Security Policy

Company: ProducterHQ OÜ

Registration Number: 16539847

Jurisdiction: Republic of Estonia

Address: Tiiu tn 12/322, Kesklinna linnaosa, 10135 Tallinn, Harju maakond, Estonia

Website: https://mues.ai/

• General Data Protection Regulation (GDPR)

• Estonian Personal Data Protection Act

• Estonian Cybersecurity Act

• SOC 2 Type II (planned certification)

• ISO 27001 (planned certification)

• Primary Cloud Provider: Amazon Web Services (AWS Lightsail)

• Data Center Locations: European Union regions exclusively

• Primary Regions: eu-west-3 (Paris), eu-central-1 (Frankfurt)

• Compliance: AWS maintains SOC 2/3, ISO 27001, and GDPR compliance

• Access Control: Multi-layered biometric and card-based access systems

• Monitoring: 24/7 security personnel and surveillance

• Environmental Controls: Climate control, fire suppression, and power redundancy

• Compliance: AWS facilities maintain ISO 27001 and SOC 2 certifications

• Architecture: Zero-trust network model with micro-segmentation

• Encryption: All network traffic encrypted using TLS 1.3

• Firewalls: Web Application Firewall (WAF) and Network Access Control Lists

• Monitoring: Real-time network traffic analysis and intrusion detection

• Public: Marketing materials, public documentation

• Internal: Business operations, non-sensitive communications

• Confidential: Customer data, conversation logs, usage analytics

• Restricted: Authentication credentials, encryption keys, financial data

• AES256 encryption for all stored data

• Database-level encryption with automated key management

• Object storage encryption using server-side encryption

• Regular encryption key rotation (quarterly)

• TLS 1.3 for all external communications

• Certificate pinning for mobile applications

• Perfect Forward Secrecy (PFS) implementation

• Rejection of connections using TLS below 1.2

• Managed database services with automated backups

• Point-in-time recovery capabilities

• Database activity monitoring and logging

• Secure object storage with versioning enabled

• Cross-region replication for disaster recovery

• Lifecycle policies for automated data management

• Access logging and monitoring

• Enterprise-grade API access with dedicated capacity

• Data processing agreements compliant with GDPR

• Zero data retention for API calls

• Content filtering and safety measures

• Constitutional AI with built-in safety measures

• Enterprise privacy controls

• Real-time content moderation

• Secure API integration

• Google Cloud AI with enterprise security

• Data residency controls within EU

• Advanced threat protection

• Compliance with Google's AI principles

• Comprehensive input sanitization and validation

• Protection against prompt injection attacks

• Content filtering for malicious inputs

• Rate limiting and abuse detection

• Real-time output analysis for harmful content

• Automated content filtering and moderation

• Human oversight for sensitive operations

• Audit trails for all AI interactions

• Secure model deployment and versioning

• Protection against model extraction attacks

• Regular security assessments of AI components

• Isolation of AI processing environments

• Mandatory for all user accounts

• Support for TOTP, SMS, and hardware tokens

• Biometric authentication for mobile applications

• Session management with automatic timeout

• OAuth 2.0 integration with Google and GitHub

• SAML 2.0 support for enterprise customers

• Just-in-time (JIT) user provisioning

• Centralized access management

• Role-based access control (RBAC)

• Time-limited administrative access

• Regular access reviews and certification

• Automated deprovisioning for terminated employees

• Secure bastion hosts for infrastructure access

• Session recording and monitoring

• Break-glass procedures for emergency access

• Multi-person authorization for critical operations

• Secure coding standards and guidelines

• Static Application Security Testing (SAST)

• Dynamic Application Security Testing (DAST)

• Dependency scanning and vulnerability management

• Isolated development, staging, and production environments

• Data masking in non-production environments

• Separate encryption keys per environment

• Controlled promotion processes

• Secure JavaScript SDK with Content Security Policy (CSP)

• Subresource Integrity (SRI) for script validation

• Cross-Origin Resource Sharing (CORS) controls

• Regular security updates and patching

• OAuth 2.0 with PKCE for API authentication

• Rate limiting and throttling

• Input validation and output encoding

• API gateway with security policies

• Security Information and Event Management (SIEM)

• Automated threat detection and alerting

• User behavior analytics (UBA)

• Infrastructure monitoring and alerting

• Comprehensive audit logs for all system activities

• Centralized log management and analysis

• Log integrity protection and retention

• Regular log review and analysis

• Dedicated incident response team

• 24/7 security operations center (SOC)

• Escalation procedures and communication plans

• Regular incident response training and drills

• Incident classification and prioritization

• Containment and eradication procedures

• Recovery and post-incident analysis

• Regulatory notification requirements

• Multi-Availability Zone deployment

• Auto-scaling and load balancing

• Database clustering and replication

• Content delivery network (CDN) integration

• 99.9% uptime service level agreement

• Automated failover procedures

• Regular maintenance windows with advance notice

• Performance monitoring and optimization

• Automated daily backups with retention policies

• Cross-region backup replication

• Point-in-time recovery capabilities

• Regular backup testing and validation

• Recovery Time Objective (RTO): 4 hours

• Recovery Point Objective (RPO): 1 hour

• Documented recovery procedures

• Annual disaster recovery testing

• Security assessments for all vendors

• Contractual security requirements

• Regular vendor security reviews

• Incident notification procedures

• Stripe: PCI DSS compliant payment processing

• AWS: SOC 2/3 and ISO 27001 certified infrastructure

• AI Providers: Enterprise-grade security and privacy controls

• GDPR-compliant data processing agreements

• Standard contractual clauses for international transfers

• Security and confidentiality obligations

• Incident notification requirements

• GDPR compliance with documented procedures

• Estonian data protection law compliance

• EU-US Data Privacy Framework participation

• Regular compliance audits and assessments

• SOC 2 Type II: Q4 2025

• ISO 27001: Q2 2026

• ISO 27017: Q4 2026 (Cloud Security)

• ISO 27018: Q4 2026 (Cloud Privacy)

• Mandatory security training for all employees

• Quarterly security updates and refreshers

• Phishing simulation and testing

• Incident response training

• Secure development training for engineers

• Privacy training for customer-facing staff

• Compliance training for management

• AI ethics and safety training

• Security documentation and guidelines

• Best practices for AI agent usage

• Regular security webinars and updates

• Incident notification and response guidance

• Email: security@mues.ai

• Response Time: 24 hours for security inquiries

• Emergency: security-emergency@mues.ai

• Responsible disclosure program

• Email: security@mues.ai

• Acknowledgment within 24 hours

• Regular updates on remediation progress