
Security

We take the security of your data seriously. This page summarises our security practices for the SecretSource platform that aggregates structured and unstructured marketing data and delivers insights via conventional interfaces and knowledge graphs.

Last updated: [2025-10-14]

1. Our security principles: WE DO NOT COLLECT YOUR DATA!

- Defence in depth: layered technical and organisational controls.
- Least privilege: access is restricted to what's necessary to perform a job.
- Secure by design: we factor security into architecture, development, and operations.
- Continuous improvement: we monitor, assess, and enhance controls regularly.
- Transparency: clear responsibilities between SecretSource and customers.

2. Data protection

- Data segregation: tenant isolation at the application and data layers.
- Encryption in transit: for all data between clients and our services.
- Encryption at rest: industry-standard encryption for databases, object storage, and backups.
- Secrets management: for keys and credentials; rotation policies enforced.
- Backups: scheduled encrypted backups with periodic restore testing.

3. Application and platform security

- Secure SDLC:
  - Code reviews and change control.
  - Dependency scanning and vulnerability management.
- Architecture:
  - Network segregation and security groups/firewalls.

4. Infrastructure and operations

- Hosting: AWS.
- High availability: redundant components; health checks and auto-recovery.
- Monitoring and logging: centralised logs, metrics, and alerts; anomaly detection.
- Business continuity and disaster recovery:
  - Documented BCP/DR plans.
  - Periodic exercises.

5. Access control and identity

- Authentication: email + strong password.
- MFA: REQUIRED for admin roles.
- Admin access: limited to vetted personnel with just-in-time elevation.

6. Data ingestion and integrations

- Connectors: OAuth or API keys stored securely.
- Customer-managed keys: [NOT AVAILABLE].
- Third-party sources: customers are responsible for complying with source terms and obtaining necessary rights/consents.

7. Privacy and compliance

- Privacy: see our Privacy Policy.

8. Security of AI and knowledge graphs

- Model security: training/evaluation environments follow the same controls for access, logging, and isolation.
- Data minimisation: inputs to AI pipelines are limited to what's required; PII handling follows the DPA.
- Output controls: throttling, abuse monitoring, and metadata checks to reduce leakage or misuse.
- Model updates: versioning and rollback procedures; change review before deployment.

9. Customer responsibilities

- Use strong, unique passwords and enable MFA where available.
- Manage user access regularly; revoke access for leavers promptly.
- Configure data sources responsibly; avoid ingesting prohibited/sensitive data unless agreed in writing.
- Keep endpoints and browsers up to date; protect API keys and OAuth tokens.
- Report suspected security issues immediately via email.

10. Incident response

- 24x7 monitoring for critical alerts.
- Formal incident response plan with defined roles, triage, investigation, containment, eradication, and postmortem.
- Breach notification: we will notify affected customers without undue delay and provide relevant details per legal and contractual obligations.

11. Vulnerability disclosure

- We welcome responsible disclosure. Report vulnerabilities via email with details and proof of concept.

12. Secure development and data lifecycle

- Data classification and handling guidelines for staff.
- Least data retention consistent with business needs; deletion and anonymisation routines.
- Environment separation: dev/test/prod separated; production data not used in lower environments.
- Change management with approvals and audit trails.

13. Employee security

- Background checks per local laws for relevant roles.
- Confidentiality agreements and acceptable use policies.

14. Third-party risk management

- Due diligence and security reviews for critical vendors.
- Contractual security, privacy, and breach notification obligations.
- Ongoing monitoring and re-assessment.

15. Contact

- Contact: see our Contact page.