Security Addendum

Last updated: February 22, 2026

This Security Addendum (“Addendum”) is incorporated into the Platform Agreement between Cyrenza, Inc. (“Cyrenza”) and Customer. It describes the technical and organizational security measures that Cyrenza implements to protect the confidentiality, integrity, and availability of Customer Data.

1. Security Program

1.1. Cyrenza maintains a formal information security program that includes policies and standards, risk assessment processes, security awareness training, incident response procedures, business continuity planning, and vendor risk management.

1.2. Security policies are reviewed and updated at least annually.

1.3. Cyrenza’s security program is overseen by dedicated security personnel with regular reporting to leadership.

2. Encryption

2.1 Data at Rest

2.1.1. All Customer Data is encrypted at rest using AES-256 encryption.

2.1.2. Cyrenza uses an envelope encryption architecture with per-tenant encryption keys managed through a hardware-backed key management service.

2.1.3. Encryption keys are rotated on a regular schedule (at least once every ninety (90) days), with re-encryption performed without downtime.

2.1.4. Field-level encryption is applied to sensitive data fields, including personally identifiable information.

2.2 Data in Transit

2.2.1. All external communications are encrypted using TLS 1.3. Legacy TLS versions (1.0, 1.1) are not supported.

2.2.2. Internal service-to-service communication is mutually authenticated and encrypted.

2.2.3. HTTP Strict Transport Security (HSTS) is enforced for all web traffic.

3. Access Controls

3.1. Cyrenza implements role-based and attribute-based access controls for fine-grained authorization.

3.2. The Platform supports multi-factor authentication for all user accounts.

3.3. The Platform supports single sign-on (SSO) via industry-standard protocols (OIDC/OAuth 2.0) and automated user provisioning and deprovisioning via SCIM 2.0.

3.4. Access tokens are short-lived and subject to automatic rotation.

3.5. Cyrenza personnel access to production systems is restricted to authorized individuals, logged, and subject to periodic review. No implicit trust is granted based on network location.

4. Multi-Tenancy and Isolation

4.1. Customer Data is logically and cryptographically isolated between tenants.

4.2. Each tenant has unique encryption keys. A compromised tenant key cannot be used to decrypt another tenant’s data.

4.3. Database queries are automatically scoped to the authenticated tenant via row-level security and request-scoped tenant binding.

4.4. Vector search indices maintain per-tenant namespace isolation.

4.5. Cross-tenant access attempts are actively monitored and blocked.

5. Network Security

5.1. Backend services operate within a private network and are not directly accessible from the internet.

5.2. A web application firewall protects against common web application threats, including those identified in the OWASP Top 10.

5.3. DDoS protection is enabled for all externally facing endpoints.

5.4. Rate limiting is enforced per-tenant to prevent abuse and ensure fair resource allocation.

6. Application Security

6.1. Cyrenza implements a data loss prevention pipeline that scans content for sensitive data categories (including PII, credentials, financial data, and health information) and applies configurable actions (allow, redact, encrypt, quarantine, or block).

6.2. AI model inputs and outputs pass through safety and content filtering layers.

6.3. All API endpoints require authentication and enforce input validation.

6.4. Security headers are applied to all responses, including Content Security Policy, X-Frame-Options, X-Content-Type-Options, and Referrer-Policy.

7. Secure Development

7.1. All code changes require peer review before deployment.

7.2. Automated static analysis, dependency scanning, and security testing are integrated into the CI/CD pipeline.

7.3. Pre-commit controls prevent accidental exposure of secrets in source code.

7.4. Production deployments require explicit approval, and automated rollback is available on failure.

7.5. Container images are scanned for vulnerabilities before deployment and run with minimal privileges.

8. Vulnerability Management

8.1. Cyrenza performs regular vulnerability scanning of infrastructure, dependencies, and applications.

8.2. Vulnerabilities are prioritized and remediated based on severity:

  Severity                Target Remediation
  Critical (CVSS ≥ 9.0)   24 hours
  High (CVSS 7.0–8.9)     7 days
  Medium (CVSS 4.0–6.9)   30 days
  Low (CVSS < 4.0)        90 days

8.3. Dependencies are monitored for security advisories and updated on a regular basis.

9. Penetration Testing

9.1. Cyrenza engages independent third-party firms to conduct penetration testing on at least an annual basis.

9.2. Findings are tracked to remediation, and summary reports are available to Enterprise customers under NDA.

9.3. Enterprise customers may conduct their own security assessments of the Platform with prior written approval and defined scope.

10. Monitoring and Audit Logging

10.1. Cyrenza maintains real-time security monitoring with automated alerting for security events.

10.2. Comprehensive audit logs are maintained for all security-relevant events, including authentication, authorization decisions, data access, configuration changes, and security threats.

10.3. Audit log entries include a unique event identifier, timestamp, actor, resource, action, outcome, and distributed tracing correlation.

10.4. Audit logs are cryptographically signed for tamper evidence and stored in append-only storage.

10.5. Audit log retention periods are configurable based on compliance requirements.

11. Incident Response

11.1. Cyrenza maintains an incident response program with defined procedures for detection, triage, containment, investigation, remediation, and post-incident review.

11.2. Confirmed data breaches affecting Customer Data are reported to affected customers within forty-eight (48) hours of confirmation, providing sufficient information for the customer to fulfill their own notification obligations.

11.3. Post-incident reports are published for significant incidents.

12. Disaster Recovery and Business Continuity

12.1. Cyrenza maintains infrastructure across multiple geographic zones with automated failover.

12.2. Recovery objectives:

  • Recovery Time Objective (RTO): 15 minutes
  • Recovery Point Objective (RPO): 5 minutes

12.3. Automated backups are maintained with cross-region replication and thirty (30) day retention.

12.4. Disaster recovery procedures are tested periodically.

13. Data Residency

13.1. Enterprise customers may specify data residency requirements. Each data residency region maintains independent infrastructure, including separate storage, search indices, and database resources.

13.2. Cross-region data transfers are logged for audit purposes and performed only for legitimate operational reasons (such as disaster recovery or customer-requested migration).

14. Personnel Security

14.1. All Cyrenza employees with access to Customer Data or production systems undergo background checks.

14.2. All employees receive security awareness training upon hire and annually thereafter, including role-specific training for engineering and operations personnel.

14.3. Access is revoked immediately upon employee termination.

15. Third-Party and Vendor Security

15.1. Cyrenza conducts security assessments of all third-party service providers that process Customer Data before engagement and on an ongoing basis.

15.2. Third-party providers are contractually required to maintain appropriate security measures and are bound by data processing agreements.

15.3. Current subprocessors are listed in the Subprocessor List.

16. Shared Responsibility

16.1. Security is a shared responsibility. Cyrenza is responsible for securing the Platform infrastructure, application, and data processing environment. Customer is responsible for:

  • Maintaining the security of Account credentials, API keys, and access tokens.
  • Managing Authorized User access and enabling multi-factor authentication.
  • Classifying data and configuring appropriate controls within the Platform.
  • Securing third-party integration credentials.
  • Promptly reporting suspected security incidents to security@cyrenza.com.

17. Responsible Disclosure

17.1. Cyrenza encourages responsible disclosure of security vulnerabilities. Researchers should report findings to security@cyrenza.com with detailed descriptions, reproduction steps, and potential impact.

17.2. Cyrenza will not pursue legal action against researchers who comply with this policy, make good faith efforts to avoid privacy violations and service disruption, and report findings promptly.

17.3. Cyrenza acknowledges valid vulnerability reports and may offer recognition or bug bounty rewards for qualifying findings.

18. Compliance

18.1. Cyrenza’s security program is designed to support compliance with applicable data protection and industry regulations, including GDPR, CCPA/CPRA, and HIPAA (Business Associate Agreement available upon request).

18.2. Enterprise customers may request compliance documentation, including audit reports, penetration test summaries, and responses to security questionnaires, by contacting compliance@cyrenza.com.
