Security

Last updated: May 2026

Our Commitment

Security is foundational to everything we build. As a company that designs AI systems handling sensitive business data, we hold ourselves to a high standard — both in how we build software for clients and in how we operate our own systems.

This page describes the technical and organisational measures we have in place to protect data and systems. We continuously review and improve our security posture as threats evolve.

Infrastructure Security

Our production infrastructure is deployed on Cloudflare's global edge network, which provides:

  • DDoS protection and traffic filtering at the network edge
  • Web Application Firewall (WAF) with managed rulesets
  • Automatic TLS/SSL encryption for all connections (TLS 1.2 minimum, TLS 1.3 preferred)
  • Geographically distributed Workers runtime with no single point of failure
  • Isolated execution environments per request

All data is encrypted in transit using HTTPS. We enforce HSTS and use secure, modern cipher suites.

Data Security

We apply a principle of minimal data collection: we do not store data we do not need. For data we do retain:

  • Data at rest is encrypted using AES-256 or equivalent
  • Production databases are not accessible from the public internet
  • Backups are encrypted and tested periodically for restorability
  • Data is segregated by client engagement where applicable
  • Retention schedules are applied and data is securely deleted when no longer needed

Client data processed as part of an engagement is handled under the terms of the applicable data processing agreement.

Access Controls

We follow the principle of least privilege across all systems:

  • Access to production systems is restricted to personnel who require it for their role
  • Multi-factor authentication (MFA) is required for all internal systems and cloud providers
  • SSH access uses key-based authentication; password authentication is disabled
  • Access permissions are reviewed quarterly and revoked promptly upon role changes or departure
  • All privileged access is logged and monitored for anomalous activity

Application Security

We build security into our development process, not as an afterthought:

  • Code is reviewed by at least one additional engineer before merging to production
  • Dependencies are kept up to date and monitored for known vulnerabilities
  • Static analysis and automated security scanning are integrated into our CI/CD pipeline
  • We follow OWASP guidelines for web application security
  • All API endpoints are authenticated; sensitive operations require additional authorisation checks
  • Input validation and output encoding are enforced to prevent injection attacks

Incident Response

We maintain a documented incident response plan that covers detection, containment, eradication, and recovery. In the event of a security incident affecting client data:

  • We will notify affected clients within 72 hours of becoming aware of a confirmed breach
  • We will provide a written summary of the incident, its scope, and our remediation steps
  • We will cooperate fully with any regulatory notifications required by applicable law

To report a suspected security incident, contact security@sundeer.ai immediately.

Third-Party Vendors

We carefully evaluate the security posture of all third-party vendors before onboarding them. Our requirements include:

  • Vendors handling personal data must execute a Data Processing Agreement (DPA)
  • Vendors are evaluated against SOC 2 Type II reports or equivalent attestations where available
  • We limit the data shared with each vendor to the minimum necessary for the service they provide
  • Vendor access is reviewed annually and contracts are terminated when services are no longer required

Employee Security

Our team undergoes security awareness training during onboarding and annually thereafter. All employees are bound by confidentiality agreements. Devices used to access production systems are enrolled in device management and subject to full-disk encryption, remote wipe capability, and endpoint security software.

Responsible Disclosure

Found a vulnerability? We appreciate the security research community and encourage responsible disclosure.

Please email security@sundeer.ai with details of the issue. We ask that you give us reasonable time to investigate and remediate before public disclosure, and that you avoid accessing, modifying, or deleting data that does not belong to you.

We commit to acknowledging your report within 3 business days and keeping you informed of our progress.

We do not pursue legal action against researchers who act in good faith and follow responsible disclosure principles.

Contact

For security inquiries, vulnerability reports, or questions about our security practices:

  • Email: security@sundeer.ai
  • General: sundeer.ai

© 2026 Sundeer.ai. All rights reserved.