Plans supporting the use of AI features
Plans supporting this feature: Professional, Business, Enterprise
At Document360, we are committed to transparency with our customers regarding our products and how we use AI to enhance your experience. Here is a comprehensive overview of Eddy AI's functionality, highlighting our security measures and privacy practices.
Compliance
Eddy AI, our advanced AI-powered tool, adheres to strict compliance standards such as:
GDPR: We adhere to the General Data Protection Regulation, ensuring robust data protection and privacy for all individuals in the European Union.
SOC 2 Type 2: Our practices align with the requirements of SOC 2 Type 2 and the EU AI Act, demonstrating our commitment to security, availability, and confidentiality.
Subprocessors
To deliver a high-quality service, Eddy AI leverages a network of trusted subprocessors. These include:
MongoDB: Used as our vector database.
OpenAI: Provides AI capabilities, utilizing their advanced models.
Azure: Our cloud provider ensures a scalable and reliable infrastructure.
Stripe: Facilitates secure payment processing.
Segment: Used for product analytics to enhance the user experience.
Mixpanel: Enables advanced analytics.
Data Security and Privacy
We take data security and privacy seriously. All data associated with Eddy AI is securely stored and encrypted. Here’s how we ensure the integrity and confidentiality of your information:
Data at rest: All the information is encrypted using industry-standard encryption protocols.
Data in transit: Data transmitted between your client and our servers is encrypted to protect it from interception and tampering.
Eddy AI is designed to deliver stable and reliable performance, even under heavy load. Document360 also provides an AI incident response plan.
Resources
1. Cryptography policy
Purpose: The policy aims to ensure the proper and effective use of cryptography to protect the confidentiality, authenticity, and integrity of information.
Scope: The policy applies to all information systems developed and/or controlled by Document360 that store or transmit confidential data.
Policy Owner: The CEO is responsible for the policy.
Effective Date: The policy becomes effective on March 1, 2024.
Risk Evaluation: Document360 evaluates risks and implements cryptographic controls to mitigate them where appropriate.
Encryption Standards: Strong cryptography with associated key management processes and procedures must be implemented and documented in accordance with industry standards, including NIST SP 800-57. We have a partial implementation of the NIST AI Risk Management Framework.
Key Management: Access to keys and secrets is tightly controlled, and there are specific recommendations for the usage of cryptographic keys, including key types, algorithms, and key lengths for various domains such as web certificates, web ciphers, and endpoint storage.
Exceptions: Requests for exceptions to the policy must be submitted to the CEO for approval and must be documented.
Violations & Enforcement: Known violations should be reported to the CEO and may result in disciplinary action, including termination of employment.
Data at Rest: Confidential data at rest must be encrypted using symmetric encryption with AES-256 bit for a maximum period of 1 year.
Passwords: Passwords must be hashed using one-way hash functions like Bcrypt, PBKDF2, scrypt, or Argon2, with a 256-bit key and a 10K stretch, including a unique cryptographic salt and pepper.
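The password rule above (one-way hash, 256-bit derived key, 10K stretch, unique salt plus a secret pepper) can be expressed in a few lines of standard-library Python. The block below is an added illustration of that scheme using PBKDF2-HMAC-SHA256; it is not Document360's own code, and the pepper value, the storage encoding and the helper names are assumptions made for the example.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed values for this illustration. In a real deployment the pepper is a
# server-side secret loaded from a secrets manager and is never stored beside
# the password hashes, so a database dump alone is not enough to run a crack.
PEPPER = b"example-pepper-do-not-use-in-production"
ITERATIONS = 10_000   # the "10K stretch" from the policy
KEY_LEN = 32          # 256-bit derived key
SALT_LEN = 16         # 128-bit random salt, unique per password


def hash_password(password: str, pepper: bytes = PEPPER,
                  salt: Optional[bytes] = None) -> str:
    """Return an encoded record 'pbkdf2_sha256$<iterations>$<salt_hex>$<dk_hex>'.

    The salt is stored in the record; the pepper is not.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)
    # Bind the password to the pepper with HMAC before stretching. Keeping the
    # pepper out of the stored record means leaked hashes cannot be verified
    # (or brute-forced) without also obtaining the server-side secret.
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    dk = hashlib.pbkdf2_hmac("sha256", peppered, salt, ITERATIONS, dklen=KEY_LEN)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${dk.hex()}"


def verify_password(password: str, encoded: str, pepper: bytes = PEPPER) -> bool:
    """Recompute the derived key from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, dk_hex = encoded.split("$")
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(dk_hex)
        iterations = int(iters)
    except ValueError:
        return False            # malformed record: never accept
    if algo != "pbkdf2_sha256":
        return False            # unknown algorithm tag
    peppered = hmac.new(pepper, password.encode("utf-8"), hashlib.sha256).digest()
    candidate = hashlib.pbkdf2_hmac("sha256", peppered, salt, iterations,
                                    dklen=len(expected))
    # compare_digest avoids leaking which byte first differed via timing.
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("wrong password", record))                # False
```

Two properties worth checking in a review of such code: hashing the same password twice must yield different records (the salt is random), and verification with the wrong pepper must fail, which confirms the pepper actually participates in the derivation rather than being decorative.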
2. Incident response plan
Purpose and Scope: The document aims to provide a plan for managing information security incidents and events, covering all such occurrences within the company.
Definitions: It clarifies the difference between a security event (an observable occurrence relevant to data security) and a security incident (an event that results in loss or damage to data security).
Reporting and Documentation: Employees are instructed to report any suspected incidents immediately using specific communication channels, and all incidents must be documented.
Severity Levels: Incidents are categorized into S1 (Critical), S2 (High), and S3/S4 (Medium/Low) severity levels, with clear guidelines for escalation and response.
Incident Response Team: Engineering managers lead the incident response effort, with a designated "War Room" for centralized response. Regular meetings are held to update the incident ticket, document indicators of compromise, and perform other response activities.
Root Cause Analysis: For critical incidents, a root cause analysis is performed, documented, and reviewed by the Director of Engineering, who decides on the need for a post-mortem meeting.
Response Process: The response process includes triage, investigation, containment, eradication, recovery, and hardening, with a focus on lessons learned and long-term improvements.
Physical Security: The document addresses the physical security of affected systems, including isolation and backup procedures.
Breach Determination and Reporting: Only the Product Owner can determine if an incident constitutes a breach. The company shall promptly notify all relevant parties in accordance with policies and regulatory requirements.
External Communications: The company cooperates with customers, data controllers, and authorities as needed, with legal and executive staff determining the approach.
Roles and Responsibilities: The document outlines the specific responsibilities of incident responder roles.
Special Considerations: It includes handling internal issues, compromised communications, and root account compromises.
Incident Status and Summary: A detailed template is provided for documenting incident details, including date, time, location, personnel involved, type of information involved, indicators of compromise, root cause, and actions taken.
Policy Owner and Effective Date: The Product Owner is the policy owner, and the plan becomes effective on March 1, 2024.
3. Information security roles and responsibilities policy
Objective: To establish clear roles and responsibilities for protecting electronic information systems and related equipment.
Policy Owner and Effective Date: The CEO is the policy owner, and the plan becomes effective on March 1, 2024.
Applicability
Applies to all Document360 infrastructure, network segments, systems, employees, and contractors involved in security and IT functions.
Audience
All employees and contractors involved in the Information Security Program.
Includes partners, affiliates, temporary employees, trainees, guests, and volunteers.
Roles and Responsibilities
Executive Leadership:
Approves capital expenditures for security programs.
Oversees execution and communication of information security and privacy risk management.
Ensures compliance with laws and standards (e.g., GDPR, CCPA, SOC 2, ISO 27001).
Reviews vendor service contracts and oversees third-party risk management.
Director of Engineering:
Oversees information security in software development.
Implements and monitors security controls for development and IT processes.
Conducts IT risk assessments and communicates risks to leadership.
VP of Customer Support:
Manages information security tools and processes in customer environments.
Ensures compliance with data retention and deletion policies.
System Owners:
Maintain confidentiality, integrity, and availability of information systems.
Approve access and change requests for their systems.
Employees, Contractors, Temporary Workers:
Act responsibly to protect health, safety, and information resources.
Identify areas for improved risk management practices.
Report incidents and adhere to company policies.
Chief People Officer
Ensures employees and contractors are qualified and competent.
Oversees background checks, policy presentation, and Code of Conduct adherence.
Evaluates employee performance and provides security training.
Policy Compliance
Compliance measured through reports, audits, and feedback.
Exceptions must be pre-approved by the CEO.
Non-compliance can lead to disciplinary actions, including termination.
Document Control
Version: 1.0
Date: February 3, 2024
4. Secure development policy
Policy Owner and Effective Date: The CEO is the policy owner, and the plan becomes effective on March 1, 2024.
Purpose: To ensure that information security is designed and implemented within the development lifecycle for applications and information systems.
Scope: Applies to all Document360 applications and information systems that are business critical and/or process, store, or transmit Confidential data.
Secure-by-Design Principles:
Minimize attack surface area.
Establish secure defaults.
Apply the principle of Least Privilege.
Implement defense in depth.
Fail securely.
Avoid security by obscurity.
Keep security simple.
Privacy-by-Design Principles:
Proactive, preventative approach.
Privacy as the default setting.
Privacy embedded into design.
Full functionality without compromising privacy.
End-to-End Security.
Full lifecycle protection.
Development Environment: Logical or physical segregation of environments: Production, Test/Staging, Development.
System Acceptance Testing: Establish acceptance testing programs and criteria for new information systems, upgrades, and new versions. Complete a Release Checklist before deploying code.
Protection of Test Data: Test data must be selected carefully, protected, and controlled. Confidential customer data must be protected and not used for testing without explicit permission.
Change Control Procedures: Ensure development, testing, and deployment of changes are not performed by a single individual without approval and oversight.
Software Version Control: All software is version controlled, with access restricted based on role.
Policy Compliance: Measured through reports, audits, and feedback. Non-compliance may result in disciplinary action, up to and including termination.
5. Code of conduct policy
Policy Owner: The CEO is responsible for the policy.
Effective Date: The policy becomes effective on March 1, 2024.
Purpose: The policy aims to establish and maintain a safe and inclusive environment for all staff members.
Scope: This policy applies to all staff members across all professional settings within the organization.
Culture: The organizational culture promoted by this policy emphasizes respect, collaboration, and consideration among all employees.
Expected Behavior: Staff members are expected to actively participate in creating a respectful and collaborative workplace environment.
Unacceptable Behavior: Any form of harassment, violence, discrimination, or inappropriate conduct is strictly prohibited.
Weapons Policy: The policy prohibits the possession of weapons on company premises, with strict consequences for violations.
Consequences: Non-compliance with this policy will result in immediate corrective actions, including disciplinary measures and the requirement to report violations.
Responsibility: The CEO holds the responsibility for ensuring that all staff members adhere to and uphold the principles outlined in this policy.
6. Access control policy
Policy Owner: The CEO is responsible for the policy.
Effective Date: The policy becomes effective on March 1, 2024.
Purpose: The purpose of this policy is to restrict access to information and systems to authorized individuals in accordance with business objectives.
Scope: This policy applies to all systems operated by Document360 that handle confidential data for employees and external parties with network access.
Access Control and User Management Summary:
Identifying Users: Access privileges are allocated based on specific job roles and competencies required to perform tasks.
Maintaining Authorization: All allocations of privileged access are documented and maintained to ensure accountability.
Enforcing Security Measures: Multi-factor authentication (MFA) is mandatory for privileged access to enhance security. Generic administrative IDs are prohibited to prevent unauthorized usage.
Adopting Protocols: Time-bound access permissions are granted to limit exposure and reduce security risks.
Logging and Auditing: All privileged logins and activities are logged and audited to monitor for unauthorized access or misuse.
User Access Reviews: Regular reviews ensure that distinct and appropriate identities are maintained for those with privileged access.
Access Control Policy: Access is restricted to authorized parties only, ensuring that information remains protected.
Password Management: Secure log-on procedures and password policies are implemented to safeguard against unauthorized access.
User Access Provisioning: Access permissions are granted based on documented business requirements and validated needs.
Violations & Enforcement: Violations of this policy are reported and subject to enforcement measures to maintain compliance and security.
7. Data management policy
Policy Owner: The CEO is responsible for the policy.
Effective Date: The policy becomes effective on March 1, 2024.
Purpose: To ensure information is classified, protected, retained, and securely disposed of based on its importance to the organization.
Scope: Applies to all data, information, and information systems of Document360.
Data Classification:
Confidential: Highly sensitive data needing the highest protection levels. Examples include customer data, PII, company financials, strategic plans, and technical reports.
Restricted: Proprietary information requiring thorough protection. Default classification for all company information unless otherwise stated. Examples include internal policies, legal documents, contracts, and emails.
Public: Information intended for public consumption and can be freely distributed. Examples include marketing materials and product descriptions.
Data Handling:
Confidential Data:
Restricted access to specific employees or departments.
Must be encrypted at rest and in transit.
Should not be stored on personal devices or removable media.
Requires secure storage and disposal.
Restricted Data:
Access restricted to users with a need-to-know basis.
Requires management approval for external transfer.
Secure storage and disposal are mandatory.
Public Data: No special protection or handling controls required.
Data Retention and Disposal:
Data retained as long as needed for business, regulatory, or contractual requirements.
Confidential and restricted data securely deleted when no longer needed.
PII deleted or de-identified when no longer needed for business purposes.
Annual Data Review: Management reviews data retention requirements annually to ensure compliance with the policy.
Legal Requirements: Data associated with legal holds or lawsuits is exempt from standard policy requirements and retained per legal counsel’s stipulations.
Policy Compliance: Compliance measured through business tool reports and audits.
Exceptions: Any exceptions to the policy require CEO approval.
Violations & Enforcement: Known policy violations should be reported to the CEO and can result in disciplinary actions, including termination of employment.
8. Operations security policy
Policy Owner: The CEO is responsible for the policy.
Effective Date: The policy becomes effective on March 1, 2024.
Purpose and Scope:
Ensure the secure operation of information processing systems and facilities.
Applies to all critical Document360 information systems and third-party entities with network access.
Documented Operating Procedures:
Technical and administrative procedures must be documented and accessible to relevant users.
Change Management:
Significant changes must be documented, tested, reviewed, and approved before deployment.
Emergency changes require retrospective review and authorization.
Capacity Management:
Monitor and adjust processing resources and system storage to meet performance requirements.
Include human resource capacity in planning and annual risk assessments.
Data Leakage Prevention:
Identify and classify information per the Data Management Policy.
Train users on proper handling of sensitive information.
Use Data Loss Prevention (DLP) tools based on risk assessment.
Web Filtering:
Implement DNS and IP blocking to restrict access to risky websites.
Block websites with malicious content or command and control servers unless necessary for business.
Separation of Environments:
Strictly segregate development, staging, and production environments.
Do not use confidential production customer data in development or test environments without approval.
Systems and Network Configuration:
Follow configuration and hardening standards to maintain system and network security.
Review production network access configuration rules annually.
Protection from Malware:
Implement detection, prevention, and recovery controls for malware.
Utilize anti-malware and threat detection software on all company endpoints and emails.
Information Backup: Design and implement backup processes for systems and data, ensuring customer data recovery per SLAs.
Logging and Monitoring: Implement logging and monitoring to detect and respond to security incidents.
Control of Operational Software: Manage the installation and use of operational software according to established rules.
Threat Intelligence: Collect and analyze information security threats to produce actionable intelligence.
Technical Vulnerability Management: Identify, assess, and address technical vulnerabilities in a timely manner.
Restrictions on Software Installation: Establish rules for software installation to ensure security and compliance.
Information Systems Audit Considerations: Plan and agree on audit requirements to minimize disruptions to business processes.
Systems Security Assessment and Requirements: Include security requirements in the acquisition or significant changes to systems.
Data Masking: Implement data masking techniques to protect PII and sensitive data based on risk assessment.
9. Data retention policy
Policy Owner: The CEO is responsible for the Data Retention Policy.
Effective Date: The policy becomes effective on March 1, 2024.
Purpose: This policy outlines how data is stored, analyzed, and deleted within Document360, ensuring transparency and user control over retained information.
Scope: This policy applies to all customers using Document360, including both public and private knowledge base projects.
Data Collection:
For public sites: No user-level data is collected.
For private projects: We collect user-level data including the identity of the user submitting a prompt, timestamps, and other user information available within Document360.
Data Usage: Document360 stores all prompts/questions entered in the Eddy AI Chatbot to perform the following analyses:
Topical Analysis: Clustering of questions/prompts using in-house algorithms and OpenAI APIs.
Citation Analysis: Identifying the most cited articles.
Metrics: Displaying depth metrics and tracking answered vs. unanswered questions.
Customization: This policy is not customizable by the customer, but customers have the right to request deletion of their data at any time during the contract period.
Data Retention and Deletion:
All collected data is retained within your Document360 project.
Data is permanently deleted when the knowledge base project is deleted.
You may request deletion of this data at any point during your contract with Document360.
Responsibility: The CEO is responsible for ensuring the implementation and compliance of this policy across all customer accounts and projects.
Data privacy
We prioritize your privacy and adhere to strict data handling practices:
Data Privacy Compliance: We have signed a Data Processing Agreement (DPA) with OpenAI, outlining our commitment to data privacy and protection. For more details, refer to DPA with OpenAI.
We use OpenAI’s ChatGPT-4.1 Mini and GPT-4o models to power Eddy AI, delivering cutting-edge performance and capabilities.
This feature adheres to OpenAI's privacy policies by using a form of OpenAI integration.
We send data to OpenAI via their APIs. An extract from the policy states, "OpenAI will not use data submitted by customers via our API to train OpenAI models or improve OpenAI's service offerings." Any data sent through the API to OpenAI will be retained for analytical purposes for a maximum of 30 days, after which it will be deleted.
NOTE
Read the complete OpenAI API data usage policies.
If you have any queries regarding Document360's data policy, please read our Privacy policy.
FAQs
Does Document360 involve any generative AI or large language model (LLM) features?
Yes. Eddy AI, a feature in Document360, uses third-party LLMs through the OpenAI and Anthropic APIs, and generative AI, to enhance the user experience. It leverages advanced language models to provide smart assistance and content generation.
Can we choose not to train third-party AI/LLMs on our data?
Yes, customer data is not used to train AI/LLM models. Eddy AI uses OpenAI’s technology, but as per OpenAI’s privacy policy and our agreement with them, any data sent through their system is not used for AI training.
We send data to OpenAI through their API. As stated in their policy: "OpenAI will not use data submitted by customers via our API to train OpenAI models or improve OpenAI's service offerings." However, OpenAI may retain the data for up to 30 days for analysis and compliance purposes, after which it is permanently deleted.
Is Eddy AI built on the same infrastructure as Document360?
Yes, Eddy AI runs on the same secure and reliable infrastructure as Document360. This ensures consistent performance and compliance with our standards.
What countries and regions are these AI technologies/platforms/models hosted?
The AI technologies/platforms/models are hosted in the European Union (EU) region.
How does Document360 ensure that my data is not accessed or leaked to other customers? What security assurance is approved?
Document360 is SOC 2 compliant and adheres to industry-standard engineering best practices to ensure data isolation and protection. Robust security measures are implemented to prevent unauthorized access, ensuring that your data remains secure and inaccessible to other customers. For more details, refer to our Security practices.
How does Document360 ensure that non-targeted customer data is not ingested?
Document360 strictly adheres to the GDPR and the EU AI Act. Our internal processes and data handling practices are designed to align with all relevant legal and compliance requirements, ensuring that only intended and authorized data elements are processed. Non-targeted customer data is explicitly excluded from ingestion.
What is the uptime SLA, and is it supported by all subprocessors and third parties?
Document360 maintains a 99.99% uptime SLA, which is fully supported by all relevant subprocessors and third-party service providers involved in delivering our services.
What controls are in place to detect and prevent errors?
We log all outputs and responses generated by Eddy AI. In addition, we are in the process of integrating LLM observability tools to enhance monitoring and error prevention capabilities.
What is the expected margin of error for Eddy AI responses? How is adherence to the permitted error margin monitored and measured?
Based on our internal testing, Eddy AI demonstrates an accuracy rate of 96–98% when responding to user queries. We are actively integrating LLM observability tools and use evaluation frameworks such as OpenAI Evals, RAGAS, and GeneralQA metrics to assess performance and accuracy against defined benchmarks.
Has the product been assessed for bias, toxicity, or harmful content such as threats, profanity, or political polarity?
Yes, we use OpenAI Moderation APIs to evaluate responses for harmful content. If a response is flagged, Eddy AI avoids generating that response.
How is the risk of AI hallucination managed in Eddy AI?
Document360 has an AI risk mitigation strategy. Eddy AI is strictly constrained to your knowledge base content. Our system prompts guide the AI to avoid generating unsupported or fabricated responses. If Eddy AI is unsure or cannot cite a reliable source, it will respond with “I do not know.”
Are AI decisions explainable, and is there human oversight in the process?
Yes, all AI-generated responses from Eddy AI include inline citations, allowing end users to clearly see the source of the information and understand how the response is generated. Additionally, we follow a human-in-the-loop approach as part of our AI governance. While Eddy AI can assist with recommendations, final decisions are left to humans, ensuring oversight and accountability.