^{Security Policy}
Last updated: August 12th, 2024
Autodm AI doing business as "Kleio"

1. Roles of the Parties

Kleio maintains an information security program designed to safeguard its systems, data, Kleio's Services and Customer Data (including Customer Personal Data). Kleio commits to implementing reasonable and appropriate organizational and technical security measures to protect against unauthorized or accidental access, loss, alteration, disclosure or destruction of data submitted by Customer. This Addendum describes the information security program and security standards that Kleio maintains with respect to the Services and handling of Customer Data and Customer Personal Data. Customer is responsible for reviewing the information made available by Kleio in this addendum and for making an independent determination as to whether the Security Measures meet Customer’s requirements and legal obligations under Data Protection Laws.

2. Updates to Security Measures

Customer acknowledges that the Security Measures are subject to technical progress and evolution and that Kleio may update or modify the Security Measures from time to time provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by the Customer.

3. Security Measures description

3.1. Security Measures description

• Data Hosting and Backups: Customer Data is hosted by Google Cloud Platform (”GCP”) and Redis Cloud which are SOC2, ISO 27001 and ISO 27018 compliant, and CockroachDB which is SOC2, ISO 27001 and ISO 27017 compliant. Automated backups of all Customer Data and system data is enabled, and data is backed up daily at minimum. The backups are encrypted in the same way as live production data, and are monitored and alerted.
• Encryption at rest: Customer Data is encrypted at rest using AES-256. Customer Data is encrypted when at rest in cloud storage and databases, and in backups.
• Encryption in transit: Data sent in-transit is encrypted using TLS 1.2 or greater.
• Data erasure: Kleio customers are Controllers of their data. Each customer is responsible for the information they create, use, store, process and destroy. Kleio customers have the ability to request data deletion, when data is not subject to regulatory or legal retention periodicity requirements.
• Physical security: Kleio leverages GCP to host our application, and defers all data center physical security controls to GCP which you can read more about here.

3.2. Application security

• Code analysis: Kleio performs code reviews on all software updates including threat modeling and security design.
• Credential management: Kleio assigns cryptographic keys to specific roles based on the principle of Least Privilege for access. Usage of keys is monitored and logged.
• Vulnerability & patch management: Kleio performs vulnerability scanning and package monitoring on infrastructure-related hosts and its product continuously, patching externally- and internally-facing services regularly. Issues that are discovered are triaged and resolved according to their severity within Kleio’s environment.
• Web Application Firewall (WAF): All public endpoints leverage a managed Web Application Firewall to deter attempts to exploit common vulnerabilities.

3.3. Security profile

• Data Access Level: Internal. Kleio employees will only ever access your data for the purposes of debugging/troubleshooting or recovering content with your permission.
• Third Party Dependence: Available at www.kleio.ai/sub-processor-list
• Hosting: Third-Party. Kleio is hosted on GCP, a major cloud service provider. GCP is one of Kleio’s Sub-Processors.

3.4. Employee security and access control

• Employee training: Security training is required during the employee onboarding process, and annually thereafter.
• HR security: Kleio performs background checks on employees when they are hired when required by local laws and regulations.
• Incident response: Kleio has an incident management plan which contains steps to be prepared for incident management, incident identification, containment, investigation, eradication, recovery, and follow-up/postmortem that is reviewed regularly.
• Internal assessments: Internal security audits are performed regularly.
• Incident response: Kleio has an incident management plan which contains steps to be prepared for incident management, incident identification, containment, investigation, eradication, recovery, and follow-up/postmortem that is reviewed regularly.
• Internal SSO and Password Security:
  - Multi-factor authentication (MFA) is required for all Kleio employees to log into Kleio’s principal identity provider, Google.
  - Kleio requires MFA to be enabled for any and all systems that provide the option for MFA. When MFA is not possible, Kleio maintains a stringent internal password management policy including complexity, and length.
  - Kleio requires that employees utilize a third-party password manager.
• Data access: Kleio internally leverages the principle of Least Privilege for access. Access is granted based on job function, business requirements, and a need to know basis. Access reviews are conducted regularly to ensure continued access to critical systems are still required.
• Logging and monitoring: Kleio uses a third-party system for log ingestion and automated logging and alerting capabilities. Logs are ingested from critical systems and alerting rules are utilized to ensure security event alerts are generated where/when necessary.