Security
Subrosa considers security a core requirement of our product, the following will give you an idea of what this means and how we protect your data and privacy.
Data Architecture
All data we store is encrypted in-flight and at-rest and is correlated via cryptographic IDs, which enables us to easily process deletion requests should we receive them.
Source Code
Two-person code review is mandatory before any code is deployed.
Third party libraries are used as minimally as possible (to reduce supply chain risks) and any that are used are carefully vetted.
Automation is in place to detect any vulnerabilities in libraries and source code is scanned for security issues.
Penetration testing is performed when required.
Agent
While our agent is not open source, we are happy to explain how it works and what the it does on your endpoints - we fully understand the significance and privilege of running on your devices and want you to feel confident and informed.
To function, the agent intercepts traffic on your host, this interception happens on-device.
A new Certificate Authority (CA) is generated on your device on first run (this is unique to each device so if it was ever compromised [eg: by malware on the device] the CA would not be useful to attack the traffic of any other machine).
The agent intercepts requests to the defined set of AI endpoints and no others.
See AI Provider
Please contact us via security@subrosa.ai if more information is required.
Infrastructure
Identity
Our identity infrastructure leverages Auth0.
The tenant is hosted in Australia.
Cloud
All our infrastructure is deployed on AWS and aligns to the Well Architected Framework.
Data sovereignty is respected with all infrastructure being deployed in Australia
Architectural and network segmentation exists between the application tier, services tier and data storage tier.
The data storage tier is never exposed to the internet directly.
Backups
Backups are regular and automated.
Encryption
Any storage we use is encrypted-at-rest (servers, backups, etc).
All traffic between the agent and server is encrypted on-the-wire via HTTPS (TLS1.2 or above).
Monitoring
Monitoring is present throughout the environment along with automated alerting.
Internal Security Procedure
All administrative access is logged and monitored.
System configurations are deployed consistently throughout the environment via automation.
Reporting issues
If you experience any bugs or issues when using Subrosa, please contact us on help@subrosa.ai with your inquiry.
If your issue is security related please contact security@subrosa.ai and we will reply urgently.
What to know more about our security practices?
Feel free to contact our security team at security@subrosa.ai
Last updated