Security Practices

Introduction

Traditionally, businesses sought SaaS primarily for cost efficiency or to supplement on-premises capabilities. However, the landscape is evolving, with a focus on leveraging the cloud for enhanced security measures. This shift stems from the realization that cloud service providers allocate substantial resources towards bolstering security through robust personnel and procedural frameworks.

As pioneers in cloud security, OB2 AI has a deep understanding of the security dynamics involved. We meticulously engineer our offerings to deliver superior security compared to conventional on-premises solutions. Security isn't just a feature; it's a core tenet ingrained in every facet of our operations. We prioritize safeguarding our own infrastructure, and since our clients utilize the same infrastructure, they directly benefit from these stringent security protocols.

At OB2 AI, security is a foundational principle. It influences our structural framework, training, and recruitment. Security considerations are part of the fabric of our daily routines, shaping our disaster management strategies and response mechanisms to emerging threats. We adhere to strict protocols governing the handling of customer data, ensuring confidentiality and integrity. This document highlights OB2 AI's approach to security and compliance, and explains how businesses can seamlessly navigate regulatory requirements by leveraging the OB2 AI ecosystem.

Security Culture

OB2 AI has cultivated a dynamic and inclusive security culture that permeates every aspect of our enterprise. This culture is palpable from the initial stages of recruitment, through employee orientation, continuous training programs, to company-wide initiatives aimed at fostering awareness.

Employee background checks

Before a candidate joins our team, OB2 AI evaluates the candidate's educational background and prior employment records. This process includes internal and external reference verifications, ensuring a thorough understanding of each individual's professional history.

In compliance with local labor laws and statutory regulations, OB2 AI reserves the right to conduct additional background checks, including but not limited to criminal, credit, immigration, and security screenings. The scope of these checks is contingent upon the nature and requirements of the prospective position. By adhering to these stringent vetting procedures, OB2 AI upholds its commitment to maintaining a secure and trustworthy workforce.

Compulsory security training

At OB2 AI, every employee undergoes comprehensive security training as part of the onboarding process, and this training continues throughout their time on our team. During orientation, new hires affirm their commitment to our Code of Conduct, which underscores our dedication to safeguarding customer information.

Depending on their respective roles, employees may receive specialized training tailored to specific facets of security. For example, engineers are educated by the information security team on topics such as secure coding practices, product design, and automated vulnerability testing tools. Additionally, technical presentations on security-related subjects are conducted regularly, providing employees with insights into emerging threats, attack patterns, and mitigation strategies.

Security and privacy conferences

In addition to internal training initiatives, OB2 AI actively sponsors and participates in conferences and events centered around security and privacy. These gatherings serve as invaluable platforms for knowledge exchange, collaboration, and networking within the broader security community.

Attending such conferences allows OB2 AI employees to stay at the forefront of emerging trends, technologies, and best practices in security and privacy. It provides opportunities to forge strategic partnerships, explore potential collaborations, and showcase OB2 AI's commitment to advancing security in the digital landscape.

About our security operations

OB2 AI employs a dedicated team of security and privacy professionals within our software engineering and operations division. Comprised of some of the industry's leading experts in information, application, and network security, this team plays a pivotal role in fortifying OB2 AI's defense systems.

Our security team utilizes a combination of commercial and custom tools, penetration testing, and software security reviews to proactively identify and mitigate security threats. Every application and infrastructure change is subject to review and approval by the security team. Our assets are monitored for suspicious activity so that information security threats are addressed swiftly. We conduct routine evaluations and audits to ensure compliance with industry standards.

Our dedication to privacy

At OB2 AI, our privacy team functions independently from product development and security departments. However, they play an integral role in every product launch by meticulously reviewing design documentation and conducting code reviews to ensure adherence to privacy standards. Their aim is to ensure that our products uphold robust privacy principles, including transparent data collection practices and providing users with meaningful privacy configuration options, all while maintaining the highest standards of stewardship over stored information.

Post-launch, the privacy team oversees automated processes that continuously audit data traffic to ensure compliance with established data usage policies. Furthermore, the team engages in research endeavors, offering thought leadership on privacy best practices tailored to our evolving technologies.

Audits and compliance

OB2 AI boasts a dedicated internal audit team tasked with evaluating compliance with security regulations and laws globally. As new auditing standards emerge, this team discerns the necessary controls, processes, and systems to ensure compliance. Moreover, they actively facilitate and support independent audits and assessments conducted by third-party entities.

Operational Security

Security is deeply ingrained in every facet of our operations at OB2 AI.

Vulnerability management

At OB2 AI, we oversee a robust vulnerability management process designed to actively detect security threats through a combination of commercially available tools and proprietary solutions. This process encompasses extensive automated and manual penetration testing, rigorous quality assurance, software security reviews, and external audits.

Our dedicated vulnerability management team diligently tracks and follows up on identified vulnerabilities, logging them, prioritizing based on severity, and assigning appropriate ownership. They maintain a proactive approach, continuously monitoring and addressing issues until remediation is confirmed.

Moreover, OB2 AI maintains collaborative relationships with members of the security research community to stay abreast of reported issues in open-source tools.

Defense against malware

At OB2 AI, we prioritize safeguarding against the potential repercussions of malware attacks, which can result in compromised accounts, data breaches, and unauthorized network access. To combat these threats, OB2 AI employs a multifaceted approach involving prevention, detection, and eradication methods.

Our malware defense strategy commences with infection prevention, utilizing both manual and automated scanners to scrutinize our assets for intrusions.

Monitoring and logging

OB2 AI's security monitoring program is intricately designed to leverage various data sources, including internal network traffic, employee activities within systems, and external intelligence regarding vulnerabilities. Throughout our networks, numerous checkpoints are established to scrutinize internal traffic for any signs of suspicious behavior, such as indications of compromise. This analysis is conducted using a blend of open-source and commercial tools for traffic examination and parsing, supplemented by advanced machine learning capabilities.

Our security protocols also include the examination of system logs to detect anomalies, such as unauthorized attempts to access customer data. To enhance our threat detection capabilities, automated network analysis tools are deployed to identify and escalate potential unknown threats to OB2 AI's security personnel. This automated analysis is complemented by the continuous monitoring and analysis of system logs.

To protect our customers, we utilize advanced data loss prevention technology that continuously scans traffic and logs for sensitive data.

Incident Management

At OB2 AI, we operate a stringent incident management process designed to address security events that could compromise the confidentiality, integrity, or availability of our systems or data. In the event of an incident, our security team meticulously logs and prioritizes the incident based on severity, with a particular focus on those impacting our customers directly.

Our incident management process outlines clear courses of action, notification procedures, escalation protocols, mitigation strategies, and documentation practices. Aligned with NIST guidance on incident handling (NIST SP 800-61), key personnel undergo training in forensics and evidence handling, equipped with both third-party and proprietary tools to effectively manage incidents.

Furthermore, OB2 AI conducts regular testing of our incident response plans, encompassing various scenarios such as insider threats and software vulnerabilities, particularly in areas storing sensitive customer information. Our security team remains available 24 hours a day to all employees, ensuring swift resolution of security incidents as they arise.

In cases involving customer data, OB2 AI or its partners promptly inform the affected customers and provide support for investigative efforts through our dedicated support team.

Secure from inception

Hardware management

At OB2 AI, compute infrastructure is equipped with world-class servers and network equipment. Our production servers operate on a tailored operating system (OS) derived from a hardened version of Linux, optimized solely for delivering OB2 AI services.

These servers boast dynamic resource allocation capabilities, allowing for seamless scalability and efficient resource management in response to customer demand. Supported by proprietary software, our environments are continuously monitored for any deviations from standard configurations.

These self-regulating mechanisms are integral to OB2 AI's ability to proactively monitor, remediate, and mitigate potential threats, enabling rapid response to incidents and safeguarding against network compromise.

OB2 AI's hard drives employ robust security measures such as full disk encryption (FDE) to safeguard data at rest.

Data in transit

Data security during transit is a top priority at OB2 AI due to the vulnerability of data to unauthorized access while traversing the internet or networks. OB2 AI employs robust encryption protocols like TLS with FIPS-validated ciphers to safeguard connections between customer devices and OB2 AI's web services and APIs. Additionally, OB2 AI offers a range of transport encryption options, including OB2 AI Cloud VPN for establishing zero-trust software-defined networks.

Availability

At OB2 AI, we engineer our platform components with a strong focus on redundancy. This redundancy is evident in our server design, data storage mechanisms, network connectivity, and the software services themselves. Our philosophy of "redundancy of everything" ensures that errors are handled proactively, mitigating reliance on any single server, data center, or network connection.

Geographically distributed data centers play a crucial role in minimizing the impact of regional disruptions, including natural disasters and local outages, on our services. In the event of hardware, software, or network failures, our platform seamlessly shifts services and control planes to alternate facilities, ensuring uninterrupted service delivery. This highly redundant infrastructure not only safeguards against data loss but also empowers customers to build resilient systems on the OB2 AI Cloud Platform.

Resources can be deployed across multiple regions and zones, enhancing resilience and availability. Our commitment to redundancy has enabled OB2 AI to achieve an impressive uptime of 99.99% for essential services, with no scheduled downtime over the last year. This means that users experience minimal to no interruptions during platform maintenance or upgrades, highlighting our dedication to providing uninterrupted service to our customers.

Certified by independent auditors

OB2 AI provides a number of third-party certifications, detailed in our trust portal.

Your data belongs to you

Guiding principle

At OB2 AI, we firmly believe that our customers own their data, not us. Any data entrusted to our systems belongs solely to our customers, and we do not use your data for advertisements or sell your data to third parties. We offer comprehensive data processing guarantees, outlining our unwavering commitment to safeguarding customer data. These guarantees explicitly state that OB2 AI will only process data to fulfill contractual obligations and will not utilize it for any other purpose.

Moreover, in line with our commitment to customer privacy, we pledge to delete any customer data from our systems immediately upon deletion by the customer. Additionally, we provide user-friendly tools that enable customers to seamlessly migrate their data out of our services, should they choose to discontinue using our platform, without incurring any penalties or extra costs imposed by OB2 AI.

For more insights into our principles and commitments to our customers, we invite you to explore our trust portal.

Administrator access

At OB2 AI, we prioritize the privacy and security of our customers' data by employing logical isolation techniques to separate each customer's data from others, even when stored on the same physical server. Access to customer data is restricted to a select group of OB2 AI employees, whose access rights and levels are determined by their job roles and responsibilities, following the principles of least privilege and need-to-know.

OB2 AI employees are granted limited default permissions for accessing company resources, such as employee email and internal portals. Requests for additional access undergo a formal approval process, involving verification from data or system owners, managers, or executives, in accordance with OB2 AI's stringent security policies. Workflow tools manage these approvals, ensuring consistency and maintaining audit records of all changes.

Access to resources, including data and systems for OB2 AI SaaS products, is controlled by an employee's authorization settings. Support services are provided exclusively to authorized customer administrators whose identities are rigorously verified through multiple verification methods.

To uphold transparency and accountability, OB2 AI monitors and audits employee access through dedicated security, privacy, and internal audit teams. Audit logs are made available to customers, ensuring visibility into access activities.

Within customer organizations, administrative roles and privileges for OB2 AI software are governed by the project owner, enabling individual team members to manage specific services or perform administrative functions without accessing all settings and data.

Requests from law enforcement

At OB2 AI, we recognize that our customers are the owners of their data and are primarily responsible for responding to law enforcement data requests. However, as is common with technology and communications companies, OB2 AI may receive direct requests from governments and courts worldwide regarding individuals' usage of our services. While fulfilling our legal obligations, we take significant steps to protect our customers' privacy and minimize excessive requests.

Maintaining the privacy and security of the data stored with OB2 AI remains our utmost priority as we navigate these legal requests. Upon receiving such requests, our team will review them to ensure compliance with both legal requirements and OB2 AI's policies. Typically, we require requests to be in writing, signed by an authorized official of the requesting agency, and issued under appropriate laws. Should we deem a request overly broad, we advocate for narrowing its scope and push back when necessary.

We firmly believe in transparency and will take proactive steps to inform the public about government data requests. OB2 AI will regularly publish reports detailing such requests in our transparency report. It is OB2 AI's policy to notify customers about requests for their data, unless prohibited by law or court order.

Technology supply chain

At OB2 AI, we predominantly handle all data processing activities directly to deliver our services. However, there are instances where OB2 AI may enlist the assistance of third-party suppliers for services related to OB2 AI software, such as customer and technical support. Before engaging with these third-party suppliers, OB2 AI conducts a thorough assessment of their security and privacy practices to ensure they align with the necessary standards for handling data and the services they are tasked with providing.

Following this assessment, third-party suppliers are required to adhere to specific security, confidentiality, and privacy contract terms determined by OB2 AI. These terms are designed to mitigate any potential risks identified during the assessment process and uphold the security and privacy standards expected by our customers.

Conclusion

At OB2 AI, we understand that our customers have diverse regulatory compliance requirements, particularly those operating in regulated sectors such as finance, pharmaceuticals, and manufacturing. For the latest updates on compliance information, please refer to our trust portal.

The protection of your data is a fundamental aspect of OB2 AI's infrastructure, products, and personnel operations. Leveraging extensive automation and continuous monitoring, OB2 AI is equipped to swiftly address vulnerabilities or prevent them altogether. We believe that OB2 AI can offer a level of data protection that surpasses many software service providers and private enterprise IT teams. Our commitment to data protection is ingrained in our business, enabling us to make substantial investments in security, resources, and expertise to a degree that sets us apart. These investments allow you to focus on your business and innovation, confident in the security of your data.

OB2 AI's strong contractual commitments ensure that you retain control over your data and its processing, with the assurance that it will not be used for advertising or any purpose other than delivering OB2 AI services. It's not just about security; it's about empowering you to manage your data effectively.

For these reasons and more, organizations worldwide entrust OB2 AI with their most valuable asset: their information. OB2 AI remains committed to investing in our platform to provide you with secure and transparent services that support your business needs.
