Date published: December 5, 2024

Security and Privacy Principles at CUJO AI

At CUJO AI, we are committed to maintaining the highest standards of security and privacy. Our policies are based on the following foundational principles:

  • Security
  • Availability
  • Confidentiality
  • Processing Integrity
  • Privacy

CUJO AI maintains SOC 2 Type II attestation and ISO 27001 certification. Our SOC 2 Type II report and ISO 27001 certificate are available in our Trust Center. We also comply with GDPR, CCPA, and other applicable US data privacy laws.

Data Protection

Data at rest

All customer data stores are encrypted using strong encryption algorithms and keys specific to each environment. We use either managed service keys or application service-specific customer-managed keys.

Data in transit

We use TLS 1.3 for all data transmitted over potentially insecure networks. Server TLS keys and certificates are managed by a Certificate Management System.

Sensitive credentials

Encryption keys are managed through a key management system or, in certain cases, a dedicated secret manager. Key material is stored in hardware security modules to prevent direct access.

Product Security

Secure Software Development Life Cycle (SDLC)

Our SDLC process includes security activities at each stage, such as risk assessment, threat modeling, static and dynamic analysis, code review, and continuous monitoring.

Penetration Testing

We conduct annual penetration testing on our infrastructure and source code, focusing on confidentiality, integrity, availability, and privacy.

Vulnerability Scanning

Vulnerability scanning is performed at key stages of our SDLC, including static analysis, software composition analysis, malicious dependency scanning, dynamic analysis, and periodic network vulnerability scanning.

Responsible Disclosure and Bug Bounty Program

The purpose of the Responsible Disclosure Policy is to allow third-party security researchers to submit information about potential weaknesses and vulnerabilities in our products, services, infrastructure and/or websites before making this information public. The purpose of the Bug Bounty Program (BBP) is to incentivize the identification and reporting of security vulnerabilities in our products, services, infrastructure and/or websites. Participants can earn rewards for responsibly disclosing vulnerabilities.

Enterprise Security

Endpoint Protection

All corporate devices are centrally managed and equipped with MDM software, anti-malware protection, and endpoint detection and response software. Endpoint security alerts are monitored 24/7/365.

Secure Remote Access

All remote connections to our internal systems must pass through an encrypted VPN, ensuring secure data transmission.

Security Education

We provide regular training to our staff on security and privacy awareness to prevent security breaches.

Identity and Access Management

We use a cloud-based IAM solution to control and monitor user access to critical systems, enforcing strict authentication requirements and role-based permissions.

Automated Incident Response

We leverage automated workflows to identify and respond to security incidents in real time. These workflows reduce response times and mitigate the impact of potential security breaches by ensuring swift, consistent actions across our systems.

Compliance Automation

We utilize automated tools to streamline compliance checks and reporting processes. These tools ensure that the organization consistently meets regulatory requirements while reducing manual effort and improving accuracy.

Enhanced Threat Intelligence

We deliver real-time threat intelligence feeds to inform customers about the latest threats and vulnerabilities. This proactive approach helps organizations stay ahead of emerging risks and strengthens their overall security posture.

Data Privacy

We protect our customers’ and partners’ personal information and operate appropriate privacy protection controls as detailed in our publicly accessible Privacy Policy. CUJO AI is a member of the Data Privacy Framework and meets all requirements set by the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.

Vendor Security

We operate robust vendor security controls driven by third-party risk management and supplier management policies, including regular security posture reviews and standardized mutual non-disclosure agreements.