Security FAQ
We frequently get asked the same security questions. Below are the answers. IntentAI is SOC2 attested by Vanta, meaning that our systems and policies are continuously monitored.
| Security Requirement | Implementation Status |
|---|---|
| Comply with the Good practices in PDPC's Guidelines to Securing Personal Data in Electronic Medium | Company complies with PDPC guidelines |
| Users must be authenticated via 2FA for access | All users use 2FA, through Google Authenticator |
| Patch management process in place | Process is in place, review compliance of systems with Patch Manager on a monthly basis |
| Administrative accounts fully protected | In place, through IAM policy |
| Privileged users authenticated via 2FA | In place, through IAM policy - use of soft token OTP is mandatory |
| Use Role Based Access Control | In place, through IAM policy |
| Log capture for key event types and log protection from unauthorized modifications | In place |
| Mask passwords or cryptographic keys during entry | In place, enforced through IAM policy |
| Passwords and cryptographic keys protected during transmission | In place, enforced through IAM policy. Passwords are encrypted in transit using TLS 1.2. All STS endpoints support HTTPS for encrypting data in transit |
| Your solution should protect passwords and cryptographic keys in storage | In place through KMS. KMS generates key material for KMS keys in FIPS 140-2 Level 2-compliant hardware security modules (HSMs). When not in use, key material is encrypted by an HSM and written to durable, persistent storage. Key material and the encryption keys that protect the key material never leave the HSMs in plaintext form |
| No requirement of hard-coded passwords | In place, enforced through IAM policy |
| Support encryption of information at rest; IT systems, servers and databases should be protected | Data and metadata at rest are encrypted within the environment using the industry-standard AES-256 encryption algorithm |
| Support Bank-grade algorithms for encryption | Encryption using an industry standard AES256 encryption algorithm |
| Separate physical, or minimally logical, environments for production and other operational environments (e.g. development, UAT) | Solution fully cloud-based, with segregated environments for Dev, UAT and Production |
| Distributed Denial of Service (DDoS) mitigations in place | The cloud-based solution sits behind a Load Balancer and is further protected using WAF, AWS Shield, and Firewall Manager |
| Web application firewall (WAF) to protect it from the external network | In place, through WAF |
| Network surveillance and security monitoring procedures to handle security alerts. Real-time monitoring performed for critical systems and applications | In place, through Command Center |
| Vulnerability assessments (VA) and penetration tests (PT) | Performed by Wizlynx Group, https://www.wizlynxgroup.com/ |
| You should have a data loss protection strategy for data in transit | Data in transit is managed by the Certificate Manager, which provisions Transport Layer Security (TLS 1.2) certificates between HTTPS-only endpoints |
| Backup strategy tested and validated regularly | Backup Scheduling policy is every 7 days. Retention 60 days. Activity is monitored using CloudTrail activity logs. Data is encrypted using Key Management Service (KMS) and stored across multiple servers in the Singapore Availability Zone |
| Disaster recovery strategy tested and validated regularly | Backup data is available for restoration, including single-file restoration that can be completed in minutes |
| Data retention and destruction policy | When an object is deleted, removal of the mapping from the public name to the object starts immediately and is processed across the distributed system within seconds. Once the mapping is removed, there is no remote access to the deleted object. If required, data can be wiped via a specific method, such as those detailed in NIST 800-88 |
| You should have regular reviews of user access privileges to identify and remove dormant, redundant and wrongly provisioned access | In place, AWS FTR certified |
| Patching policy in place | Monitored by Patch Manager, dashboard reviewed and acted upon every 30 days |
| Applications are implemented only via an approved automated CI/CD pipeline | Cloud infrastructure is defined using infrastructure as code instead of manual configuration |
| Expected configuration settings are enforced using a configuration management service or tool | Machine images and infrastructure as code templates are scanned for security vulnerabilities |