Security Statement

Effective Date: January 1, 2025
Last Updated: January 5, 2025

At Askalot, security is foundational to everything we do. This statement describes our security practices, infrastructure, and commitments to protecting your data.

Our Security Commitment

We understand that you trust us with sensitive survey data. We take this responsibility seriously by implementing comprehensive security measures across our platform, infrastructure, and organization.

Infrastructure Security

Tenant Isolation

Every customer operates in a fully isolated environment:

  • Separate Linux Containers (LXC): Each tenant runs in its own isolated container
  • Network Isolation: Tenants cannot communicate with each other
  • Dedicated Resources: Compute and storage resources are not shared between tenants
  • Independent Databases: Each tenant has isolated data storage

Data Center Security

Our services are hosted in enterprise-grade data centers with:

  • 24/7 physical security and surveillance
  • Biometric access controls
  • Redundant power and cooling systems
  • Fire detection and suppression
  • Environmental monitoring

Network Security

  • Firewalls: Multi-layer firewall protection
  • DDoS Protection: Automatic detection and mitigation
  • Intrusion Detection: Continuous monitoring for suspicious activity
  • Network Segmentation: Isolated network zones for different service tiers

Data Protection

Encryption

All data is protected with strong encryption:

  • In Transit: TLS 1.2+ (HTTPS)
  • At Rest: AES-256
  • Backups: AES-256 with separate key management

Access Controls

  • Role-Based Access Control (RBAC): Users only access what they need
  • Multi-Factor Authentication (MFA): Available for all accounts
  • Single Sign-On (SSO): Centralized authentication via OIDC
  • API Token Management: Secure token generation and revocation
  • Session Management: Automatic timeout and secure session handling

Data Backup and Recovery

  • Daily encrypted backups
  • Geographic redundancy
  • Regular recovery testing
  • Point-in-time recovery capabilities

Application Security

Secure Development

  • Security-focused code reviews
  • Automated security scanning in CI/CD
  • Dependency vulnerability monitoring
  • Regular security training for developers

Authentication

  • OIDC-Compliant: Standards-based authentication
  • Password Security: Bcrypt hashing with high work factor
  • JWT Tokens: Cryptographically signed session tokens
  • Secure Cookies: HttpOnly, Secure, SameSite flags

API Security

  • Bearer token authentication
  • Rate limiting to prevent abuse
  • Input validation on all endpoints
  • SQL injection and XSS protection

Operational Security

Monitoring and Logging

  • Real-time security monitoring
  • Comprehensive audit logging
  • Alerting for anomalous activity
  • Log retention for forensic analysis

Incident Response

We maintain a formal incident response process:

  1. Detection: Automated monitoring and alerting
  2. Containment: Immediate isolation of affected systems
  3. Investigation: Root cause analysis
  4. Remediation: Fix vulnerabilities and restore service
  5. Communication: Timely notification to affected customers
  6. Review: Post-incident analysis and improvement

Vulnerability Management

  • Regular vulnerability scanning
  • Timely patching of security updates
  • Penetration testing by independent security firms
  • Bug bounty considerations for responsible disclosure

Compliance and Certifications

We align our security practices with industry standards and are committed to achieving formal compliance certifications.

ISO/IEC 27001 Compliance

We are committed to compliance with ISO/IEC 27001:2022, the international standard for information security management systems (ISMS). Our security program is designed to meet ISO 27001 requirements, including:

  • Risk Management: Systematic identification and treatment of information security risks
  • Security Controls: Implementation of Annex A controls appropriate to our risk profile
  • Continuous Improvement: Regular review and enhancement of security measures
  • Management Commitment: Leadership engagement and resource allocation for security
  • Documentation: Comprehensive policies, procedures, and records
  • Internal Audits: Regular assessment of ISMS effectiveness

ISO/IEC 42001 Compliance

We are committed to compliance with ISO/IEC 42001:2023, the international standard for Artificial Intelligence Management Systems (AIMS). As AI capabilities are integrated into our platform, we ensure responsible development and governance through:

  • AI Governance: Clear policies and accountability for AI system decisions
  • Risk Assessment: Evaluation of AI-specific risks including bias, fairness, and reliability
  • Transparency: Documentation of AI system purposes, capabilities, and limitations
  • Ethics: Alignment with ethical principles throughout the AI lifecycle
  • Human Oversight: Appropriate human involvement in AI-assisted processes
  • Regulatory Alignment: Preparation for compliance with the EU AI Act and emerging regulations

Standards We Follow

  • GDPR: General Data Protection Regulation compliance for EU data protection
  • ISO/IEC 27001: Information security management system framework
  • ISO/IEC 42001: AI management system framework
  • OWASP: Web application security best practices
  • CIS Controls: Critical security controls implementation

Certifications Roadmap

We are actively working toward:

  • ISO/IEC 27001 Certification: Formal third-party certification (in progress)
  • ISO/IEC 42001 Certification: AI management system certification (in progress)
  • SOC 2 Type II: Service organization controls audit
  • GDPR Certification: Under approved certification mechanisms

Your Security Responsibilities

Security is a shared responsibility. We recommend:

Account Security

  • Use strong, unique passwords
  • Enable multi-factor authentication
  • Review and revoke unused API tokens
  • Monitor account activity regularly

Survey Security

  • Use password protection for sensitive surveys
  • Limit access to survey results
  • Configure appropriate data retention
  • Review participant access permissions

API Security

  • Store API tokens securely
  • Rotate tokens periodically
  • Use environment variables, not hardcoded credentials
  • Implement proper error handling

Data Residency

Primary Location

All data is processed and stored within the European Union.

Data Sovereignty

Enterprise customers may have options for specific data residency requirements. Contact us for details.

Security Updates

We continuously improve our security posture:

  • Regular security assessments
  • Ongoing infrastructure hardening
  • Proactive threat monitoring
  • Security feature enhancements

Reporting Security Issues

If you discover a security vulnerability:

  1. Do not publicly disclose the issue
  2. Email details to [email protected]
  3. Include steps to reproduce the issue
  4. Allow reasonable time for us to address it

We appreciate responsible disclosure and will acknowledge security researchers who help us improve.

Contact Us

For security-related inquiries: