OFFENSAI Security Policy

Last Updated: January 6, 2026

At OFFENSAI, Inc., we understand that security is paramount—especially for a company that helps organizations identify and remediate vulnerabilities in their cloud environments. This Security Policy describes the technical and organizational measures we implement to protect your data and ensure the integrity of our Platform.

Our Commitment to Security

OFFENSAI maintains a comprehensive information security program that includes policies, procedures, and controls governing the processing of Personal Data and Customer Data. We implement and maintain appropriate technical and organizational measures, internal controls, and information security routines designed to protect data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction.

Personnel Security

Confidentiality Obligations

OFFENSAI personnel will not process Personal Data or Customer Data without authorization. All personnel are obligated to maintain the confidentiality of any data they access, and this obligation continues even after their engagement with OFFENSAI ends.

Background Checks

OFFENSAI conducts reasonable and appropriate background investigations on personnel in accordance with applicable laws and regulations. Personnel must pass our background checks prior to being assigned to positions in which they will, or are reasonably expected to, have access to Personal Data or Customer Data.

Security Training

OFFENSAI conducts annual mandatory security awareness training to inform personnel about relevant security procedures and the consequences of violating those procedures. This training ensures our team stays current with security best practices and emerging threats.

Technical and Organizational Measures

Access Controls

  • We maintain a formal access control policy to manage employee access to Personal Data and Customer Data
  • Access rights are regularly reviewed for authorized personnel
  • Upon change in scope of employment or termination, access rights are promptly removed
  • Account credentials and authentication systems are protected with industry-standard security measures

Data Separation

Customer data is logically separated from other customers' data, ensuring isolation and preventing unauthorized cross-access.

Physical Security

OFFENSAI maintains appropriate physical security measures designed to protect tangible items such as physical computer systems, networks, servers, and devices that process data. Access to our facilities is tightly controlled, and upon termination of employment, physical access is promptly revoked.

Facility Access

Access to OFFENSAI facilities is tightly controlled through appropriate security measures. At termination of employment, OFFENSAI promptly revokes terminated personnel's physical access to all corporate facilities.

Data Protection

Permitted Use and Disclosure

OFFENSAI will not transfer, rent, barter, trade, sell, loan, lease, or otherwise process Personal Data or Customer Data in any manner other than:

  • As permitted or required by our agreements with customers
  • As otherwise instructed by the data controller
  • As required by applicable law

Subcontractor Management

Any subcontractors engaged by OFFENSAI are:

  • Evaluated to ensure they maintain appropriate physical, technical, organizational, and administrative controls
  • Required to comply with data protection obligations that are at least as protective as those in our Data Processing Addendum
  • Subject to our continued oversight and accountability

OFFENSAI remains responsible for the acts and omissions of its subcontractors as if OFFENSAI had performed the acts or omissions itself.

Business Continuity

OFFENSAI maintains a written business continuity and disaster recovery plan addressing the availability of Personal Data and Customer Data. This plan is designed to ensure service continuity and data availability even in the event of significant disruptions.

Security Incident Response

Notification

If OFFENSAI becomes aware of a Security Incident, we will:

  1. Notify affected customers without undue delay and no later than 48 hours after becoming aware
  2. Investigate and take reasonable steps to remediate the Security Incident
  3. Provide customers with information about the Security Incident
  4. Reasonably cooperate with customer investigation and response efforts

Definition

A "Security Incident" means a Personal Data breach or any unauthorized access or breach of security leading to, or reasonably believed to have led to, the theft, accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of, or access to, any Personal Data processed by OFFENSAI.

Compliance and Certifications

OFFENSAI is committed to maintaining compliance with applicable data protection laws and industry standards, including but not limited to:

  • GDPR (General Data Protection Regulation)
  • CCPA (California Consumer Privacy Act)
  • UK Data Protection Laws
  • Industry frameworks such as SOC 2, ISO 27001, and others as applicable

Data Transfers

When transferring data internationally, OFFENSAI implements appropriate safeguards in compliance with applicable Data Protection Laws, including:

  • EU Standard Contractual Clauses (SCCs) for transfers from the EU
  • UK Standard Contractual Clauses for transfers from the UK
  • Other approved data transfer mechanisms as appropriate

Audit Rights

Upon written request and subject to appropriate confidentiality agreements, OFFENSAI will:

  • Provide responses up to once per year to reasonable written questions for purposes of verifying compliance with our data protection obligations
  • Support additional assessments if required by applicable laws or following a Security Incident
  • Facilitate reviews conducted in a manner that does not compromise confidentiality obligations to other clients

Continuous Improvement

OFFENSAI may update these security measures from time to time to reflect:

  • Changes in our services and operations
  • Evolving security threats and best practices
  • Updates to applicable laws and regulations
  • Customer feedback and industry standards

Any material changes will be communicated through appropriate channels.

Contact Information

For questions about our security practices or to report a security concern, please contact:

OFFENSAI, Inc.
6770 Stanford Ranch Road, #1309
Roseville, CA 95678

Security Team Email: security@offensai.com
General Inquiries: legal@offensai.com


For information about how we handle your personal data, please review our Privacy Policy.

For our complete terms of service, please review our Terms of Service.

To report a security vulnerability, please visit our Vulnerability Disclosure page.


Document Version: 1.0