Security

How does Subrosa protect your data?

Architecture

The most compelling way Subrosa protects your data is that we never see it to begin with!

Subrosa is designed to operate as a zero-knowledge platform, all policy evaluation and enforcement takes place on the agent and only metadata and policy evaluation results are sent back to the console.

The data we do store is encrypted at rest and is correlated via cryptographic IDs, which enables us to easily process deletion requests should we receive them.

Additionally, we build all our software with security as a core requirement, to give you an idea of what this actually means:

Source Code

  • Two-person code review is mandatory before any code is deployed

  • Third party libraries are used as minimally as possible (to reduce supply chain risks) and any that are used are carefully vetted

  • Automation is in place to detect any vulnerabilities in libraries and source code is scanned for security issues

  • Penetration testing is performed when required (eg: major releases)

Agent

While our agent is not open source, we are happy to explain how it works and what the it does on your endpoints - we fully understand the significance and privilege of running on your devices and want you to feel confident and informed.

  • To function, the agent intercepts traffic on your host. In order to do this it must be able to man-in-the-middle (MitM) your https connections, it does this in the most secure and privacy respecting way possible

    • A new Certificate Authority (CA) is generated on your device on first run (this is unique to each device so if it was ever compromised [eg: by malware on the device] the CA would not be useful to attack the traffic of any other machine)

  • The agent does not require Administrative privileges to run

  • The agent specifically only intercepts requests to the defined set of AI endpoints

Please contact us via security@subrosa.ai if more information is required.

Infrastructure

Identity

  • Our identity infrastructure leverages Auth0

    • The tenant is hosted in Australia

Cloud

  • All our infrastructure is deployed on AWS and aligns to the Well Architected Framework

    • Data sovereignty is respected with all infrastructure being deployed in Australia

  • Architectural and network segmentation exists between the application tier, services tier and data storage tier

    • The data storage tier is never exposed to the internet directly

Backups

  • Backups are regular and automated

Encryption

  • Any storage we use is encrypted-at-rest (servers, backups, etc)

  • All traffic between the agent and server is encrypted on-the-wire via HTTPS (TLS1.3)

Monitoring

  • Monitoring is present throughout the environment

    • This includes automatic detection and alerting for any suspicious network traffic and behavioral monitoring higher in the stack

Internal Security Procedure

  • All administrative access is logged and monitored

  • System configurations are deployed consistently throughout the environment

Reporting issues

  • If you experience any bugs or issues when using Subrosa, please contact us on help@subrosa.ai with your inquiry.

  • If your issue is security related please contact security@subrosa.ai and we will reply urgently.

What to know more about our security practices?

Feel free to contact our security team at security@subrosa.ai

PreviousManage OrganisationNextStatus

Last updated