Technical and organizational security measures to be implemented by Effy AI to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing, and the risks for the rights and freedoms of natural persons. Effy AI is designed to be GDPR compliant.
Policies
We are committed to data privacy and ensure compliance with GDPR and other privacy regulations:
- Privacy Notice: https://www.effy.ai/privacy
- Data Processing Addendum: https://www.effy.ai/dpa
- Sub-Processors: https://www.effy.ai/subprocessors
The platform gives users control over their data and offers transparent information about how data is collected, used, and stored.
Effy AI, as a small team of fewer than ten people, has partially developed security policies covering key areas like data protection, access control, and incident response. Our CTO oversees these processes, ensuring robust security practices aligned with industry standards, even without fully formalized policies.
The CTO manages security directly, including regular code reviews, continuous monitoring, and incident response protocols. Though formal audit, accountability controls, and a business continuity plan are not yet in place, we maintain operational resilience through hands-on management. As we grow, we plan to formalize and expand our policies to include comprehensive security protocols, ensuring continued alignment with best practices and evolving threats.
Corporate Security
Effy AI is committed to high security standards and plans to pursue certifications like ISO 27001 and SOC 2 in 2025. Our Chief Technology Officer (CTO) oversees security policies, including account management, access control, and incident response, with two-factor authentication (2FA) and Single Sign-On (SSO) implemented for secure access.
We provide ongoing security awareness training internally for employees and regularly test responses to threats. The CTO manages a structured incident response plan (IRP) to handle security breaches effectively, with incidents tracked, documented, and reported within 24-48 hours, depending on severity.
Although we don’t have a formal business continuity plan, regular backups ensure operational resilience. As we grow, Effy AI will expand and formalize security policies to stay aligned with industry best practices.
Access Control
Effy AI utilizes an Identity and Access Management (IAM) system to securely manage user identities and permissions. We leverage built-in tools from AWS and Google Workspace to maintain a comprehensive inventory of access accounts across systems. AWS IAM allows us to manage access to AWS resources with role-based controls, while Google Workspace's IAM features ensure proper identity verification and access management within our organization.
To enhance security, we enforce Multi-Factor Authentication (MFA) across all systems, including administrative accounts. MFA is implemented using methods such as SMS verification and app-based tokens through platforms like Google Authenticator. This measure reduces the risk of unauthorized access by adding a crucial layer of security. MFA practices comply with industry standards to maintain consistency and control across all systems, including third-party vendors.
For administrative access, we use encrypted channels such as HTTPS and SSH to protect data transmission. We also integrate AWS KMS to manage encryption and ensure sensitive operations are secure.
Effy AI strictly adheres to Role-Based Access Control (RBAC), limiting access to data based on each user's role. This ensures only authorized personnel, including our co-founders, have access to sensitive data. These individuals have been vetted and comply with all relevant privacy regulations. Continuous auditing and monitoring of access logs provide an additional layer of oversight, ensuring that all access is documented and legitimate.
We implement robust authentication for both administrative and non-administrative remote access, requiring at least two forms of authentication for all production environments. Administrative remote sessions are also monitored and logged to ensure compliance with our security policies.
Effy AI is committed to the principle of least privilege (PoLP), ensuring that permissions are reviewed regularly, with automatic provisioning and de-provisioning in place to maintain security.
Data Security
Effy AI ensures that all sensitive data is encrypted both at rest and in transit using industry-standard protocols, such as AES-256 for encryption at rest and TLS (Transport Layer Security) for data in transit. We utilize HTTPS for secure communication between endpoints, and Secure Shell (SSH) is employed to protect administrative communications. Additionally, Virtual Private Networks (VPNs) are enforced to encrypt remote connections, safeguarding data traveling over the Internet.
To maintain data integrity, hash functions are used to verify that data has not been altered during storage or transmission. All access to sensitive data is strictly controlled and audited, with permissions reviewed regularly to ensure adherence to security policies.
Effy AI has implemented cryptographic mechanisms to prevent unauthorized disclosure of sensitive information during transmission. However, cryptographic protections for data at rest are limited to securing passwords, and other security measures are used to protect stored data.
Effy AI adheres to clear data retention policies, ensuring that data is stored only as long as necessary for business operations or regulatory requirements. Customers retain full ownership of all data and metadata generated while using our applications. Although Effy AI retains limited rights to use customer data for service improvements and support, these rights are clearly defined to ensure that customers have full control over their data.
Effy AI is committed to safeguarding client data according to our strict privacy policies. When data is no longer required, it is securely disposed of, either through encryption or physical destruction of assets. This ensures that client data is handled with the highest standards of confidentiality and integrity throughout its lifecycle.
App Security
Effy AI follows a rigorous approach to application security, embedding security at each stage of the software development lifecycle (SDLC). The platform leverages secure coding standards, regular security testing, and automation to detect vulnerabilities early. Key practices include:
- Change Control Tickets: All changes to the application are tracked through change control tickets to ensure accountability and transparency.
- Peer Review: Code changes undergo thorough peer review to identify potential security issues and ensure adherence to best practices.
- Testing in Non-Production Environments: All new features and updates are tested in isolated non-production environments to validate security before deployment.
- Restricted Authorization for Changes: Only authorized personnel are permitted to implement changes, ensuring strict control over modifications to the codebase.
This approach ensures that security is maintained throughout the development process, reducing the risk of vulnerabilities in production environments.
Developers at Effy AI are trained in secure coding techniques to prevent common vulnerabilities, such as buffer overflows and improper authentication. We utilize automated tools for code scanning, and both static and dynamic application security testing (SAST and DAST) are conducted regularly to catch issues in real-time.
Effy AI ensures that software and firmware updates undergo rigorous testing for effectiveness and potential side effects before installation. Our public-facing web applications are regularly tested for OWASP Top 10 vulnerabilities, helping us maintain high security standards.
Maintenance and upgrades are designed to be seamless, scheduled during non-peak hours to avoid disrupting the user experience. Our comprehensive approach ensures that security is maintained throughout the development process, significantly reducing the risk of vulnerabilities in production environments.
Network Security
Effy AI maintains a robust network security environment with multiple layers of defense to protect against unauthorized access, data breaches, and malicious activities. Key components of our network security strategy include:
- Firewalls: We deploy firewalls to regulate incoming and outgoing network traffic, ensuring that only legitimate traffic is allowed.
- Intrusion Detection and Prevention Systems (IDS/IPS): These systems continuously monitor for malicious activity and policy violations, providing an additional layer of security.
- Network Segmentation: Effy AI employs network segmentation to isolate critical systems and sensitive data from less secure areas. This practice minimizes the risk of lateral movement in the event of a breach, ensuring that compromised systems do not jeopardize other parts of our network.
- Virtual Private Networks (VPNs): We utilize VPNs to provide secure access for remote employees. All communications through the VPN are encrypted, safeguarding data as it travels over the Internet.
- Secure Wireless Access: While we do not restrict employee devices to authorized wireless networks due to our global remote work environment, we enforce strong security measures. All employees are required to use a VPN when accessing company resources to ensure that data remains encrypted and secure, even on public or unsecured networks. Robust authentication protocols, including multi-factor authentication (MFA), are mandatory for accessing company systems and data.
Through these measures, Effy AI ensures the integrity and security of our systems and data, adapting to the challenges posed by a flexible work environment while safeguarding against potential threats.
Infrastructure
Effy AI’s infrastructure is hosted on Amazon Web Services with the highest security certifications: https://aws.amazon.com/ru/security/
All infrastructure components, including virtual machines, containers, and databases, are patched automatically to mitigate known vulnerabilities. This ensures that Effy AI’s systems are always protected against emerging threats.
Effy AI uses automated backup solutions to store encrypted copies of all critical data. A disaster recovery plan is in place, including automated failover systems, to ensure minimal downtime and data loss in the event of an incident.
Endpoint Security
Effy AI applies stringent endpoint security controls to protect all devices interacting with its network. Employee and contractor devices are required to comply with internal security policies.
All endpoints are equipped with up-to-date antivirus and anti-malware solutions, featuring real-time scanning and behavioral analysis. Detected threats are promptly isolated and reported to our security teams for further investigation.
Effy AI utilizes Endpoint Detection and Response (EDR) solutions to continuously monitor endpoint activity, detect suspicious behavior, and respond swiftly to potential threats. These EDR solutions provide deep visibility into endpoint health and security status, facilitating prompt remediation.
Given our remote operational model, we do not have a corporate network. Consequently, USB storage devices are prohibited within our organization, eliminating the need for systems to control or secure them. This policy further reduces potential security risks.
Effy AI remains committed to ensuring that all devices, whether company-issued or personally owned (BYOD), are secured through appropriate technical and administrative measures as our team continues to grow.