# Security

## Data Architecture

All data we store is encrypted in-flight and at-rest and is correlated via cryptographic IDs, which enables us to easily process deletion requests should we receive them.

## Source Code

* Two-person code review is mandatory before any code is deployed.
* Third-party libraries are kept to a minimum (to reduce supply chain risks), and any that are used are carefully vetted.
* Automation is in place to detect vulnerabilities in libraries, and source code is scanned for security issues.
* Penetration testing is performed when required.

## Agent

While our agent is not open source, we are happy to explain how it works and what it does on your endpoints. We fully understand the significance and privilege of running on your devices and want you to feel confident and informed.

* To function, the agent intercepts traffic on your host. This interception happens on-device.
  * A new Certificate Authority (CA) is generated on your device on first run. It is unique to each device, so if it were ever compromised (e.g. by malware on the device), the CA would not be useful to attack the traffic of any other machine.
* The agent intercepts requests to the defined set of AI endpoints and no others.
  * See [AI Provider](https://docs.subrosa.ai/ai-provider)

Please contact us via [security@subrosa.ai](mailto:security@subrosa.ai) if more information is required.

## Infrastructure

### Identity

* Our identity infrastructure leverages Auth0.
  * The tenant is hosted in Australia.

### Cloud

* All our infrastructure is deployed on AWS and aligns to the [Well Architected Framework](https://aws.amazon.com/architecture/well-architected/).
  * Data sovereignty is respected, with all infrastructure being deployed in Australia.
* Architectural and network segmentation exists between the application tier, services tier and data storage tier.
  * The data storage tier is never exposed to the internet directly.

### Backups

* Backups are regular and automated.

### Encryption

* Any storage we use is encrypted at rest (servers, backups, etc.).
* All traffic between the agent and server is encrypted on the wire via HTTPS (TLS 1.2 or above).

### Monitoring

* Monitoring is present throughout the environment along with automated alerting.

### Internal Security Procedure

* All administrative access is logged and monitored.
* System configurations are deployed consistently throughout the environment via automation.

## Reporting issues

* If you experience any bugs or issues when using Subrosa, please contact us at [help@subrosa.ai](mailto:help@subrosa.ai) with your inquiry.
* If your issue is security-related, please contact <security@subrosa.ai> and we will reply urgently.

## Want to know more about our security practices?

Feel free to contact our security team at <security@subrosa.ai>.
