Security and Privacy at Barndoor AI, Inc.

Protecting Data at Rest

Every piece of customer data stored in our systems is protected with enterprise-grade encryption:

Database Encryption: All databases containing customer data use AES-256 encryption at rest. Database encryption keys are managed through cloud-native key management services and are rotated regularly according to industry best practices.

Field-Level Encryption: Sensitive data receives an additional layer of protection through field-level encryption. This means that even if someone gains unauthorized access to our databases, the most sensitive information remains encrypted and unreadable.

File Storage Security: All file storage systems use server-side encryption.

Securing Data in Transit

Every data transmission is protected with industry-standard encryption:

TLS Encryption: All data transmitted between our systems and external networks uses TLS 1.2 or greater encryption. We maintain strict cipher suite requirements and regularly update our TLS configurations based on security best practices.

API Security: Access to our APIs is protected through secure token-based authentication and authorization. Every request is encrypted in transit using TLS and validated with industry-standard cryptographic protocols.

Internal Network Security: Data transmitted within our internal networks is encrypted using WireGuard VPN protocols and micro-segmentation to prevent lateral movement.

Advanced Encryption Management

Hardware Security Modules (HSMs): Our encryption keys are generated and stored in FIPS 140-2 Level 3 certified HSMs. These hardware devices provide tamper-evident, secure key storage that prevents unauthorized access even by cloud provider personnel.

Key Rotation: All encryption keys are rotated automatically according to industry best practices. Customer data encryption keys are rotated at least annually, while system keys are rotated more frequently.

Secret Management

Application secrets, API keys, and configuration data are managed through enterprise-grade secret management systems:

• All secrets are encrypted at rest using separate encryption keys
• Access to secrets is logged and monitored
• Development and production secrets are completely isolated
• Emergency access procedures include full audit trails

Comprehensive Penetration Testing

We engage with third-party security firms to conduct thorough penetration testing of our entire platform:

Annual Assessments: We conduct comprehensive penetration tests at least annually, with quarterly assessments of critical components.

Scope Coverage: Testing covers all aspects of our platform including:

• Web applications and APIs
• Administrative interfaces
• Network infrastructure
• Cloud configurations

Vulnerability Management Program

Our Secure Development Lifecycle (SDLC) integrates security testing at every stage:

Static Application Security Testing (SAST): All code is automatically scanned for security vulnerabilities during development. Developers receive immediate feedback on potential security issues before code is merged.

Software Composition Analysis (SCA): We continuously scan all open-source dependencies for known vulnerabilities and license compliance issues. Automated tools track and alert on new vulnerabilities in our software supply chain.

Dynamic Application Security Testing (DAST): Running applications are regularly tested for runtime vulnerabilities, including injection attacks, authentication bypass, and session management issues.

Infrastructure Scanning: Our cloud infrastructure is continuously scanned for misconfigurations, excessive permissions, and security policy violations.

Secure Development Practices

Security Code Reviews: All code changes undergo security-focused peer review by developers trained in secure coding practices. High-risk changes require review by our security team.

Security Testing Integration: Security tests are integrated into our continuous integration pipeline, preventing deployment of code that fails security checks.

Endpoint Protection & Management

All corporate devices used to access customer data or production systems are subject to comprehensive security controls:

Mobile Device Management (MDM): All laptops and desktops are enrolled in our MDM system, which enforces security policies including:

• Full disk encryption using industry-standard algorithms
• Automatic screen locks with strong authentication
• Mandatory security updates and patch management
• Anti-malware protection with real-time scanning

24/7 Security Monitoring: Our endpoint security tools provide continuous monitoring with automated threat detection and response capabilities. Security incidents are escalated to our security operations center for immediate investigation.

Network Security & Access Controls

Zero Trust Architecture: Our network follows zero trust principles, requiring authentication and authorization for every access request, regardless of location or device.

Network Segmentation: Our production networks are segmented to limit the impact of potential breaches.

Secure Remote Access: Remote access to internal systems is provided through:

• Modern VPN solutions built on WireGuard protocols
• Multi-factor authentication for all connections
• Malware-blocking DNS to protect against malicious websites

Identity & Access Management

Single Sign-On (SSO): We use enterprise-grade SSO solutions to manage access to all internal applications and systems. This provides centralized authentication and simplifies access management.

Multi-Factor Authentication (MFA): All user accounts require phishing-resistant multi-factor authentication. We prioritize WebAuthn and hardware security keys over SMS-based authentication.

Role-Based Access Control (RBAC): Access to systems and data is granted based on job functions and follows the principle of least privilege. Users receive only the minimum access required to perform their duties.

Automated Provisioning & Deprovisioning: User access is automatically provisioned when employees join and immediately deprovisioned when they leave. This eliminates the risk of orphaned accounts with excessive permissions.

Privileged Access Management (PAM): Administrative access to critical systems requires additional approval workflows and is monitored more closely than standard user access.

Comprehensive Training Program

New Employee Onboarding: Every new employee completes comprehensive security training during their first week, covering:

• Company security policies and procedures
• Data classification and handling requirements
• Incident reporting procedures
• Customer data protection requirements

Developer Security Training: Engineering staff receive specialized training in secure coding practices, including:

• Common vulnerability patterns and prevention
• Secure API design and implementation
• Cryptographic implementation

Security Awareness Program

Regular Communications: Our security team provides regular updates on emerging threats, security best practices, and relevant security news through multiple channels.

Incident Response Training: All employees are trained on how to recognize and report potential security incidents. Critical personnel receive additional training on incident response procedures.

Vendor Risk Assessment

All vendors with access to customer data or critical systems undergo comprehensive security assessments:

Initial Security Review: Before engaging with any vendor, we conduct a thorough security assessment including:

• Security questionnaire completion
• Review of vendor certifications and compliance status
• Assessment of vendor access requirements
• Evaluation of data protection practices

Ongoing Monitoring: We continuously monitor vendor security posture through:

• Monitoring of vendor security incidents
• Review of vendor audit reports and certifications

Contractual Security Requirements: All vendor contracts include specific security requirements and compliance obligations, including:

• Data protection and privacy requirements
• Incident notification procedures
• Right to audit and security assessment
• Compliance with applicable regulations
• Secure data deletion upon contract termination

Supply Chain Security

Dependency Management: We maintain detailed inventories of all software dependencies and regularly assess them for security vulnerabilities and license compliance.

Secure Development Tools: All development and deployment tools are security-hardened and regularly updated. Access to these tools requires multi-factor authentication and is logged.

Privacy-First Approach

Barndoor AI, Inc. is committed to protecting the privacy of all individuals whose data we process. Our privacy program goes beyond mere compliance to implement privacy by design principles:

Data Minimization: We collect and process only the data necessary for specified purposes. Our platform is designed to achieve customer objectives while minimizing data requirements.

Purpose Limitation: Data is used only for the purposes for which it was collected, unless we obtain additional consent or have a legal basis for expanded use.

Storage Limitation: We retain data only as long as necessary for specified purposes and ensure timely data removal.

Transparency: We provide clear, understandable explanations of our data practices through our privacy policy and data processing agreements.

Security Operations

Security Operations Center (SOC): Our SOC provides continuous monitoring of all systems and networks. Trained security analysts investigate alerts and respond to potential threats in real-time.

Incident Response Team: Our dedicated incident response team includes security engineers, legal counsel and privacy officers who can quickly mobilize to address security incidents.

Automated Threat Detection: We use advanced security tools and machine learning algorithms to detect potential threats and anomalous behavior across our infrastructure.

Incident Response Procedures

Incident Classification: We classify security incidents based on severity and impact, with defined response procedures for each classification level.

Customer Notification: For incidents that may affect customer data or services, we provide timely notification through multiple channels including email, our status page, and direct communication for enterprise customers.

Regulatory Reporting: We maintain procedures for reporting security incidents to relevant regulatory authorities as required by applicable laws and regulations.

Post-Incident Analysis: Every security incident undergoes thorough post-incident analysis to identify root causes and implement improvements to prevent similar incidents.

Business Continuity Planning

Disaster Recovery: We maintain comprehensive disaster recovery plans that can restore critical systems and data in the event of major incidents.

Backup Systems: Critical data and systems are backed up regularly with geographically distributed storage to ensure availability during disasters.

Service Availability: We design our systems for high availability with redundancy and failover capabilities to minimize service disruptions.

Communication Plans: We maintain communication plans to keep customers informed during service disruptions and coordinate response efforts across teams.

Security Documentation & Resources

Compliance Documentation: We maintain comprehensive documentation of our compliance programs, including policies, procedures, and evidence of control implementation.

Security FAQ: Our frequently asked questions document addresses common security concerns and provides detailed information about our security practices.

Best Practices Guides: We provide guides to help customers securely integrate with our platform and implement security best practices in their own environments.

Customer Security Support

Dedicated Security Contacts: Enterprise customers have access to dedicated security team members who can answer questions and provide support for security assessments and compliance activities.

Security Questionnaire Support: We provide comprehensive responses to customer security questionnaires and can participate in customer security assessments and audits.

Compliance Assistance: Our compliance team can provide documentation and support to help customers meet their own regulatory requirements when using our platform.

Security Updates: We provide regular security updates to customers about new features, security enhancements, and relevant threat intelligence.

Continuous Improvement

Customer Feedback: We actively seek feedback from customers about our security practices and use this input to improve our security program.

Industry Collaboration: We participate in industry security initiatives and collaborate with other organizations and individuals to improve security practices across the AI industry.

Research & Development: We invest in research and development of new security technologies and techniques, particularly those relevant to AI security.

Regular Reviews: Our security program undergoes regular internal reviews and external assessments to ensure it remains effective and current with evolving threats and best practices.