# Security ## Data Architecture All data we store is encrypted in-flight and at-rest and is correlated via cryptographic IDs, which enables us to easily process deletion requests should we receive them. ## Source Code * Two-person code review is mandatory before any code is deployed. * Third party libraries are used as minimally as possible (to reduce supply chain risks) and any that are used are carefully vetted. * Automation is in place to detect any vulnerabilities in libraries and source code is scanned for security issues. * Penetration testing is performed when required. ## Agent While our agent is not open source, we are happy to explain how it works and what the it does on your endpoints - we fully understand the significance and privilege of running on your devices and want you to feel confident and informed. * To function, the agent intercepts traffic on your host, this interception happens on-device. * A new Certificate Authority (CA) is generated on your device on first run (this is unique to each device so if it was ever compromised \[eg: by malware on the device] the CA would not be useful to attack the traffic of any other machine). * The agent intercepts requests to the defined set of AI endpoints and no others. * See [AI Provider](/ai-provider/ai-provider-support.md) Please contact us via [security@subrosa.ai](mailto:security@subrosa.ao) if more information is required. ## Infrastructure ### **Identity** * Our identity infrastructure leverages Auth0. * The tenant is hosted in Australia. ### **Cloud** * All our infrastructure is deployed on AWS and aligns to the [Well Architected Framework](https://aws.amazon.com/architecture/well-architected/). * Data sovereignty is respected with all infrastructure being deployed in Australia * Architectural and network segmentation exists between the application tier, services tier and data storage tier. * The data storage tier is never exposed to the internet directly. ### Backups * Backups are regular and automated. ### Encryption * Any storage we use is encrypted-at-rest (servers, backups, etc). * All traffic between the agent and server is encrypted on-the-wire via HTTPS (TLS1.2 or above). ### **Monitoring** * Monitoring is present throughout the environment along with automated alerting. ### Internal Security Procedure * All administrative access is logged and monitored. * System configurations are deployed consistently throughout the environment via automation. ## Reporting issues * If you experience any bugs or issues when using Subrosa, please contact us on [help@subrosa.ai](mailto:help@subrosa.ia) with your inquiry. * If your issue is security related please contact and we will reply urgently. ## What to know more about our security practices? Feel free to contact our security team at --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://docs.subrosa.ai/resource/security.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.