Security Practices
This page describes the high-level controls AskVerdict uses to reduce security risk and protect customer data. It is an informational summary and does not disclose sensitive implementation details.
Quick Summary
Applies to: High-level security practices for AskVerdict infrastructure, product, and operations.
- Summarizes governance, access control, secure development, and resilience controls.
- Describes monitoring and incident response processes at a non-sensitive level.
- Provides disclosure boundaries and reporting paths for security issues.
1. Security Governance
- Risk-based security program aligned to business impact.
- Defined ownership for security, privacy, and incident response.
- Policy-driven controls for access, data handling, and change management.
- Periodic review of controls as product architecture and threats evolve.
2. Identity and Access Management
- Least-privilege and role-scoped system access.
- Authentication controls for internal and administrative access.
- Access review and revocation on role or status changes.
- Logging for privileged operations and administrative actions where feasible.
3. Application Security
- Secure coding standards and peer review practices.
- Dependency monitoring and vulnerability remediation workflows.
- Input validation, authorization checks, and abuse safeguards.
- Structured testing before release for reliability and security regressions.
4. Infrastructure and Environment Security
- Environment separation and controlled deployment workflows.
- System hardening and patching as part of operations.
- Network and edge protections against common attack vectors.
- Backup and recovery planning for critical service components.
5. Data Security Controls
- Encryption in transit and at rest for supported data flows.
- Access control boundaries around customer data processing.
- Data minimization principles in service design and operations.
- Retention and deletion workflows tied to legal and business needs.
6. Monitoring and Detection
AskVerdict operates monitoring intended to detect service health anomalies, suspicious behavior, and operational failures in time to support rapid triage and containment.
- Alerting is prioritized by severity to support fast routing of security-significant events.
- Detection coverage is reviewed and tuned as product surfaces and threat patterns evolve.
- Monitoring data is access-controlled and retained according to operational and legal requirements.
7. Incident Response
We maintain incident response procedures covering detection, triage, containment, remediation, recovery, and post-incident review. Notification of affected customers is provided when required by law or contract.
Incident handling is risk-based. Higher-severity events receive immediate escalation and coordinated response across engineering, operations, and legal stakeholders as needed.
8. Resilience and Continuity
Service resilience measures are designed to reduce downtime and data loss risk. These measures may include redundancy patterns, alerting, operational runbooks, and recovery processes proportional to system criticality.
9. Vulnerability Management
- Regular review of known vulnerabilities in dependencies.
- Risk-based prioritization and remediation planning.
- Escalation paths for vulnerabilities with elevated exploitability.
- Security issue intake through responsible disclosure channels.
10. Vendor and Subprocessor Risk Management
Third-party providers are used where necessary to deliver service functionality. Vendor relationships are managed through legal and security controls appropriate to service scope and data sensitivity. Current providers are listed on our Subprocessors page.
11. Secure Change Management
Product and infrastructure changes follow controlled workflows with review, testing, and rollback planning. Emergency changes are limited to operational necessity and reviewed after deployment.
13. Security Disclosure Boundaries
To protect users and systems, we do not publish sensitive control details such as specific detection logic, infrastructure topology, response playbook internals, or exploit-specific mitigation patterns.
14. Reporting Security Issues
Security reports can be submitted through our Vulnerability Disclosure Policy.
15. Security Documentation and Assurance Requests
For customer due diligence, we may provide high-level security documentation, policy summaries, and questionnaire responses suitable for procurement or vendor risk review. Requests are evaluated based on customer relationship, confidentiality obligations, and operational feasibility.
16. Contact
For urgent security concerns, email support@askverdict.ai and include "Security" in the subject line.