Enterprise Security and Development Standards
A proactive declaration of our security posture. Shared before you ask.
Most vendors wait to be asked about security. We do not. CenturionAI builds AI-powered enterprise software for South African businesses. Every product we deliver is built against the standards on this page — not retrofitted to meet them after the fact.
This is not a marketing document. Every item is a live practice or a committed roadmap item with a named timeline. Where we are still building, we say so honestly.
80 controls active · 13 in implementation · 10 security domains
Section 01
Company Overview and Enterprise Commitment
Security is a founding commitment, not a feature added on request.
5 active · 1 in implementation
CenturionAI is incorporated in South Africa
All products designed for enterprise deployment from inception — not retrofitted
Named executive holds accountability for security and compliance
Security standards documented and reviewed at least annually
Enterprise prospects may request a dedicated security briefing
Responsible disclosure and partner notification policy in place (formal programme Q2 2025)
Section 02
Secure Development Lifecycle (SDLC)
Security is engineered into every stage of development — not added as an afterthought.
8 active · 2 in implementation
Formal secure SDLC policy documented and followed by all engineers
Threat modelling conducted for all new features and integrations
Mandatory peer code review before any code reaches production
Static application security testing (SAST) integrated into the CI/CD pipeline; expanding coverage Q2 2025
Dynamic application security testing (DAST) in deployment pipeline; integration Q2 2025
Software composition analysis (SCA) on every build — open source CVE scan
Separate development, staging, and production environments — strictly isolated
No production data used in development or test environments
Security training mandatory for all engineers — renewed annually
Secure coding standards documented and enforced via code review
Section 03
Data Protection and Encryption
Client data is treated as sensitive by default. Encryption is applied at every layer without exception.
10 active · 1 in implementation
All data in transit encrypted via TLS 1.3 — no legacy protocol fallback
All data at rest encrypted using AES-256 or equivalent
Database-level encryption enabled — separate from disk-level
Personally identifiable information (PII) encrypted at column level in databases
Encryption keys managed via a dedicated key management service (KMS); KMS policy in place, automated rotation Q3 2025
All backup data encrypted to the same or higher standard
Data minimisation enforced — only data required for the task is collected
Client data is never used to train or fine-tune AI models
Data residency in South Africa for all primary data stores
Right to deletion implemented — data removed within 14 days of request
No personal data shared with third parties without documented consent or legal basis
Section 04
Access Control and Identity Management
Access to systems and data is earned, scoped, and revoked — never assumed.
9 active · 2 in implementation
Role-Based Access Control (RBAC) implemented across all products and systems
Multi-Factor Authentication (MFA) mandatory for all staff and admin accounts
MFA available for enterprise client accounts (end-user MFA rollout Q3 2025)
Single Sign-On (SSO) / SAML 2.0 support for enterprise client integration; enterprise tier, full rollout Q3 2025
Principle of least privilege — users receive minimum access required
Session timeout enforced on inactivity — configurable, default 30 minutes
Password policy enforced: minimum length, complexity, and breach-list check
Access provisioning and de-provisioning logged with actor and timestamp
Staff access removed within 24 hours of role change or termination
Access rights reviewed quarterly for all staff and service accounts
API access controlled via scoped, rotatable keys with rate limiting
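The password policy above names three checks: minimum length, complexity, and a breach-list check. The following is an added example, not CenturionAI's code, showing how a practitioner typically implements the breach-list part without sending the password (or its full hash) anywhere: the k-anonymity range lookup popularised by Have I Been Pwned, where only the first five hex characters of the SHA-1 hash leave the client and the caller matches the remaining suffix locally. The range data here is constructed and embedded so the example runs offline; the lookup function is a stand-in for the HTTP call, and the threshold values (12 characters, 3 of 4 character classes) are assumptions, not the page's stated policy.

```python
import hashlib
import re
from typing import Callable

# Constructed range data, not a real breach corpus. The shape follows the
# k-anonymity "range" response: every "SUFFIX:COUNT" pair whose SHA-1 shares
# the 5-character prefix the client asked for. The count for "password" is
# illustrative; the two filler suffixes are invented.
CONSTRUCTED_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\n"  # SHA-1("password")
        "003D68EB55068C33ACE09247EE4C639306B:3\n"         # constructed filler
        "01D2F5C1E9A12C4B5A7B0F8E6D3C2B1A0F9:1\n"         # constructed filler
    ),
}


def constructed_range_lookup(prefix: str) -> str:
    """Stand-in for the HTTP range call (assumption). Unknown prefix -> empty body."""
    return CONSTRUCTED_RANGES.get(prefix, "")


def breach_count(password: str, lookup: Callable[[str], str]) -> int:
    """Return how often the password appears in the corpus, 0 if never.

    Only the 5-character prefix is handed to `lookup`; the 35-character suffix
    is compared locally, so the service never learns which hash was checked.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup(prefix).splitlines():
        if ":" not in line:
            continue
        candidate, count = line.strip().split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


# Lowercase, uppercase, digit, symbol.
_CLASSES = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def check_password(password: str, *, min_length: int = 12, min_classes: int = 3,
                   lookup: Callable[[str], str] = constructed_range_lookup) -> list[str]:
    """Return the list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < min_length:
        failures.append(f"length {len(password)} is below the minimum of {min_length}")
    classes = sum(1 for pattern in _CLASSES if re.search(pattern, password))
    if classes < min_classes:
        failures.append(f"uses {classes} of 4 character classes; {min_classes} required")
    count = breach_count(password, lookup)
    if count:
        failures.append(f"found {count} times in the breach corpus")
    return failures


if __name__ == "__main__":
    for candidate in ("password", "correct-Horse-battery-9-staple"):
        result = check_password(candidate)
        print(candidate, "->", "accepted" if not result else "; ".join(result))
```

In production the `lookup` argument is replaced with a function that performs the real range request (and fails closed, or at least logs, when the service is unreachable); keeping it injectable is what makes the policy testable offline. Note that the breach check is a reject list, not a strength score: a password can pass all three checks and still be weak, which is why MFA is listed as mandatory alongside it.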
Section 05
Infrastructure and Cloud Security
Hardened at every layer, hosted on an ISO 27001 certified cloud provider. The provider's certification covers the underlying platform; CenturionAI's own ISO 27001 certification is tracked under Compliance and Regulatory Alignment below.
8 active · 1 in implementation
Production infrastructure hosted on ISO 27001 certified cloud provider
Production, staging, and development environments fully isolated via VPC
Web Application Firewall (WAF) active on all public-facing endpoints
DDoS protection enabled at infrastructure level
All cloud storage private by default — no public bucket access permitted
Network segmentation — internal services not exposed to the public internet
Security group and firewall rules reviewed quarterly
Container images scanned for vulnerabilities before deployment (scanning integrated; policy enforcement Q2 2025)
All third-party integrations use official, approved API channels only
Section 06
Vulnerability and Patch Management
We find weaknesses before adversaries do.
8 active
Annual penetration test by an independent third party (report available under NDA on request)
Critical CVEs patched within 72 hours of confirmed identification
High-severity CVEs patched within 30 days
Medium-severity CVEs patched within 90 days
Patch exceptions require documented risk acceptance and approval
Automated dependency vulnerability scanning (SCA) on every build
Critical SCA findings block deployment pipeline automatically
Security patches deployed across all environments — not production only
Section 07
Audit Logging and Monitoring
We log everything that matters, protect those logs from tampering, and alert on anomalies.
8 active · 1 in implementation
All authentication events logged — successes, failures, and logouts with IP and timestamp
All privileged and administrative actions logged with actor, action, and change detail
All data access and export events logged per user and per record
All API calls logged with caller identity, endpoint, and response code
Log retention minimum 12 months — 90 days hot, remainder archived
Log access restricted to named security team members only
Security event dashboard reviewed weekly by the security team
Audit log extracts available to enterprise clients on request
Real-time alerting on anomalous activity patterns (rule-based alerting active; SIEM integration Q2 2025)
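The logging section lists authentication events with IP and timestamp, privileged actions with actor, and rule-based alerting. As an added example (not CenturionAI's detection logic or log schema), the block below runs three such rules over a handful of constructed JSON log lines: a burst of failed logins for one account inside a sliding window, a successful login immediately following that burst (the pattern a brute-force or credential-stuffing success leaves behind), and a privileged action from an IP address that the actor has never successfully logged in from. Field names (`ts`, `event`, `user`, `ip`, `outcome`, `detail`), the 5-failures-in-10-minutes threshold, and the sample addresses are all assumptions made for the example.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events; the field names and values are assumptions for
# this example, not the schema the page describes. IPs are documentation ranges.
CONSTRUCTED_LOG = """\
{"ts":"2025-03-01T08:00:00Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"failure"}
{"ts":"2025-03-01T08:00:07Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"failure"}
{"ts":"2025-03-01T08:00:15Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"failure"}
{"ts":"2025-03-01T08:00:22Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"failure"}
{"ts":"2025-03-01T08:00:31Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"failure"}
{"ts":"2025-03-01T08:00:44Z","event":"auth.login","user":"alice","ip":"198.51.100.23","outcome":"success"}
{"ts":"2025-03-01T08:05:00Z","event":"auth.login","user":"bob","ip":"203.0.113.8","outcome":"success"}
{"ts":"2025-03-01T08:06:10Z","event":"admin.role_change","user":"bob","ip":"192.0.2.77","outcome":"success","detail":"carol: analyst -> admin"}
{"ts":"2025-03-01T08:10:00Z","event":"auth.login","user":"carol","ip":"203.0.113.9","outcome":"failure"}
{"ts":"2025-03-01T08:10:09Z","event":"auth.login","user":"carol","ip":"203.0.113.9","outcome":"success"}
"""

FAIL_THRESHOLD = 5                 # assumption: failures per account ...
FAIL_WINDOW = timedelta(minutes=10)  # ... within this sliding window


def parse_ts(value: str) -> datetime:
    """Parse an RFC 3339 timestamp; the 'Z' suffix is normalised for older Pythons."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def detect(log_text: str) -> list[dict]:
    """Run the three rules over newline-delimited JSON events, in order, and return alerts."""
    alerts = []
    recent_failures = defaultdict(deque)  # user -> timestamps of failures inside the window
    in_burst = set()                      # users currently over the failure threshold
    known_ips = defaultdict(set)          # user -> IPs seen on a successful login

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ts, user, ip = parse_ts(ev["ts"]), ev["user"], ev["ip"]

        if ev["event"] == "auth.login":
            if ev["outcome"] == "failure":
                window = recent_failures[user]
                window.append(ts)
                while ts - window[0] > FAIL_WINDOW:   # drop failures older than the window
                    window.popleft()
                if len(window) >= FAIL_THRESHOLD and user not in in_burst:
                    in_burst.add(user)                # alert once per burst, not per failure
                    alerts.append({"ts": ev["ts"], "rule": "auth.failure_burst", "user": user,
                                   "ip": ip, "detail": f"{len(window)} failures within {FAIL_WINDOW}"})
            elif ev["outcome"] == "success":
                if user in in_burst:
                    alerts.append({"ts": ev["ts"], "rule": "auth.success_after_burst", "user": user,
                                   "ip": ip, "detail": "login succeeded after failure burst"})
                    in_burst.discard(user)
                    recent_failures[user].clear()
                known_ips[user].add(ip)
        elif ev["event"].startswith("admin."):
            if ip not in known_ips[user]:             # privileged action from an unfamiliar IP
                alerts.append({"ts": ev["ts"], "rule": "admin.unfamiliar_ip", "user": user,
                               "ip": ip, "detail": ev.get("detail", "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(CONSTRUCTED_LOG):
        print(alert["ts"], alert["rule"], alert["user"], alert["ip"], alert["detail"])
```

Two design points worth noting. The burst rule fires once per burst rather than on every failure past the threshold, which keeps the alert volume proportional to incidents instead of attempts. The unfamiliar-IP rule only works because authentication and privileged-action records share an actor identity and an IP field, which is exactly the join the logging commitments above make possible; in this stand-alone form the state lives in process memory, whereas a SIEM would hold it across restarts and sources.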
Section 08
Incident Response and Breach Notification
When something goes wrong, speed and transparency are our obligations.
7 active · 1 in implementation
Documented Incident Response Plan (IRP) reviewed annually
Named security incident lead with 24/7 escalation contact
Client notification of confirmed security incidents within 72 hours — POPIA-aligned
Notification to Information Regulator per POPIA Section 22 — Form 4 notification process documented
Post-incident Root Cause Analysis (RCA) shared with affected clients within 14 days
Severity classification framework defined for all incident types
Client-facing incident communication templates prepared in advance
IRP tested via annual tabletop exercise with leadership (first formal tabletop Q2 2025)
Section 09
Compliance and Regulatory Alignment
Built for the regulatory environment our clients operate in — starting with South African law.
9 active · 2 in implementation
POPIA compliant — Protection of Personal Information Act (South Africa)
Information Officer appointed and registered with the Information Regulator
GDPR-ready by design — data processing aligned with GDPR principles
Data Processing Agreement (DPA) available for all enterprise clients; standard DPA on request, bespoke DPA negotiable
Sub-processor register maintained — full list available on request
Clients notified of material sub-processor changes with 30-day notice
AI governance: model transparency and limitation disclosure to clients
AI outputs do not constitute regulated professional advice — clear boundary maintained
Sector-specific compliance supported on request for regulated deployments (FAIS, FICA and NCA obligations; FSCA conduct requirements)
SOC 2 Type II — readiness assessment underway, target Q4 2025
ISO 27001 — gap analysis complete, certification roadmap in progress, certification target 2026
Section 10
Business Continuity and Availability
Enterprise clients cannot afford downtime and neither can we.
8 active · 2 in implementation
Recovery Time Objective (RTO) defined — target 4 hours for production systems
Recovery Point Objective (RPO) defined — target 1 hour; backups every 15 minutes
Automated backups with cross-region replication
Disaster recovery runbooks documented for all critical systems
Uptime SLA of 99.9% or above on enterprise tier
SLA credits apply for downtime exceeding committed uptime
Public status page with real-time availability and incident history
Planned maintenance communicated minimum 48 hours in advance
Annual DR test with documented results (first formal DR test Q2 2025)
Multi-region failover available for enterprise deployments on request (enterprise tier, Q3 2025)
Additional Questions
Ask anything this page does not cover.
If this page does not answer a specific security requirement relevant to your organisation, we welcome the opportunity to respond in writing. Additional questions may be submitted to security@centurionai.co.za. We commit to responding to all written security questions within 5 business days. The full Enterprise Security and Development Standards document is available under NDA for enterprise prospects.
Declaration
The controls and practices described on this page reflect CenturionAI's current security posture and committed development roadmap. CenturionAI undertakes to notify recipients of any material change to this document within 30 days of such change occurring.
CenturionAI (Pty) Ltd · security@centurionai.co.za · Version 1.0 — 2025
Get in touch
Talk to Wandile directly
No sales team. No automated responses. Every enquiry goes directly to Wandile Lokwe. Describe your problem and you will get a direct answer about whether CenturionAI can solve it.