| Program | Status |
|---|---|
| Penetration testing | Scheduled — not yet completed for production environment. Will be performed before broad public launch. |
| SOC 2 Type II | Planned. Self-attestation letter available at /soc2-attestation. Formal audit timeline: 12-18 months post public launch. |
| ISO 27001 | Not currently certified. Controls aligned with ISO 27001 Annex A requirements for access control, cryptography, and incident management. |
| GDPR compliance | DPA template available at /dpa. EU/UK data transfer mechanisms available on request. Processing occurs in the United States. |
| Vulnerability disclosure | Contact support@ai2coe.com with subject 'Security Disclosure'. Acknowledged within 2 business days. |
## Technical and organizational measures in production

### Encryption in transit

All data transmitted between client browsers and the AI2COE portal uses TLS 1.2 as the minimum protocol. HSTS is configured for production deployments to enforce HTTPS for all connections.

### Encryption at rest

The application database is encrypted at the storage layer in production. Diagnostic run folders containing report artifacts are stored on encrypted volumes.

### Access control — application layer

Administrative pages are protected by session authentication and owner-authorization checks. Report artifacts are tied to authenticated user accounts. Report link expiry controls are implemented.

### Access control — infrastructure layer

Production server access is restricted to authorized administrators via SSH key authentication. Password authentication for server access is disabled in production.

### Catalog data isolation

Each diagnostic run executes in an isolated session folder. Source catalog files are deleted immediately after report generation. No catalog row data is written to the application database.
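The isolation pattern described above (a fresh per-run folder, the catalog deleted as soon as the report exists, only aggregate output kept), as an added example that is not AI2COE's own code. The report generator `summarise_catalog`, the folder layout and the sample catalog are assumptions constructed for the example; the point it adds is that the `finally` clause deletes the catalog even when the diagnostic fails part-way.

```python
"""Isolated per-run working folder with guaranteed catalog deletion.

Added example, not AI2COE's own code. Shows the pattern the page describes:
each diagnostic runs in its own session folder, the uploaded catalog is
deleted as soon as the report exists (or the run fails), and only the report,
never the catalog rows, leaves the folder. summarise_catalog is a stand-in
for the real diagnostic and the sample catalog is constructed.
"""
from __future__ import annotations

import shutil
import tempfile
from dataclasses import dataclass
from pathlib import Path

# Constructed sample upload; not real client data. One row has no price.
SAMPLE_CATALOG_CSV = (
    b"sku,description,price\n"
    b"A100,widget,9.99\n"
    b"A200,gadget,19.99\n"
    b"A300,gizmo,\n"
)


@dataclass
class RunResult:
    run_dir: Path        # per-run folder; must not exist after the run
    report_path: Path    # durable artifact that is kept


def summarise_catalog(catalog_path: Path) -> str:
    """Stand-in for the diagnostic: returns aggregate findings only, no row data."""
    rows = catalog_path.read_bytes().decode().splitlines()[1:]
    missing_price = sum(1 for r in rows if r.rstrip().endswith(","))
    return f"rows={len(rows)}\nmissing_price={missing_price}\n"


def run_diagnostic(catalog: bytes, work_root: Path, reports_root: Path,
                   report_fn=summarise_catalog) -> RunResult:
    """Write the catalog into a fresh private folder, build the report, delete the folder."""
    work_root.mkdir(parents=True, exist_ok=True)
    reports_root.mkdir(parents=True, exist_ok=True)
    # mkdtemp creates the folder with a random name and mode 0700, so runs are
    # isolated from each other and from other local users.
    run_dir = Path(tempfile.mkdtemp(prefix="run-", dir=work_root))
    try:
        catalog_path = run_dir / "catalog.csv"
        catalog_path.write_bytes(catalog)
        report_text = report_fn(catalog_path)
        report_path = reports_root / f"{run_dir.name}.txt"
        report_path.write_text(report_text)
        return RunResult(run_dir=run_dir, report_path=report_path)
    finally:
        # Runs on success and on any exception raised by report_fn, so the
        # catalog never outlives the run that used it.
        shutil.rmtree(run_dir, ignore_errors=True)


def demo() -> dict:
    """Run one successful and one failing diagnostic and report what survived."""
    base = Path(tempfile.mkdtemp(prefix="diag-demo-"))
    work, reports = base / "work", base / "reports"
    ok = run_diagnostic(SAMPLE_CATALOG_CSV, work, reports)

    def failing_report(_: Path) -> str:
        raise RuntimeError("parser failed")

    failed = False
    try:
        run_diagnostic(SAMPLE_CATALOG_CSV, work, reports, report_fn=failing_report)
    except RuntimeError:
        failed = True
    observations = {
        "report_text": ok.report_path.read_text(),
        "run_dir_removed": not ok.run_dir.exists(),
        "work_root_empty": not any(work.iterdir()),  # no leftover run folders
        "failure_raised": failed,
        "reports_kept": len(list(reports.iterdir())),
    }
    shutil.rmtree(base, ignore_errors=True)
    return observations


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The report is written outside the run folder before the folder is removed, so a crash between the two steps can lose a report but never leave a catalog behind; that is the right failure direction for a control whose promise is deletion.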
### Security headers

X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy, Content-Security-Policy, and HSTS headers are configured on all responses.

### Session management

Session cookies are HTTP-only with SameSite=Lax. CSRF tokens are required for all state-changing form submissions. Sessions are invalidated on logout.
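A response checker for the "Security headers" and "Session management" controls above, added here as an example; it is not AI2COE's code. The header names and the HttpOnly/SameSite=Lax requirement come from this page; the accepted header values, the cookie name `session`, the additional Secure-flag check, and the sample responses are assumptions constructed for the example.

```python
"""Check an HTTP response's security headers and session-cookie attributes.

Added example, not AI2COE's own code. Verifies a response against the
controls listed on this page: the six named response headers, and a session
cookie that is HttpOnly and SameSite=Lax. The Secure-flag check and the
accepted values are assumptions; the sample responses are constructed.
"""
from __future__ import annotations

from http.cookies import SimpleCookie

# Headers the page states are set on every response, each with a value check
# (None means presence is enough for this check).
REQUIRED_HEADERS = {
    "strict-transport-security": lambda v: "max-age=" in v.lower(),
    "x-frame-options": lambda v: v.upper() in ("DENY", "SAMEORIGIN"),
    "x-content-type-options": lambda v: v.lower() == "nosniff",
    "referrer-policy": None,
    "permissions-policy": None,
    "content-security-policy": None,
}


def check_headers(headers: dict) -> list:
    """Return findings for missing or weak headers; an empty list means all pass."""
    lowered = {k.lower(): v for k, v in headers.items()}
    findings = []
    for name, validator in REQUIRED_HEADERS.items():
        if name not in lowered:
            findings.append(f"missing header: {name}")
        elif validator is not None and not validator(lowered[name]):
            findings.append(f"weak value for {name}: {lowered[name]!r}")
    return findings


def check_session_cookie(set_cookie: str, name: str = "session") -> list:
    """Verify the session cookie carries HttpOnly, SameSite=Lax (or Strict) and Secure."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    if name not in jar:
        return [f"session cookie {name!r} not set"]
    morsel = jar[name]
    findings = []
    if not morsel["httponly"]:
        findings.append("session cookie lacks HttpOnly")
    if morsel["samesite"].lower() not in ("lax", "strict"):
        findings.append(f"session cookie SameSite is {morsel['samesite'] or 'unset'!r}, expected Lax")
    if not morsel["secure"]:
        # Not stated on the page; HSTS keeps the browser on HTTPS but does not
        # set this attribute, so it is worth checking separately.
        findings.append("session cookie lacks Secure")
    return findings


# Constructed sample responses; not captured from the AI2COE portal.
GOOD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000; includeSubDomains",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "strict-origin-when-cross-origin",
    "Permissions-Policy": "camera=(), microphone=(), geolocation=()",
    "Content-Security-Policy": "default-src 'self'",
}
GOOD_SET_COOKIE = "session=abc123; HttpOnly; SameSite=Lax; Secure; Path=/"

WEAK_HEADERS = dict(GOOD_HEADERS)
del WEAK_HEADERS["Content-Security-Policy"]
WEAK_HEADERS["X-Content-Type-Options"] = "none"
WEAK_SET_COOKIE = "session=abc123; SameSite=None; Path=/"


if __name__ == "__main__":
    for label, hdrs, cookie in (("good", GOOD_HEADERS, GOOD_SET_COOKIE),
                                ("weak", WEAK_HEADERS, WEAK_SET_COOKIE)):
        print(label, check_headers(hdrs) + check_session_cookie(cookie))
```

Header lookups are case-insensitive because HTTP header names are, and SimpleCookie is used rather than string splitting so that quoted values and attribute order do not produce false findings.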
### Incident response

Affected clients are notified of material security incidents affecting their data without undue delay, and within 72 hours of discovery, consistent with GDPR Article 33 processor obligations.

## Current compliance posture — honest disclosure
All data in transit is protected by TLS 1.2 or higher. Catalog data and report artifacts stored at rest are encrypted with AES-256. Session run folders are isolated per upload and purged automatically after report generation completes.
Industrial IQ commits to notifying affected clients within 72 hours of confirming a material data breach, consistent with GDPR Article 33 processor obligations. Notification includes breach nature, data categories affected, estimated record count, and remediation actions taken.
## Completing a vendor security assessment?
For enterprise accounts completing a vendor security questionnaire, a pre-populated response document is available on request. Contact support@ai2coe.com with “Security Questionnaire” in the subject line and attach your organization's template. Standard questionnaires (CAIQ, SIG Lite, custom) are responded to within 5 business days.