Trust & Security

We have written 14 formal security policies that describe how we actually operate. These are not template documents purchased from a compliance vendor. Each one was written specifically for our infrastructure, our agent architecture, and our client delivery model.

We maintain a comprehensive risk register with over 25 identified risks across infrastructure, application, agent operations, and business continuity categories. Each risk is rated by likelihood and impact, mapped to specific controls, and tracked through remediation. A separate red-team exercise identified 56 attack vectors across the agent architecture, consolidated into a priority matrix with P0 through P3 ratings.

Critical and high-severity items have been addressed. The risk register is reviewed quarterly and updated when the architecture changes.

We maintain a formal AI Governance Framework aligned with NIST AI RMF and ISO 42001. This framework governs how we build, deploy, monitor, and retire AI agents that have access to client systems. It is the operating manual for responsible agent deployment.

• • Agent inventory and classification — every agent in production is cataloged with defined scope, access permissions, and risk classification
• • Three-tier human oversight model — human-in-the-loop for high-risk actions (financial approvals, external communications), human-on-the-loop for moderate-risk (report generation, data analysis), full automation only for well-bounded routine tasks (email triage, status monitoring)
• • Incident classification for agentic AI — five severity levels covering hallucination, unauthorized action, data leakage, instruction drift, and prompt injection attempts
• • Model management — evaluation procedures, version tracking, rollback capabilities, and training data opt-out for all deployed models
• • Transparency and disclosure — clients are informed of what AI does, what it cannot do, where human judgment is applied, and what data flows through third-party model providers

Request the full framework →

Our legal documentation is production-ready. MSA, DPA, HIPAA BAA, and SOW templates can be executed immediately. An Agentic MSA with AI-specific liability provisions is in development with attorney review.

• • Master Services Agreement (MSA) — includes AI disclosure clause, tiered pricing structure, SLA exhibit with 99.5% uptime commitment, and standard liability provisions
• • Data Processing Agreement (DPA) — GDPR-aligned, covers all personal data processing with defined retention periods, deletion procedures, subprocessor list, and data subject rights
• • HIPAA Business Associate Agreement (BAA) — 45 CFR 164.504 compliant, 9 mandatory provisions, AI-specific language for PHI access, subcontractor BAA flow-down
• • Statement of Work (SOW) templates — standardized engagement scoping with deliverables, milestones, acceptance criteria, and payment terms
• • Agentic MSA — in development, covers AI-specific liability allocation, autonomy tier definitions, insurance requirements, and incident response provisions specific to autonomous agent systems

We carry cyber liability and errors & omissions (E&O) insurance with affirmative AI coverage. Our carrier was selected specifically because their policies do not contain AI exclusions, which means claims arising from AI agent operations, model failures, and autonomous actions are explicitly covered. This is a deliberate choice — many carriers in the market are adding AI exclusion clauses, and we chose one that does the opposite.

• • Cyber + E&O with affirmative AI coverage (no AI exclusions)
• • General liability (Business Owner's Policy)
• • Certificate of Insurance available on request
• • Additional Insured endorsement available for enterprise clients

We maintain pre-filled responses for SIG Lite and CAIQ v4 questionnaires with evidence references mapped to each control. For enterprise procurement teams, we can typically return a completed vendor questionnaire within 24–48 hours instead of the 2–3 weeks that is standard in the industry.

If you have a custom security questionnaire, send it to security@1404.io and we will turn it around on the same timeline.

Client environments are hosted on AWS (us-east-1 and us-east-2) with automatic TLS via Caddy reverse proxy. Administrative access runs through a Tailscale WireGuard mesh VPN — no management ports are exposed to the public internet.

The architecture follows defense-in-depth with five isolated Linux user tiers (admin, application, agent-service, per-client workers, per-client MCP processes), per-client iptables egress rules, three-tier credential vaults, secret scrubbing on all agent output, and immutable agent instruction files. No single compromised layer provides access to client data.

Backups run on a three-layer strategy: local daily (30-day retention), remote daily (30-day retention), and S3 Glacier weekly (52-week retention). Recovery targets are 1 hour RTO and 24 hours RPO for cloud infrastructure, verified through quarterly restoration tests.

Our incident response plan defines four severity levels with escalating response and resolution targets. All incidents are documented with full timelines, root cause analysis, remediation steps, and lessons learned.

System status and incident history are published at status.1404.io. Audit logs are retained for a minimum of 12 months. Agent transcripts, API call logs, and knowledge store activity are all logged with timestamps and full traceability.