1. Introduction
AUTONOMi is committed to protecting the security, confidentiality, integrity, and availability of all data entrusted to us by our clients, employees, and users. This Security Policy describes the technical and organizational measures we implement to protect personal data and platform infrastructure.
This policy applies to:
- All AUTONOMi systems, infrastructure, and applications
- All employees, contractors, and service providers with access to AUTONOMi systems
- All client data processed through the AUTONOMi platform
2. Security Governance
2.1 Responsibility
Security is a shared responsibility across AUTONOMi. Leadership is ultimately accountable for information security. Day-to-day security operations are managed by our designated security function with executive oversight.
2.2 Security Reviews
AUTONOMi conducts:
- Annual security policy reviews
- Periodic risk assessments of systems and processing activities
- Security reviews for all new products, features, and significant infrastructure changes
2.3 Vendor and Third-Party Assessment
Before engaging third-party processors or vendors with access to client or personal data, AUTONOMi evaluates their security posture and requires contractual commitments to maintain appropriate security measures.
3. Data Encryption
3.1 Encryption in Transit
All data transmitted between users and AUTONOMi systems is encrypted using:
- TLS 1.2 or higher for all web traffic and API communications
- TLS 1.3 for new connections where supported
- HSTS (HTTP Strict Transport Security) enforced on all public-facing domains
- Encryption in transit for all connections to third-party advertising platforms (Google, Meta, TikTok, LinkedIn, etc.)
Unencrypted HTTP requests are not served; they are redirected to HTTPS.
3.2 Encryption at Rest
Personal data and client data stored on AUTONOMi infrastructure is encrypted at rest using:
- AES-256 or equivalent for database storage
- Encrypted backups
- Encryption of sensitive fields at the application layer where applicable
3.3 Key Management
Encryption keys are managed using industry-standard key management practices:
- Keys are rotated on a defined schedule
- Access to encryption keys is limited to authorized systems and personnel
- Key material is never stored in plaintext alongside the data it protects
4. Access Controls
4.1 Principle of Least Privilege
Access to systems and data is granted on a need-to-know, least-privilege basis. Employees and contractors are granted only the permissions necessary to perform their role.
4.2 Authentication
- Multi-factor authentication (MFA) is required for all internal system access, administrative accounts, and production environment access
- Strong password policies are enforced (minimum length, complexity, no reuse of recent passwords)
- Service accounts use rotating keys or certificates rather than static passwords where possible
4.3 Client Account Access
- Client platform accounts are protected by individual credentials and MFA where enabled
- Clients control which users within their organization have access to their AUTONOMi account
- AUTONOMi staff access to client accounts is limited to support contexts, logged, and restricted to authorized personnel
4.4 Access Reviews
Access rights are reviewed periodically and revoked promptly when an employee leaves the organization or changes roles.
4.5 Privileged Access
Privileged access to production systems is:
- Limited to a small number of authorized personnel
- Logged and audited
- Reviewed regularly
5. Network Security
5.1 Network Segmentation
Production systems are segregated from development and test environments. Client data is isolated from AUTONOMi internal systems through logical and, where applicable, physical network segmentation.
5.2 Firewall and Perimeter Controls
- Firewalls are configured to deny all traffic not explicitly permitted
- Public-facing services expose only necessary ports
- Administrative interfaces are not exposed to the public internet
5.3 Intrusion Detection and Prevention
AUTONOMi employs monitoring tools to detect unusual or unauthorized activity on its networks and systems, including:
- Anomaly detection on access logs
- Alerting for unexpected authentication patterns
- Network traffic monitoring
6. Application Security
6.1 Secure Development
AUTONOMi follows secure development practices including:
- Security requirements incorporated into the software development lifecycle (SDLC)
- Code review processes that include security considerations
- Protection against OWASP Top 10 vulnerabilities (injection, XSS, CSRF, insecure deserialization, etc.)
- Dependency and third-party library scanning for known vulnerabilities
6.2 Security Testing
AUTONOMi conducts:
- Vulnerability assessments of internet-facing applications on a periodic basis
- Penetration testing conducted by qualified internal or third-party security professionals at least annually
- Remediation of identified vulnerabilities based on risk severity
6.3 Input Validation
All data received from external sources is validated and sanitized before processing to prevent injection and other input-based attacks.
7. Infrastructure Security
7.1 Cloud Infrastructure
AUTONOMi uses leading cloud infrastructure providers with SOC 2 Type II, ISO 27001, and PCI DSS certifications. Physical security of underlying infrastructure (data centers, hardware) is the responsibility of those providers.
AUTONOMi's responsibilities include:
- Configuration and hardening of cloud resources
- Identity and access management within cloud environments
- Network controls and security group configuration
- Logging and monitoring of cloud activity
7.2 System Hardening
- Server and system images are hardened to remove unnecessary services and default credentials
- Software and security patches are applied on a defined schedule, with critical patches applied as soon as practicable after release
- Systems are inventoried and tracked
7.3 Logging and Monitoring
- Security-relevant events are logged, including authentication events, access to sensitive data, administrative actions, and system errors
- Logs are retained for a minimum of 12 months and protected from unauthorized modification
- Alerts are configured for security-relevant events and reviewed by authorized personnel
8. Data Handling and Classification
8.1 Data Classification
AUTONOMi classifies data into the following categories:
| Classification | Description | Examples |
|---|---|---|
| Confidential | Highest sensitivity — restricted access | Client data, payment data, credentials, encryption keys |
| Internal | Operational data — internal use only | Employee records, business strategy, financial data |
| Public | Approved for public disclosure | Marketing materials, published documentation |
8.2 Client Data Handling
Client data is:
- Processed only for the purposes of delivering contracted services
- Never sold, licensed, or shared with third parties for third-party benefit
- Logically segregated from other clients' data
- Accessible to AUTONOMi staff only when required for support, subject to logging
8.3 Secure Disposal
Data that is no longer required is securely deleted:
- Digital data is deleted using methods that prevent recovery
- Backups are purged on the retention schedule
- Physical media is destroyed through certified secure disposal methods
9. Incident Response
9.1 Incident Response Plan
AUTONOMi maintains an incident response plan that defines procedures for:
- Identifying and classifying security incidents
- Containing and eradicating threats
- Recovering affected systems
- Post-incident review and lessons learned
9.2 Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical | Active breach, data exfiltration, ransomware | Immediate — within 1 hour |
| High | Suspected breach, unauthorized access, significant vulnerability | Within 4 hours |
| Medium | Contained incident, vulnerability with limited exposure | Within 24 hours |
| Low | Minor policy violation, low-risk vulnerability | Within 72 hours |
9.3 Data Breach Notification — EU (GDPR)
In the event of a personal data breach affecting EU data subjects, AUTONOMi will:
- Notify the relevant supervisory authority within 72 hours of becoming aware of the breach (GDPR Art. 33)
- Notify affected data subjects without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Art. 34)
- Maintain a register of all personal data breaches, regardless of whether notification is required
For EU client data for which AUTONOMi acts as a processor, we will notify the client controller without undue delay to enable their own notification obligations to be met.
9.4 Data Breach Notification — United States
In the event of a data breach affecting US residents, AUTONOMi will comply with applicable state breach notification laws, which may require notification to:
- Affected individuals (timelines vary by state, typically 30–90 days)
- State attorneys general or regulators
- Consumer reporting agencies (in certain states for large-scale breaches)
California (CCPA/CPRA): Notification to California residents and the California Attorney General where required.
Other states: Notification in accordance with applicable breach notification statutes.
9.5 Internal Reporting
Employees and contractors who become aware of a suspected security incident or breach must report it immediately to security@goautonomi.com.
10. Business Continuity and Disaster Recovery
10.1 Backups
Backups of client and operational data are:
- Taken automatically on a defined schedule (at minimum daily)
- Stored in encrypted form in geographically separate locations
- Tested periodically to verify recoverability
10.2 Recovery Objectives
AUTONOMi targets:
- Recovery Time Objective (RTO): Systems restored to operational status within a defined recovery window following a declared disaster
- Recovery Point Objective (RPO): Data loss limited to no more than 24 hours of data in a major disaster scenario
Specific RTO and RPO commitments for enterprise clients may be defined in service-level agreements.
10.3 Availability
AUTONOMi uses redundant infrastructure to minimize downtime:
- Load balancing and auto-scaling in production environments
- Redundant network paths where applicable
- Monitoring with automated alerting for service degradation
11. Human Resources Security
11.1 Pre-Employment
Background screening is conducted for employees in roles with access to sensitive data or production systems, subject to applicable law.
11.2 Security Training
- All employees complete security awareness training upon hire and annually thereafter
- Employees with elevated access (engineers, operations) receive additional technical security training
- Phishing simulation exercises are conducted periodically
11.3 Acceptable Use
Employees are bound by an Acceptable Use Policy governing the use of AUTONOMi systems, data, and resources. Violations are subject to disciplinary action up to and including termination.
11.4 Offboarding
Upon departure, employee access to all AUTONOMi systems is revoked promptly. Company devices are returned and data is wiped.
12. Physical Security
Physical access to AUTONOMi offices and to data center facilities (where applicable) is controlled through:
- Access controls limiting physical entry to authorized personnel
- Secure disposal of physical media and hardware
- Visitor management procedures for sensitive areas
Physical security of cloud infrastructure is the responsibility of the respective cloud provider (AWS, Google Cloud, etc.) under their security certifications.
13. Compliance and Certifications
13.1 Regulatory Compliance
AUTONOMi's security program is designed to support compliance with:
- GDPR (EU) — Article 32 technical and organizational security measures
- BDSG (Germany) — Data protection and security requirements
- CCPA/CPRA (California) — Reasonable security measures
- NIST Cybersecurity Framework — Risk management guidance
13.2 Security Standards Alignment
AUTONOMi aligns its security practices with industry frameworks including:
- ISO/IEC 27001 — Information security management
- SOC 2 Type II — Security, availability, and confidentiality (target framework)
- OWASP — Application security standards
13.3 Certifications
AUTONOMi is working toward formal certification and third-party audit. Clients requiring certification evidence (SOC 2 reports, penetration test summaries, or security questionnaire responses) may contact security@goautonomi.com.
14. Vulnerability Disclosure
AUTONOMi welcomes responsible disclosure of security vulnerabilities. If you believe you have discovered a security vulnerability in our systems, please contact us at:
Email: security@goautonomi.com
Please include:
- A description of the vulnerability and the affected system
- Steps to reproduce the issue
- Potential impact
We will acknowledge receipt within 3 business days and work to investigate and remediate verified vulnerabilities. We request that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it.
15. Policy Updates
This Security Policy is reviewed and updated at least annually, or following a significant security incident, material change to our infrastructure or processing activities, or changes to applicable law.
16. Contact
For security concerns, incident reporting, or security-related inquiries:
AUTONOMi Security
Email: security@goautonomi.com
For GDPR and data protection matters:
Email: gdpr@goautonomi.com
General privacy inquiries:
Email: privacy@goautonomi.com
Website: goautonomi.com