This Security Addendum is part of Your Terms with InPolicy LLC. Any capitalized terms not defined here have the meaning set forth in the Terms of Service or Data Processing Agreement. InPolicy's computing services are cloud-based and provided via Google Cloud Platform ("Cloud Environment"). InPolicy shall implement and maintain the security measures described in this Security Addendum throughout the term of the Agreement. InPolicy shall not materially reduce the overall level of security protection provided under this Security Addendum during the term without providing at least thirty (30) days’ prior written notice to Customer. InPolicy will periodically review and update its security measures to address evolving threats, vulnerabilities, and industry best practices, provided that such updates do not materially diminish the protections afforded under this Security Addendum.
1. Certifications and Audits
1.1 InPolicy is in active preparation for SOC 2 Type I certification. Upon completion, reports will be made available to customers upon request subject to confidentiality obligations.
1.2 InPolicy intends to pursue SOC 2 Type II following Type I and will notify customers when obtained.
1.3 In lieu of a completed SOC 2 report, InPolicy will provide its current security posture report upon request at security@inpolicy.ai.
2. Hosting Location
2.1 Customer Data is stored and processed exclusively in the United States on Google Cloud Platform infrastructure.
2.2 InPolicy does not store Content. All Content is processed transiently and never written to persistent storage.
2.3 InPolicy does not transfer Customer Data outside the United States. InPolicy shall not change the geographic location of its data processing or storage infrastructure without Customer’s prior written consent. InPolicy shall ensure that all Subprocessors similarly process and store Customer Data exclusively within the United States unless otherwise agreed in writing with Customer.
3. Encryption
3.1 InPolicy encrypts Customer Data at rest using AES-256 (or equivalent) encryption provided by GCP.
3.2 InPolicy uses TLS 1.2 or better for all Customer Data and Content in transit over public or untrusted networks.
3.3 Encryption key management leverages Google-managed encryption key infrastructure on GCP, with logical separation of keys from Customer Data. Encryption keys are rotated at least annually, or more frequently as required by industry best practices. InPolicy does not store encryption keys alongside encrypted data. All inter-service communication within InPolicy’s backend infrastructure is encrypted in transit. InPolicy is evaluating Customer-Managed Encryption Keys (CMEK) as a future capability for enterprise customers and will notify customers when this feature becomes available.
4. Access Controls
4.1 Access to InPolicy's Cloud Environment requires a unique user ID, multi-factor authentication (MFA), and a secure connection, consistent with the principle of least privilege.
4.2 InPolicy personnel will not access Customer Data or Content except: (i) to provide or support the Service as explicitly requested by Customer; or (ii) to comply with applicable law or a binding governmental order. Any such access is logged.
4.3 InPolicy personnel use company-managed devices with encryption and endpoint security controls.
4.4 Access rights are reviewed and revoked promptly upon personnel departure or role change. Access rights are reviewed at least quarterly to ensure that permissions remain appropriate and consistent with the principle of least privilege. Privileged access to production systems is limited to a designated set of senior engineering personnel, requires additional approval, and is subject to enhanced logging and monitoring. All administrative sessions are subject to automatic timeout after a period of inactivity. InPolicy maintains a formal access request and approval process, and all access grants and revocations are documented and auditable.
5. Network and System Security
5.1 InPolicy leverages GCP's threat detection, monitoring, and alerting capabilities for suspicious activities and security incidents. InPolicy maintains centralized security logging and monitoring across all production systems, including application logs, access logs, and infrastructure events. Logs are retained for a minimum of twelve (12) months for audit and forensic purposes. InPolicy employs automated alerting for anomalous behavior, unauthorized access attempts, and potential security incidents. Security events are triaged and investigated by designated personnel within defined response timeframes.
5.2 Vulnerabilities are prioritized and addressed as follows:
| Severity | Maximum Remediation Window |
|---|---|
| Critical | 7 days |
| High | 30 days |
| Medium | 90 days |
| Low | Next scheduled maintenance cycle |
5.3 InPolicy intends to engage an independent third party for annual penetration testing following the conclusion of the beta period. Summary results will be made available to customers upon request following completion.
6. Subprocessor Security
6.1 InPolicy requires all Subprocessors to maintain data protection and security obligations substantially equivalent to this Security Addendum. Prior to engaging any Subprocessor, InPolicy conducts a security assessment of the Subprocessor’s technical and organizational measures, including review of applicable security certifications (e.g., SOC 2, ISO 27001), data handling practices, and incident response capabilities. InPolicy periodically re-assesses the security posture of its Subprocessors and will promptly notify Customer if a Subprocessor fails to meet the security requirements of this Security Addendum.
6.2 InPolicy's LLM subprocessor (Google Cloud, Vertex AI) is subject to Google's Cloud Data Processing Addendum, which prohibits training on customer data and requires zero data retention for inference requests.
6.3 Subprocessors, except for cloud storage providers, will not retain or log Content for human review.
7. Incident Detection and Response
7.1 InPolicy maintains an incident response process to detect, contain, and remediate security incidents.
7.2 In the event of a confirmed Personal Data Breach, InPolicy will:
- Notify Customer within 72 hours of becoming aware
- Provide: nature of the breach; categories and approximate number of Data Subjects and records affected; likely consequences; and measures taken or proposed
- Cooperate with Customer and take reasonable steps to mitigate
7.3 Notification does not constitute acknowledgment of fault or liability. InPolicy shall maintain a written record of all security incidents, including the facts relating to the incident, its effects, and the remedial action taken. Such records shall be made available to Customer upon reasonable request. InPolicy shall not notify any third party of a Personal Data Breach affecting Customer Data without Customer’s prior written consent, unless required by applicable law. InPolicy shall provide reasonable cooperation to Customer in connection with any notifications that Customer is required to make to Data Subjects, Supervisory Authorities, or other third parties.
8. Customer Audit Rights
8.1 Upon at least 30 days' prior written notice, InPolicy will provide information necessary to confirm compliance with this Security Addendum, including its current security posture report and, upon completion, its SOC 2 report.
8.2 Formal audits may be conducted no more than once per calendar year, at Customer's expense, during normal business hours, in a manner agreed in advance by both parties.
8.3 InPolicy may satisfy audit requests by providing a current third-party audit report where it sufficiently addresses the scope of the inquiry.
8.4 All audit materials provided to Customer are InPolicy's Confidential Information and may only be used to assess InPolicy's security practices. Customer shall not disclose audit materials to any third party without InPolicy’s prior written consent, except to the extent required by applicable law or regulation, or to Customer’s professional advisors who are bound by confidentiality obligations. InPolicy shall promptly remediate any material non-compliance identified during an audit at its own expense and shall provide Customer with evidence of remediation within a reasonable timeframe.
9. Personnel Security
9.1 InPolicy personnel with access to Customer Data are subject to confidentiality obligations as a condition of employment or engagement.
9.2 InPolicy conducts background checks on personnel with access to production systems, to the extent permitted by applicable law.
9.3 InPolicy provides security awareness training to personnel with access to Customer Data. Security awareness training is provided upon onboarding and at least annually thereafter, and covers topics including phishing awareness, secure coding practices, data handling procedures, incident reporting, and social engineering prevention. InPolicy maintains records of training completion and may provide evidence of training programs to Customer upon reasonable request. Personnel who fail to complete required training are subject to access restrictions until training is completed.
10. Business Continuity
10.1 InPolicy leverages GCP's infrastructure redundancy and availability capabilities to maintain Service availability.
10.2 InPolicy maintains a data backup process for Customer Data consistent with GCP best practices. Backups are encrypted at rest and are stored in geographically separate locations within the United States to protect against regional outages. InPolicy periodically tests its backup restoration procedures to verify data recoverability. InPolicy maintains a documented business continuity and disaster recovery plan that includes recovery time objectives (RTO) and recovery point objectives (RPO) appropriate to the nature of the Service. The business continuity plan is reviewed and tested at least annually.
11. AI-Specific Security Measures
11.1 InPolicy does not train or fine-tune AI models on Customer Data or Content. Customer data is used at inference time only, eliminating the risk of sensitive data becoming part of any model.
11.2 InPolicy implements controls to mitigate AI-specific attack vectors including prompt injection and sensitive information disclosure. These controls include, without limitation: input validation and sanitization to detect and block prompt injection attempts; output filtering to prevent sensitive information disclosure in LLM responses; guardrails to prevent the LLM from generating responses outside the scope of policy compliance analysis; monitoring for anomalous inference patterns that may indicate adversarial use; and tenant-level isolation to prevent cross-tenant data leakage in the policy enforcement pipeline. InPolicy continuously evaluates emerging AI security threats and updates its controls in response to new attack vectors identified by the security research community.
11.3 InPolicy's LLM subprocessor processes Content in-memory only and does not retain inference inputs or outputs beyond the duration of the inference request.
For security inquiries: security@inpolicy.ai
12. Data Disposal
12.1 Upon termination of the Agreement or upon Customer’s written request, InPolicy shall securely delete or return all Customer Data in accordance with the retention provisions of the Terms of Service and Data Processing Agreement. Deletion shall be performed using methods that render the data irrecoverable, consistent with NIST SP 800-88 (Guidelines for Media Sanitization) or equivalent standards.
12.2 InPolicy shall ensure that all copies of Customer Data held by Subprocessors are similarly deleted in accordance with this Section. InPolicy shall provide written certification of deletion upon Customer’s request.
13. Change Management
13.1 InPolicy maintains a formal change management process for all changes to production systems that process Customer Data. Changes are documented, reviewed, tested, and approved prior to deployment. Emergency changes are documented and reviewed retrospectively within five (5) business days of deployment.
13.2 InPolicy maintains separate development, testing, and production environments. Customer Data is not used in development or testing environments unless it has been anonymized or replaced with synthetic data.
14. Updates to This Security Addendum
InPolicy may update this Security Addendum from time to time to reflect changes in its security practices, certifications, or applicable law. InPolicy shall provide at least thirty (30) days’ advance written notice of any material changes to this Security Addendum. Material changes include, without limitation, changes to encryption standards, access control policies, subprocessor security requirements, or incident response procedures. If a material change results in a material reduction of the security protections afforded to Customer Data, Customer may terminate the Agreement upon written notice within thirty (30) days of receiving notification of the change.
This Security Addendum is incorporated by reference into InPolicy's Terms of Service and Data Processing Agreement.