Here are the controls implemented at undefined to ensure compliance, as a part of our security program.
Product security (5)
Production System User Review
CTO conducts quarterly reviews of access rights to ensure they remain appropriate per the Access Management Process Policy
Situational Awareness For Incidents
Entity maintains a record of information security incidents, investigations, and response plans executed according to the Incident Response Policy.
Vulnerability Remediation Process
Entity remediates vulnerabilities based on CVSS score: Critical (8.0+): Immediate action, High (7.5+): Within 30 days, Medium (6.0+): Within 60 days per the Patch and Vulnerability Management Policy
Centralized Management of Flaw Remediation Processes
Entity tracks all vulnerabilities and remediates them per the Patch and Vulnerability Management Policy with CTO oversight
Change Management Process
Entity has established procedures for planning, testing, and approving changes to the AI voice agent platform per the Change Management Policy with CTO approval
Data security (9)
Identify Validation
Entity ensures logical access provisioning to critical systems requires approval from authorized cofounders on individual need or predefined role basis
Termination of Employment
Entity ensures logical access is revoked within one business day of employment termination per the HR Engagement Process Policy
Production Databases Access Restriction
Entity ensures access to production databases is restricted to cofounders and designated engineers who require such access per the Access Control Policy
Multi-factor Authentication
Entity requires MFA using SMS and authenticator apps for all staff members with access to critical systems
User Privileges Reviews
CTO and cofounders periodically review access to critical systems quarterly to ensure access remains appropriate per documented access matrix
Encrypting Data At Rest
Entity encrypts all production databases storing customer voice recordings and scripts using AWS RDS encryption
Data Classification and Handling
Entity classifies customer data, voice recordings, and scripts per the Information Classification Policy with appropriate protection controls
Data Retention and Purging
Entity deletes customer data within 30 days of service termination and purges archived data per the Data Backup and Retention Policy
Backup Testing and Verification
Entity conducts annual test restorations of AWS RDS backups to verify data recovery capabilities per documented procedures
Network security (9)
Impact Analysis
Entity evaluates potential impacts and risks when implementing changes per the Change Management Policy
Limit Network Connections
Entity ensures production databases access is protected from public internet access using AWS security groups and VPCs
External System Connections
Production hosts are protected by AWS firewall with deny-by-default rule configured on the cloud provider
Transmission Confidentiality
Entity uses HTTPS with TLS encryption to keep transmitted data confidential for all API and customer communications
Anomalous Behavior
Entity's infrastructure is configured to review and analyze audit events to detect anomalous activity using AWS CloudTrail
Data Used in Testing
Entity ensures customer data used in non-production environments requires same level of protection as production per the Data Backup and Retention Policy
Centralized Collection of Security Event Logs
Entity's infrastructure is configured to generate audit events for actions of interest related to security across AWS and integrated systems
VPN and Remote Access
Entity requires employees to use secure VPN connections when accessing company resources from remote locations per the Physical and Environmental Security Policy
Network Access Controls
Entity implements appropriate network access controls for AWS infrastructure per the Information Security Policy
App security (4)
Secure System Modification
Entity has procedures to govern changes to the AI voice agent platform with CTO approval per the Change Management Policy
Conspicuous Link To Privacy Notice
Entity displays current information about its AI voice agent services and privacy practices on its website, accessible to customers and prospects
Unauthorized Activities Detection
Entity uses AWS CloudTrail monitoring to detect and alert on unauthorized access or changes to production systems per the Incident Response Policy
Secure Development Practices
Entity follows secure coding standards including input validation, least privilege principles, and data sanitization per the Secure Development Practices Policy
Endpoint security (6)
Malicious Code Protection (Anti-Malware)
Entity ensures endpoints with access to critical servers are protected by CrowdStrike Falcon Go anti-malware software per the Anti-Malware Policy
Full Device or Container-based Encryption
Entity requires all personal devices used for company business have full-disk encryption enabled
Endpoint Security Validation
Entity performs security and privacy compliance checks on software versions and patches of remote devices prior to establishing internal connection per the Endpoint Security Policy
Session Lock
Entity ensures endpoints with access to critical servers are configured to auto-screen-lock after 5 minutes of inactivity
Password/Authentication Requirements
Entity requires endpoints to be secured with strong passwords and biometric authentication where available per the Endpoint Security Policy
Operating System Updates
Entity requires endpoints to have current operating system security updates installed within specified timeframes per the Endpoint Security Policy
Corporate security (10)
Code of Business Conduct
Entity has a documented Code of Conduct Policy to define behavioral standards and acceptable business conduct
Roles & Responsibilities
Entity has established procedures per the ISMS Roles and Responsibilities Policy to communicate roles and responsibilities to staff
New Hire Policy Acknowledgement
Entity has established procedures for new staff to acknowledge applicable company policies as part of onboarding per the HR Engagement Process Policy
Security & Privacy Awareness
Entity provides mandatory security awareness training to staff relevant to their job function per the HR Engagement Process Policy
Assigned Cybersecurity & Privacy Responsibilities
CTO is assigned as Information Security Officer to centrally manage, coordinate, and maintain cybersecurity program per the ISMS Roles and Responsibilities Policy
Risk Assessment
Each risk is assessed using consequence and likelihood scoring per the Cyber Risk Assessment Policy with CTO oversight
Incident Reporting Assistance
Entity provides information to customers on how to report failures or security incidents related to the AI voice agent platform
Third-Party Criticality Assessments
Entity performs formal vendor risk assessment per the Vendor Management Policy to identify vendors critical to systems security
Segregates Roles and Responsibilities
Entity's cofounders segregate responsibilities across the organization with engineers restricted from financial and HR systems per the Access Control Policy
Management Review of Risks
CTO and cofounders review and approve the Risk Assessment Report annually per the Cyber Risk Assessment Policy
