Security Policy
Last updated: 20 May 2026
Data Security
AWARE processes client data under strict technical and organisational controls. All data is encrypted in transit (TLS 1.3 minimum) and at rest (AES-256). Role-based access controls ensure that only authorised personnel can access client environments, and all access is logged with timestamps, user identity, and action type.
Client documents are stored in isolated, customer-specific data partitions. No client data is commingled. Data residency is configurable to UK or EU regions, and Good CISO does not transfer client data outside the agreed jurisdiction without explicit written consent.
AI Security
The AWARE platform uses AMRO-S (Adaptive Multi-Route Orchestration System) for agent orchestration. Every agent route is subject to security-weighted heuristics: trust scores, data clearance levels, blast radius containment rules, and policy compliance checks before execution.
All AI agents operate within sandboxed environments with mandatory kill switches. Agents cannot exfiltrate data outside their permitted scope. Every decision — routing, scoring, classification — is logged with full explainability, and the logs are SIEM-compatible.
Access Controls
Access to the AWARE platform requires multi-factor authentication (MFA) for all users. The principle of least privilege governs all access grants. Good CISO conducts quarterly access reviews, and access is automatically revoked upon employee departure.
Infrastructure credentials are rotated quarterly and managed through a secrets vault with audit logging. External penetration tests are conducted annually by a CREST-approved firm.
Compliance Certifications
Good CISO is working toward the following certifications:
- Cyber Essentials (UK): Government-backed certification covering basic cybersecurity controls. Self-assessed, with verification by a qualified auditor. Target: Q2 2026.
- CSA AI Control Matrix: Cloud Security Alliance framework for AI systems. Self-certifiable. Good CISO conducts annual self-assessments against this framework.
ISO 27001 and SOC 2 Type II require formal external audits by accredited certification bodies. These are planned once the platform reaches full production maturity.
The AWARE platform is designed to support clients' UK GDPR compliance obligations, including data processing agreements (DPAs), data breach notification within 72 hours, and the right to erasure.
Incident Response
Good CISO maintains a documented incident response process. If you identify a security vulnerability or have concerns about the security of the AWARE platform, contact us immediately at security@goodciso.org. We aim to acknowledge all reports within 4 hours and provide a remediation timeline within 72 hours for critical issues.
For confirmed security incidents affecting client data, Good CISO will notify affected clients within 24 hours of confirmation, providing full details of the incident scope, data affected, and remediation steps taken.
Responsible Disclosure
We ask that security researchers and clients notify us of vulnerabilities before public disclosure. Please email security@goodciso.org with details. We commit to not taking legal action against good-faith research conducted under this policy.