Security

Data Architecture

All data we store is encrypted in-flight and at-rest and is correlated via cryptographic IDs, which enables us to easily process deletion requests should we receive them.

Source Code

• Two-person code review is mandatory before any code is deployed.

• Third party libraries are used as minimally as possible (to reduce supply chain risks) and any that are used are carefully vetted.

• Automation is in place to detect any vulnerabilities in libraries and source code is scanned for security issues.

• Penetration testing is performed when required.

Agent

While our agent is not open source, we are happy to explain how it works and what the it does on your endpoints - we fully understand the significance and privilege of running on your devices and want you to feel confident and informed.

• To function, the agent intercepts traffic on your host, this interception happens on-device.

  • A new Certificate Authority (CA) is generated on your device on first run (this is unique to each device so if it was ever compromised [eg: by malware on the device] the CA would not be useful to attack the traffic of any other machine).

• The agent intercepts requests to the defined set of AI endpoints and no others.

  • See AI Provider

Please contact us via [email protected] if more information is required.

Infrastructure

Identity

• Our identity infrastructure leverages Auth0.

  • The tenant is hosted in Australia.

Cloud

• All our infrastructure is deployed on AWS and aligns to the Well Architected Framework.

  • Data sovereignty is respected with all infrastructure being deployed in Australia

• Architectural and network segmentation exists between the application tier, services tier and data storage tier.

  • The data storage tier is never exposed to the internet directly.

Backups

• Backups are regular and automated.

Encryption

• Any storage we use is encrypted-at-rest (servers, backups, etc).

• All traffic between the agent and server is encrypted on-the-wire via HTTPS (TLS1.2 or above).

Monitoring

• Monitoring is present throughout the environment along with automated alerting.

Internal Security Procedure

• All administrative access is logged and monitored.

• System configurations are deployed consistently throughout the environment via automation.

Reporting issues

• If you experience any bugs or issues when using Subrosa, please contact us on [email protected] with your inquiry.

• If your issue is security related please contact [email protected] and we will reply urgently.

What to know more about our security practices?

Feel free to contact our security team at [email protected]