Security Policy

Effective Date: March 16, 2025

This Security Policy ("Policy") outlines the measures taken by Panoraxis AI ("Company") to protect its products, services, and customer data from unauthorized access, breaches, and security threats. It applies to all users, employees, contractors, and third-party vendors interacting with Panoraxis AI's infrastructure and services.

1. Security Governance

1.1 Security Leadership

The Company maintains a dedicated security team responsible for overseeing cybersecurity measures, compliance, and risk management.

1.2 Security Policies & Compliance

Panoraxis AI complies with industry standards and applicable regulations, including but not limited to:

  • General Data Protection Regulation (GDPR)
  • California Consumer Privacy Act (CCPA)
  • ISO 27001 Information Security Standard
  • NIST Cybersecurity Framework
  • UK Data Protection Act 2018

1.3 Employee Security Training

All employees and contractors undergo security awareness training, covering:

  • Phishing and social engineering attacks
  • Secure password management
  • Data handling best practices
  • Incident reporting procedures

2. Data Security & Protection

2.1 Data Encryption

  • All data in transit is encrypted using TLS 1.2+.
  • Data at rest is encrypted with AES-256 encryption.
  • Sensitive data is anonymized or pseudonymized where applicable.

2.2 Access Control & Authentication

  • Multi-factor authentication (MFA) is required for access to sensitive systems.
  • Role-based access control (RBAC) ensures the principle of least privilege.
  • Regular audits are conducted to revoke unnecessary access privileges.

2.3 Data Retention & Deletion

  • User data is retained only for as long as necessary for operational or legal purposes.
  • Users can request data deletion in accordance with our Privacy Policy.
  • Secure erasure methods are applied to permanently delete data.

3. Network Security

3.1 Firewall & Intrusion Detection

  • Firewalls are configured to prevent unauthorized access.
  • Intrusion detection and prevention systems (IDS/IPS) monitor for malicious activity.

3.2 DDoS Protection

  • Distributed Denial-of-Service (DDoS) protection mechanisms mitigate potential attacks.
  • Traffic is monitored in real-time for anomalies.

3.3 Security Patching & Updates

  • Regular security updates are applied to all systems and software.
  • Vulnerabilities are assessed and patched promptly based on severity.

4. Application Security

4.1 Secure Development Lifecycle (SDLC)

  • Security is integrated into all stages of the software development lifecycle.
  • Code reviews and static/dynamic analysis are conducted to identify vulnerabilities.

4.2 Penetration Testing & Audits

  • Third-party penetration tests are performed at least annually.
  • Regular security audits assess compliance with security best practices.

4.3 Bug Bounty Program

  • A responsible disclosure policy allows ethical hackers to report vulnerabilities.
  • Reward incentives are provided for valid security findings.

5. Incident Response & Disaster Recovery

5.1 Incident Response Plan (IRP)

  • A documented incident response plan defines protocols for handling security incidents.
  • Security incidents are classified by severity, and response teams are activated accordingly.
  • Forensic analysis is conducted to determine root causes.

5.2 Breach Notification

  • Users will be notified of security breaches affecting their data as required by law.
  • Authorities and regulators will be informed within applicable reporting timelines.

5.3 Business Continuity & Disaster Recovery

  • Redundant infrastructure and automated backups ensure service availability.
  • Disaster recovery tests are conducted to validate recovery procedures.
  • A Recovery Time Objective (RTO) and Recovery Point Objective (RPO) are defined to minimize downtime.

6. Vendor & Third-Party Security

6.1 Vendor Risk Management

  • All third-party vendors undergo security due diligence before integration.
  • Vendors handling sensitive data must adhere to contractual security requirements.

6.2 Third-Party API & Cloud Security

  • APIs are secured using authentication mechanisms such as OAuth 2.0.
  • Cloud environments are continuously monitored for misconfigurations and vulnerabilities.

6.3 Data Sharing Restrictions

  • Third-party data sharing is restricted to necessary operational functions.
  • Confidentiality agreements are in place for vendors handling proprietary information.

7. Compliance & Legal Considerations

7.1 Legal Compliance

  • Security practices align with international, national, and industry-specific regulations.
  • Regular legal reviews ensure compliance with emerging security laws.

7.2 User Rights & Responsibilities

  • Users must not attempt to bypass security controls.
  • Users must report suspected security incidents immediately.

8. Policy Updates

8.1 Review & Amendments

  • This Policy is reviewed and updated periodically to reflect evolving security threats.
  • Users will be notified of significant policy changes.

Contact Information

For security concerns or incident reports, contact our Security Team at security@panoraxis.tech.

Last updated: March 16, 2025

If you have any questions about this Security Policy, please contact us at security@panoraxis.tech