Published: October 28, 2024
Security Information Page
At CUJO AI, safeguarding data and maintaining the highest standards of security is our top priority. Our commitment to protecting our clients and their information is integral to our operations and our mission. Below is an overview of our security practices, policies, and measures.
Security and Privacy Principles at CUJO AI
Our policies are based on the following foundational principles:
- Security
- Availability
- Confidentiality
- Processing Integrity
- Privacy
CUJO AI maintains SOC 2 Type II attestation and ISO 27001 compliance certification. Our SOC 2 Type II report and ISO 27001 certificate are available in our Trust Center.
CUJO AI maintains compliance with GDPR, CCPA and other applicable data privacy laws.
Data Protection
Data at rest
All data stores with customer data are encrypted at rest by using strong encryption algorithms and keys that are specific to each environment. CUJO AI uses either AWS-managed Key Management System (KMS) service keys or application service-specific customer-managed KMS keys.
Data in transit
CUJO AI uses TLS 1.3 everywhere data is transmitted over potentially insecure networks. Server TLS keys and certificates are managed by AWS ACM.
Sensitive credentials
Encryption keys are managed via the AWS KMS or, in certain cases, with the AWS Secrets Manager. KMS stores key material in Hardware Security Modules (HSMs), which prevent direct access by any individuals, including employees of Amazon and CUJO AI. The keys stored in HSMs are used for data encryption and decryption via Amazon’s KMS APIs.
Application secrets that cannot feasibly be used from AWS KMS are stored securely in the AWS Secrets Manager, which encrypts all data at rest. Access to these values is strictly limited, as is access to perform encryption and decryption operations with KMS-managed keys.
Product Security
Secure software development life cycle (SDLC)
We follow our SDLC process to develop secure software and test it before deploying to production.
SDLC covers 3 main layers: portfolio, program and execution. Secure SDLC adds security activities at each software development stage as follows:
- Plan and Analyze + Risk Assessment
- Design + Threat Modeling, Design Review
- Develop + Static analysis + Code Review + Secure Supply chain
- Test + Security Testing + Dynamic analysis
- Release/Launch + Security Review and Secure Config
- Maintain and Retire + Continuous monitoring
Penetration testing
Penetration testing on the CUJO AI infrastructure and source code is conducted annually or whenever required. Tests include both automated and manual analysis of GitHub repositories and AWS-hosted domains. The focus areas for testing are confidentiality, integrity, availability, and privacy of the services. It includes black-box testing of web services and a thorough source code review. This comprehensive approach aims to identify and mitigate security vulnerabilities effectively.
Vulnerability scanning
Vulnerability scanning is performed at key stages of our Secure Software Development Lifecycle (SSDLC):
- Static analysis (SAST) testing of source code (as well as pull requests) on a daily basis.
- Software composition analysis (SCA) to identify known vulnerabilities in our software supply chain.
- Malicious dependency scanning on a daily basis, including pull requests and code builds, to prevent the introduction of malware into our software supply chain.
- Dynamic analysis (DAST) of running applications. It can help identify vulnerabilities in running applications and test possible execution paths of the code.
- Periodic network vulnerability scanning as a part of Penetration Testing.
- Internal network & workstation scanning on a bi-daily basis to identify vulnerable applications.
Enterprise Security
Endpoint protection
All corporate devices are managed centrally and equipped with mobile device management (MDM) software, anti-malware protection, and endpoint detection and response software. Endpoint security alerts are monitored with 24/7/365 coverage. We use MDM software to ensure that endpoints use secure configurations, such as disk encryption, screen locks, and software updates.
Secure remote access
All remote connections to our internal systems must pass through an encrypted Virtual Private Network (VPN). The VPN ensures that all data transmitted between the user’s device and our network is encrypted, safeguarding sensitive information from interception. Access to production environments requires approved encrypted access.
Security education
We provide regular training to our staff on security and privacy awareness, including how to recognize phishing attempts and avoid risky online behavior. This human layer of defense helps prevent security breaches originating from compromised user credentials and malware infections.
Identity and access management
CUJO AI uses a state-of-the-art cloud-based identity and access management (IAM) solution to control and monitor user access to critical systems, ensuring that only authorized personnel can access sensitive data through strict authentication protocols, role-based permissions, and continuous security monitoring.
Data Privacy
We protect our customers’ and partners’ personal information and operate appropriate privacy protection controls as detailed in our publicly accessible Privacy Policy.
CUJO AI is a member of the Data Privacy Framework and fully meets all the requirements set by both the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.
Vendor security
CUJO AI operates multiple robust vendor security controls driven by a tandem of third-party risk management and supplier management policies. These policies require signing standardized mutual non-disclosure agreements, thoughtful vendor security verification prior to engagement, regular security posture reviews throughout the partnership period, and defining vendors’ and CUJO AI’s authorities and responsibilities for information security and personal information protection.