Our services rely on secure integrations with cloud infrastructure like AWS and Azure, and internal applications such as Google Workspace and GitHub. All devices connecting to our infrastructure must comply with strict asset management policies, ensuring secure endpoints and controlled access.

We employ comprehensive data security measures, including classifying all information (Public, Internal, Company Confidential, and Customer Confidential) with increasing levels of protection. All sensitive data is encrypted in transit and at rest using strong, industry-recognized algorithms, and we ensure data durability through replication and versioning, alongside secure data deletion practices.

Our security framework includes extensive logging and monitoring of system and user activity. These logs are crucial for incident response, enabling forensic analysis of security events and verifying compliance with our security standards through regular reviews and audits.

A SOC 2 (Service Organization Control 2) report is an independent audit report detailing a service organization's controls relevant to security, availability, processing integrity, confidentiality, or privacy. While a specific policy for "SOC 2 Report" isn't explicitly detailed, RelationalAI's commitment to security best practices (ISO/IEC 27002:2022, NIST, SANS Institute per), comprehensive data protection, and rigorous encryption standards collectively support the control objectives covered in a SOC 2 report. Our regular internal and external audits also align with the continuous verification expected for such a report.

A Pentest (Penetration Test) Report documents the findings of a simulated cyberattack against an organization's systems to identify vulnerabilities. Although a "Pentest Report" policy isn't explicitly listed, RelationalAI's "Encryption & Key Management Policy" mentions that compliance is verified through "periodic infrastructure and database reviews" and "internal and external audits," which would typically include penetration testing. The "Change Management Policy" also requires code reviews to identify "egregious security errors as defined by the OWASP Top 10," a common framework used in penetration testing, demonstrating a proactive approach to vulnerability identification.

A Network Diagram is a visual representation of a computer network, illustrating its components and how they interact. While not explicitly mentioned as a policy in the provided documents, a clear and up-to-date network diagram is fundamental to several of RelationalAI's security and operational policies. It supports the "Business Continuity Policy" by outlining critical infrastructure like AWS and Azure, aiding in understanding potential outage impacts. It is also crucial for the "Disaster Recovery Policy" by mapping out resources necessary for service and data recovery. Furthermore, effective "Incident Response" for both security and availability incidents would heavily rely on accurate network diagrams to assess damage, identify affected systems, and implement remediations.

At RelationalAI, our Data Deletion Policy specifies that customer data is stored for the contract duration and deleted within 30 days after termination, unless legally required for retention. Only authorized individuals can delete customer data, and once deleted, it cannot be restored. This policy ensures secure and timely removal of sensitive information.

Systems and data are regularly copied and stored to allow for recovery in case of data loss or system failure. RelationalAI's Data Durability Policy explicitly addresses this, stating that user database data is stored in cloud services like AWS S3 and Azure Blob Storage, which replicate data multiple times within a single region for high durability. For service data, continuous backups are utilized with a 30-day retention period. The backup process is tested annually by the engineering team to ensure reliability.

Access monitoring is the continuous tracking and recording of who accesses what resources, when, and how, to detect unauthorized or suspicious activity. RelationalAI's policies demonstrate a commitment to this practice.

A Master Services Agreement is a contract that outlines the general terms and conditions for future agreements or transactions between two parties. An MSA would establish the overarching legal framework and responsibilities that inform and necessitate many of RelationalAI's policies, particularly those concerning data handling, security standards, and contractual obligations.

How the processor will handle personal data on behalf of the controller. RelationalAI's comprehensive Data Protection Policy and Data Deletion Policy directly align with the requirements typically found in a DPA, ensuring that customer data is processed lawfully, protected against unauthorized access, and securely deleted according to contractual and legal obligations.

Cyber insurance refers to an insurance policy designed to protect businesses from the financial consequences of cyberattacks, data breaches, and other cyber-related incidents. 

Employee privacy training educates staff on their responsibilities in handling personal and sensitive data, ensuring compliance with privacy laws and company policies. RelationalAI's Data Protection Policy states a commitment to "train employees in online privacy and security measures,". Our training ensures employees understand and adhere to data protection principles.

A Data Privacy Officer is an appointed individual responsible for overseeing data protection strategy and ensuring compliance with data protection regulations. While RelationalAI's does not explicitly name a "Data Privacy Officer," the Information Security Policy designates the VP Infrastructure as the "Security Officer" responsible for "creating and enforcing security policies and procedures,".

Data breach notifications are formal communications issued to affected individuals, regulators, and sometimes the public, informing them about a security incident where sensitive data has been compromised. RelationalAI's Disaster Recovery Policy states that "In the event customer data has been compromised, customers will be notified no later than 24 hours after the compromise incident is verified." This policy aims give a clear commitment to timely data breach notification.

RelationalAI's policy requires employees and contractors to use complex and unique passwords for all accounts with access to company data. They must also use two-factor authentication where available and are encouraged to store passwords in encrypted ways, such as with a password manager. Password sharing is prohibited, and suspected compromises must be reported immediately.

Logging is the process of recording events that occur within an information system, such as user activities, system processes, and network communications. These logs are crucial for monitoring, auditing, security analysis, and troubleshooting.

RelationalAI's policies emphasize controlling data access through several means:

• Least Privilege: Where possible, RelationalAI employs the principle of least privilege when granting employees access to applications, services, and cloud platforms.
• Proprietary Information: Employees may access, use, or share proprietary information only to the extent authorized and necessary for their job duties.
• Affiliate Access: The Affiliate Access Policy details different types of access for affiliates (e.g., GitHub repositories, Google Workspace, Slack) and the requirements for obtaining and maintaining that access, including acceptance of relevant agreements and training.
• Data Classification: The Data Classification Policy assigns different levels of sensitivity to data (Public, Internal, Company Confidential, Customer Confidential) and outlines the corresponding protection and access requirements for each classification.

RelationalAI's Security Detection and Response Team actively monitors the environment for known attacker tactics, techniques, and procedures (TTPs), as well as known malicious binaries and other suspicious activities. These regular activities are complemented by periodic reviews and investigations into anomalous activities to discover unknown threats occurring on a regular cadence.

RelationalAI centrally manages and secures all employee endpoints through our Mobile Device Management (MDM) solution. This systematic management allows us to enforce security policies, distribute software and updates, and monitor endpoint integrity. RelationalAI also utilizes a third party solution for malware detection on all company endpoints.

All employee endpoints are managed and monitored using best-in-class solutions from trusted vendors. Endpoint security signals across corporate endpoints and cloud infrastructure are monitored regularly for anomalous activity.

We employ firewalls and network policies to monitor and control traffic across our infrastructure. These controls, combined with network segmentation and system hardening, ensure traffic is appropriately restricted, and all changes are authorized, tested, and reviewed.

RelationalAI network configurations are supported by documented justifications for allowed services, protocols, ports, and devices. Network configurations are also governed by strict change management processes.

To enhance endpoint security, RelationalAI implements DNS filtering mechanisms that block access to malicious web traffic. This preventive measure is complemented by regular monitoring.

To protect the confidentiality and integrity of information stored on all employee endpoints, RelationalAI mandates full-disk encryption. Additionally, we continuously monitor endpoint security signals to promptly identify and investigate any anomalous activity.

A Virtual Private Cloud (VPC) is a private, isolated section of a public cloud where users can launch resources in a virtual network. It allows for greater control over networking configurations, including IP addressing, subnets, and network gateways.

Spoofing protection refers to security measures designed to prevent attackers from masquerading as a legitimate entity, such as a user, device, or network, to gain unauthorized access or deceive others.

This can involve verifying the authenticity of communication sources.

RelationalAI has several policies that contribute to Data Loss Prevention:

Data Protection Policy: This policy outlines how RelationalAI collects and processes information, especially Personally Identifiable Information (PII), and sets rules against informal communication, storage beyond specified times, downloading to unapproved devices, and transfer to organizations without adequate data protection. It also commits to restricting and monitoring access to sensitive data, transparent collection procedures, employee training, secure networks, and clear reporting procedures for breaches.

Data Classification Policy: This policy classifies data into categories (Public, Internal, Company Confidential, Customer Confidential) and defines the required levels of protection, preventing sensitive data from being mishandled.

Data Deletion Policy: This policy ensures that customer data is deleted within a specified timeframe after contract termination, reducing the risk of old data being exposed.

Asset Management Policy: This policy requires full disk encryption on company-provided devices and encourages vigilance against suspicious emails and executables, which helps prevent data loss from compromised devices. It also outlines procedures for wiping devices upon an employee's departure and for secure disposal of assets.

BYOD Policy: For personal devices used for work, this policy mandates hard disk encryption and encourages vigilance against suspicious emails and executables, contributing to the security of company data on these devices.

Encryption & Key Management Policy: This policy requires all sensitive data in transit and at rest to be encrypted using strong, industry-recognized algorithms, significantly preventing data loss through unauthorized access to unencrypted information.

RelationalAI has extensive employee training. Ensuring the protection of Customer Data:

Security Awareness Training: Employees and contractors receive training on the company's security policies and procedures within their first 30 days of employment and annually thereafter. They are required to acknowledge electronically that they have attended and understood the security policy. Affiliates with access to core RelationalAI intellectual property must complete Security Awareness Training before access is granted and repeat it annually to maintain access.

Data Protection Policy: Employees are trained in online privacy and security measures as part of data protection efforts.

Code of Ethics & Business Conduct: RelationalAI delivers periodic training to inform employees about the Code of Ethics, help them understand its application, and guide them on how to deal with situations where prohibited conduct may be encountered or solicited.

RelationalAI's policies address email protection:

General Caution: Employees must use extreme caution when opening email attachments from unknown senders, as they may contain malware.

Spoofing Prevention: Postings by employees from a @relational.ai email address to newsgroups should include a disclaimer that the opinions expressed are their own and not necessarily RelationalAI's, unless it's in the course of business duties.

Incident Response: In case of compromised communication tools, including email accounts, the team will announce an out-of-band communication tool immediately.

RelationalAI has detailed Asset Management Practices:

Asset Standards: Any new type of asset (e.g., computer model) used for RelationalAI's operations must be reviewed and approved by the IT team. Approved manufacturers include Apple, Dell, and Lenovo, with expected lifespans of 3-5 years.

Configuration Standards: Company-provided devices must have hard disk encryption enabled, password-protected screensavers (5 minutes or less), and antivirus installed and enabled on managed devices. Employees are required not to store passwords in clear text and can use corporate-provided or approved password managers. Employees are educated to be vigilant against suspicious emails and executables.

Non-Standard Assets: Deviations from standard configurations require documentation and approval from the IT team for valid business needs. Support for non-standard assets is provided only if it doesn't increase the company's risk profile; otherwise, their use is prohibited.

BYOD Policy: Personal devices used by external researchers, collaborators, and contractors must comply with RelationalAI's Bring Your Own Device Policy, including hard disk encryption and password-protected screensavers.

Procurement: All asset procurement requests must be reviewed and approved by the IT team for compliance with asset standards.

Technical Support and Maintenance: The IT team is responsible for device maintenance, upgrades, and patch updates via Mobile Device Management (MDM) platforms. Loaner devices are provided for repairs, and devices are wiped and reissued or added to a loaner pool upon an employee's departure.

Configuration Management: Employee laptops are managed via MDM for automatic updates and patches. Non-MDM devices are expected to be kept up-to-date manually.

Asset Inventory: The IT and Finance teams maintain a list of all company-owned assets. Lost, stolen, or damaged devices must be reported immediately to the IT team for remote lockdown or wiping.

Disposal: Assets not reused internally must have their hard drives reformatted to delete customer data and invalidate access credentials before disposal.

We have documented Vulnerability Management policies.

We have a Third Party Management Policy that requires due diligence and NDAs for external parties.

Developers are required to review and accept our Secure Development Policy annually.

We have a Risk Management Policy to ensure that we conduct risk assessments on a regular basis.

We have an Operations Security Policy that defines how we log and monitor on our network.

We maintain an Incident Response plan in the event of a security related incident.

All data in our platform is classified based on our Data Management Policy.

We have an internal cryptography policy that defines key management and encryption standards and procedures.

Employees are required to agree to our Code of Conduct during onboarding.

RelationalAI maintains a formal Business Continuity Plan (“BCP”) that clearly defines the roles and responsibilities of its applicable workforce personnel as well as sets out the appropriate scope and purpose of contingency plans to ensure organizational resiliency. We utilize different regions and are working on an official RTO, RPO, and DR testing cadence.

The BCP is tested and reviewed annually by security leadership for updates. Associated findings resulting from plan testing are remediated.

Our Information Security Policy defines the roles and responsibilities for all employees.

Our Access Control Policy defines how access is provisioned for employees.

RelationalAI requires all employees to adhere to an annually updated Acceptable Use Policy. This policy is crafted to prevent unauthorized disclosure, modification, removal, or destruction of information stored across our media platforms.

The protection of AI systems from malicious attacks, vulnerabilities, and unintended behaviors. It involves securing the data, models, and infrastructure used in AI development and deployment to ensure reliability, privacy, and integrity.

AI Risk Management is the process of identifying, assessing, and mitigating potential risks associated with the design, development, deployment, and use of AI systems. This includes addressing risks related to bias, fairness, transparency, privacy, and safety.

AI Governance involves establishing frameworks, policies, and ethical guidelines to ensure the responsible and accountable development and deployment of AI technologies. It aims to guide AI use in alignment with organizational values, legal requirements, and societal expectations.

RelationalAI has a Supplier Code of Conduct that is accessible and downloadable through our trust site.

RelationalAI is committed to global impact through ethical practices, diversity and inclusion, environmental responsibility, and social impact. We are evaluating leading platforms and consultancies to deliver a comprehensive ESG audit and sustainability program. Our approach aligns ESG initiatives with business growth and builds internal capabilities for comprehensive ESG reporting.