
Security

Last updated: January 20, 2026

At Connic, security is foundational to everything we do. As a platform that hosts and executes AI agents on behalf of our customers, we understand the critical importance of protecting your data, code, and infrastructure. This page describes the technical and organizational security measures we implement to safeguard your information.

Our security program is designed to meet the requirements of industry standards and regulatory frameworks, including GDPR, SOC 2, and ISO 27001 principles.

Infrastructure Security

Our infrastructure is hosted on enterprise-grade cloud platforms (Google Cloud Platform, Amazon Web Services, and Railway) that maintain comprehensive security certifications including SOC 2 Type II, ISO 27001, and PCI DSS.

Network Security

  • Firewalls: All systems are protected by network firewalls with default-deny policies, allowing only necessary traffic.
  • DDoS Protection: We employ distributed denial-of-service protection at the network edge to ensure service availability.
  • Network Segmentation: Our infrastructure uses network segmentation to isolate different components and limit the blast radius of potential security incidents.
  • Private Networks: Internal service-to-service communication occurs over private networks, not exposed to the public internet.

Compute Isolation

  • Container Isolation: Each customer's agents run in isolated containers, ensuring separation between different customers' workloads.
  • Resource Limits: Containers are configured with CPU and memory limits to prevent resource exhaustion attacks.
  • Ephemeral Environments: Agent execution environments are ephemeral and destroyed after use, minimizing persistence of sensitive data.

Data Security

Encryption

  • Data in Transit: All data transmitted between your systems and Connic is encrypted using TLS 1.2 or higher. We enforce HTTPS for all connections and use HSTS headers.
  • Data at Rest: All stored data, including databases, backups, and logs, is encrypted using AES-256 encryption.
  • Key Management: Encryption keys are managed using cloud provider key management services with automatic key rotation.

Secrets Management

  • Environment Variables: Your API keys and secrets are stored encrypted and injected into agent environments at runtime, never stored in code or logs.
  • No Plaintext Storage: Sensitive credentials are never stored in plaintext. All secrets are encrypted before storage.
  • Secure Injection: Secrets are injected into containers via secure environment variables, not command-line arguments or files.

Data Retention & Deletion

  • Agent execution logs are retained according to your subscription tier (7-90 days)
  • Upon account deletion, your data is removed within 30 days from active systems
  • Backup copies are purged within 90 days of account deletion
  • You can export your data at any time

Access Control

Authentication

  • Multi-Factor Authentication: MFA is available for all accounts and required for administrative access.
  • OAuth/SSO: We support authentication via GitHub, Google, and other identity providers through Auth0.
  • Session Management: Sessions use appropriate timeouts and secure cookie settings.
  • API Keys: API keys can be scoped, rotated, and revoked at any time. We recommend regular rotation.

Authorization

  • Role-Based Access Control: Access to resources is controlled through role-based permissions at the project and organization level.
  • Least Privilege: Users and services are granted the minimum permissions necessary to perform their functions.
  • Audit Logging: All access to sensitive resources is logged for audit purposes.

Internal Access

  • Connic employees access production systems only when necessary for support or maintenance
  • All employee access to production is logged and regularly audited
  • Employees undergo background checks and security training
  • Access is revoked immediately upon employee departure

Application Security

Secure Development

  • Code Review: All code changes undergo peer review before deployment.
  • Dependency Scanning: We continuously scan dependencies for known vulnerabilities and update them promptly.
  • Static Analysis: Code is analyzed for security issues using automated static analysis tools.
  • Secure Coding Practices: Our development team follows OWASP secure coding guidelines.

Vulnerability Management

  • Regular vulnerability assessments and penetration testing
  • Automated scanning of infrastructure and applications
  • Timely patching of identified vulnerabilities based on severity
  • Critical vulnerabilities are addressed within 24-48 hours

Input Validation

  • All user inputs are validated and sanitized
  • Protection against common attacks including SQL injection, XSS, and CSRF
  • Rate limiting to prevent abuse and brute-force attacks

Monitoring & Incident Response

Continuous Monitoring

  • 24/7 Monitoring: Our systems are continuously monitored for security events and anomalies.
  • Alerting: Automated alerts notify our security team of potential security incidents.
  • Log Aggregation: Security logs are centrally aggregated and retained for analysis and forensics.
  • Intrusion Detection: We employ intrusion detection systems to identify suspicious activity.

Incident Response

  • Documented incident response procedures with defined roles and responsibilities
  • Incidents are classified by severity and escalated appropriately
  • Post-incident reviews are conducted to identify root causes and improvements
  • Customers are notified of security incidents affecting their data in accordance with our DPA and applicable law

Business Continuity & Disaster Recovery

  • Backups: Data is backed up regularly with backups stored in geographically separate locations.
  • Redundancy: Critical systems are deployed with redundancy to ensure high availability.
  • Disaster Recovery: We maintain disaster recovery procedures and test them regularly.
  • Recovery Objectives: Our infrastructure is designed to meet recovery time objectives (RTO) and recovery point objectives (RPO) appropriate for our service level commitments.

Compliance & Certifications

Connic is committed to maintaining compliance with applicable regulations and industry standards:

  • GDPR: We comply with the General Data Protection Regulation for processing personal data of EU residents.
  • CCPA/CPRA: We comply with California privacy laws for California residents.
  • Data Processing Agreement: We offer a comprehensive Data Processing Agreement that meets GDPR requirements.
  • Infrastructure Certifications: Our cloud providers maintain SOC 2 Type II, ISO 27001, and other certifications.

Enterprise Compliance

For enterprise customers with stringent compliance requirements, we offer additional certifications and attestations as part of our Enterprise plan:

  • SOC 2 Type II: Annual audit attestation covering security, availability, and confidentiality controls.
  • ISO 27001: Certified Information Security Management System (ISMS) covering policies, procedures, and risk management.
  • ISO 27701: Privacy Information Management extension demonstrating GDPR and privacy regulation compliance.
  • HIPAA: Healthcare data protection compliance for customers handling Protected Health Information (PHI).

Contact sales@connic.co to discuss your compliance requirements and request audit reports.

AI Governance & EU AI Act

As an AI agent deployment platform, Connic is committed to responsible AI practices and compliance with emerging AI regulations, including the European Union's Artificial Intelligence Act (EU AI Act).

EU AI Act Compliance

The EU AI Act establishes a risk-based framework for AI systems. Connic supports customers in meeting their obligations under this regulation:

  • Transparency: We provide clear documentation about AI system capabilities, limitations, and intended use cases to help customers make informed deployment decisions.
  • Audit Trails: Comprehensive logging of agent executions, inputs, outputs, and tool calls enables traceability and accountability as required by the Act.
  • Human Oversight: Our platform supports human-in-the-loop workflows, approval gates, and monitoring capabilities for high-risk use cases.
  • Risk Assessment: Enterprise customers receive guidance on classifying their AI use cases and implementing appropriate safeguards.

Responsible AI Practices

  • Model Agnostic: Customers choose their own LLM providers and retain control over model selection, allowing them to select providers that meet their specific governance requirements.
  • Data Minimization: Agents process only the data necessary for their designated tasks, and customers control data retention policies.
  • No Training on Customer Data: Customer data processed through Connic is never used to train AI models.

For enterprise customers requiring formal EU AI Act compliance documentation and risk assessments, please contact sales@connic.co.

Responsible Disclosure

We appreciate the security research community's efforts to improve our security. If you discover a security vulnerability, please report it responsibly:

  • Email your findings to security@connic.co
  • Include detailed steps to reproduce the vulnerability
  • Allow us reasonable time to address the issue before public disclosure
  • Do not access or modify other users' data during your research

We commit to acknowledging your report within 48 hours and keeping you informed of our progress in addressing the issue.

Security Questions?

If you have questions about our security practices or need additional information for your security review, please contact us:
