Security & Ethics

Operational intelligence systems handle sensitive infrastructure data. This page details exactly how we protect it, what standards we follow, and where our ethical boundaries are.

How We Handle Your Data

Every byte of data that flows through our systems is governed by strict policies — from collection to storage to deletion.

Encryption at Rest

All data stored in our systems uses AES-256 encryption. Database-level encryption is enforced across every deployment, with keys rotated on policy-defined schedules.

Encryption in Transit

All communication channels use TLS 1.3. API endpoints are served only over HTTPS and send HSTS headers so that browsers refuse plaintext connections on later visits. Internal service-to-service communication uses mTLS where applicable.
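The three claims above (TLS 1.3, HTTPS-only endpoints, HSTS) are ones a client can verify from the outside before trusting them. The following is an added example written for this page, not code from Xynak or from the original text: a small checker that refuses to negotiate anything below TLS 1.3 and then grades the Strict-Transport-Security header it receives. The hostname, the one-year max-age threshold, and the sample header values are assumptions made for illustration; the header-grading part runs offline on constructed inputs.

```python
"""Added example (not Xynak's code): verify a TLS 1.3 / HSTS claim from the client side.

  * parse_hsts() / evaluate_hsts(): pure functions that parse a
    Strict-Transport-Security value and report hardening gaps.
  * probe(): connects with a context whose minimum version is TLS 1.3,
    sends a HEAD request and grades the HSTS header. Only probe() needs
    network access; the constructed headers at the bottom run offline.
"""
import http.client
import ssl
import sys
from typing import Dict, List, Optional, Union

# Assumption for this example: one year, the minimum the browser preload lists accept.
ONE_YEAR = 31536000


def parse_hsts(value: str) -> Dict[str, Union[str, bool]]:
    """Split 'max-age=N; includeSubDomains; preload' into a directive dict.

    Directive names are case-insensitive (RFC 6797), so keys are lower-cased.
    Directives without a value (includeSubDomains, preload) map to True.
    """
    directives: Dict[str, Union[str, bool]] = {}
    for part in value.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') if val else True
    return directives


def evaluate_hsts(value: Optional[str]) -> List[str]:
    """Return a list of findings; an empty list means the header is acceptable."""
    if value is None:
        return ["no Strict-Transport-Security header"]
    findings: List[str] = []
    d = parse_hsts(value)
    max_age = d.get("max-age")
    if not (isinstance(max_age, str) and max_age.isdigit()):
        findings.append("max-age missing or not an integer")
    else:
        age = int(max_age)
        if age == 0:
            findings.append("max-age=0 disables HSTS")
        elif age < ONE_YEAR:
            findings.append(f"max-age {age} is below one year ({ONE_YEAR})")
    if "includesubdomains" not in d:
        findings.append("includeSubDomains not set")
    return findings


def tls13_only_context() -> ssl.SSLContext:
    """Default context (certificate + hostname verification) that refuses < TLS 1.3."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    return ctx


def probe(host: str, port: int = 443) -> dict:
    """Connect to host, fail if TLS 1.3 cannot be negotiated, and grade its HSTS header."""
    conn = http.client.HTTPSConnection(host, port, context=tls13_only_context(), timeout=10)
    conn.request("HEAD", "/")
    resp = conn.getresponse()
    version = conn.sock.version()  # e.g. 'TLSv1.3'; the context already rejected anything lower
    hsts = resp.getheader("Strict-Transport-Security")
    conn.close()
    return {"tls_version": version, "hsts": hsts, "hsts_findings": evaluate_hsts(hsts)}


if __name__ == "__main__":
    # Constructed sample header values for offline use (not captured from any real host).
    for sample in [None, "max-age=0", "max-age=86400", "max-age=63072000; includeSubDomains; preload"]:
        print(f"{sample!r:55} -> {evaluate_hsts(sample) or 'ok'}")
    # Optional live check: python hsts_check.py example.invalid  (hostname is an assumption)
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
```

A connection that succeeds from this script proves the endpoint offers TLS 1.3; it does not prove older versions are disabled for other clients, which would need a separate probe with a context capped at TLS 1.2.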

Access Control

Access is governed by role-based access control (RBAC) under the principle of least privilege. All access is logged, auditable, and periodically reviewed. Shared credentials are never used.

Data Minimization

We collect only what's operationally necessary. Sensor data is scoped to the monitoring objective. Personal data is excluded by design.

Retention Policies

Data retention periods are defined per-project. Raw data is purged according to agreed schedules. Aggregated metrics can be retained longer with explicit approval.

Incident Response

Documented incident response plan with defined escalation paths. Clients are notified within 24 hours of any confirmed security event. Post-incident reports are standard.

Ethical Use Policy

Technology is a tool. How it's used matters. These are the principles that govern every engagement.

1. No Surveillance of Individuals

Our systems monitor infrastructure, environments, and operational processes — never individuals. We do not build facial recognition, behavioral tracking, or employee surveillance systems.

2. Informed Consent & Transparency

Every deployment includes clear documentation of what is being monitored, why, and by whom. Stakeholders are informed before systems go live. No covert monitoring.

3. Algorithmic Accountability

When we use statistical models or machine learning, we document the training data, assumptions, limitations, and failure modes. Every automated decision is auditable and explainable.

4. Right to Explanation

Any stakeholder affected by our systems has the right to understand how decisions or alerts are generated. We provide plain-language documentation alongside technical specifications.

5. Engagement Refusal

We reserve the right to decline any project that conflicts with our ethical standards — including mass surveillance, oppressive monitoring, or systems designed to circumvent civil liberties.

Standards & Compliance Approach

We align with international standards and are transparent about where we are in the compliance journey.

ISO 27001: Aligned

Information security management practices aligned with the ISO 27001 framework.

GDPR: Compliant

Data processing activities comply with GDPR requirements for EU-related engagements.

SOC 2: In Progress

Working toward SOC 2 Type II certification against the trust services criteria.

NIST CSF: Aligned

Cybersecurity practices structured around the NIST Cybersecurity Framework guidelines.

Enterprise Readiness

We understand that large enterprises and public-sector organizations have requirements beyond those of typical commercial engagements. Our approach is designed to meet them:

On-premise deployment capability
Air-gapped network support
Full source code audit availability
Dedicated security contact & SLA
Customizable data residency
Third-party penetration testing
Documented chain of custody
Staff background verification

Security Questions?

If you have specific security, compliance, or ethics questions about working with Xynak, we're happy to discuss them in detail during a consultation.
