Security Policy

Deep Origin captures backups on a regular basis to ensure internal and customer data is protected from loss according to our Business Continuity and Disaster Recovery procedures.  All backup materials are encrypted using AES-256.

Deep Origin may securely retain API inputs and outputs at varying lengths to provide the services and to identify abuse. After their respective retention timeframe, API inputs and outputs are removed from our systems, unless we are legally required to retain them.

All customer data is encrypted at-rest using AES-256. Deep Origin is committed to following encryption best practices per industry guidelines and continually reviews the rigor of current encryption standards

All customer data is encrypted in-transit using TLS 1.2/1.3.

Physical security is managed by AWS.

Deep Origin captures backups on a regular basis to ensure internal and customer data is protected from loss according to our Business Continuity and Disaster Recovery procedures.  All backup materials are encrypted using AES-256.

Deep Origin’s teams are dedicated to developing a deep understanding of both known and potential unknown risks, integrating enhanced safety and ethical reasoning into our foundational models.

Deep Origin's teams are dedicated to implementing system-level mitigations across our products. This comprehensive approach ensures that our AI systems are secured against evolving threats and privacy concerns, maintaining high standards of safety and compliance

At Deep Origin, we recognize the importance of addressing AI safety challenges, particularly in the context of training data and potential biases.

In the event of a data breach involving customer data, notifications will be sent in accordance with the terms of our MSA.

Personnel perform security and privacy awareness training on an annual basis. Topics covered include: Passwords, Mobile devices, Social Engineering, Physical security, and Phishing.

Deep Origin internal system access is adherent to the principles of least privilege, separation of duties, subject to regular review by administrators, documented with clear rationales for provisioning and changes, and revoked according to termination policies.

The Deep Origin environment is subject to constant monitoring for anomalous activity. Logs are stored in our SIEM Tooling.

Deep Origin has a strong internal password policy that includes a requirement for MFA for accounts that do not support SSO. Passwords are required to meet industry standard complexity requirements and are stored in a company managed password manager.

The Deep Origin infrastructure is hosted on Amazon Web Services in multiple regions.

Deep Origin maintains a Business Continuity and Disaster Recovery plan, which is tested, reviewed and approved annually. Deep Origin also conducts regular testing of critical services, backup systems and operational infrastructure to ensure business continuity requirements are met.

Deep Origin employs infrastructure-as-code (IaC) techniques to securely deploy and manage resources within our operational environment. This enables rapid provisioning and scaling while ensuring that all deployments meet security standards.

At Deep Origin, production, staging, and development environments are maintained as distinct entities to safeguard operational integrity and data confidentiality. In these separate environments, customer data is strictly prohibited from use in non-production settings, thus ensuring that developmental and testing activities do not compromise data security.

To protect the confidentiality and integrity of information stored on all employee endpoints, DeepOrigin mandates full-disk encryption. Additionally, we continuously monitor endpoint security to promptly identify and investigate any anomalous activity.

All employee endpoints are protected with an advanced EDR solution. Endpoint security signals
are monitored regularly for anomalous activity.

Deep Origin centrally manages and secures all employee endpoints through a Mobile Device
Management (MDM) solution. This systematic management allows us to enforce security
policies, distribute software and updates, and monitor endpoint integrity.

Deep Origin's Security Team actively monitors the environment for known attacker tactics, techniques, and procedures (TTPs), as well as known malicious binaries and other suspicious activities. These regular activities are complemented by periodic reviews and investigations into anomalous activities to discover unknown threats.

Deep Origin utilizes a combination of traditional firewalls, AWS (N)ACLs, and KubeArmour (to provide specialized firewall capabilities for Kubernetes environments) policy to secure the infrastructure end-to-end. These tools allow us to monitor and control the flow of network traffic, preventing unauthorized access and ensuring data integrity and security.

Our network activity is logged to identify potential security threats such as unauthorized access or anomalous behavior. These systems are critical for the early detection of attacks, allowing us to identify attackers and other anomalous behavior and generate alerts for further investigation.

Deep Origin prioritizes the secure and centralized storage of crucial infrastructure logs. Our SIEM systems continuously monitor these logs, enabling real-time analysis to detect, alert, and mitigate potential threats promptly.

Deep Origin is committed to maintaining asset management practices that span both virtual and physical assets. Our asset management policy is designed to identify and catalog organizational assets and is updated annually.

Deep Origin is committed to maintaining a high level of security and privacy awareness among its personnel through comprehensive annual training programs. This training covers critical topics such as password management, mobile device security, social engineering tactics, physical security, phishing attacks, and compliance with regulations.

To ensure the integrity and security of our operations, all new Deep Origin employees undergo a thorough background check and sign a non-disclosure agreement upon joining. These measures are part of our annually reviewed HR security policy, which mandates compliance with company policies and procedures.

Deep Origin maintains a documented Incident Response Plan. This plan is systematically reviewed, tested, and approved by appropriate stakeholders on an annual basis to ensure readiness and effectiveness in responding to security incidents.

Deep Origin engages in annual risk assessments. These assessments are designed to identify and address vulnerabilities within our operational environment. The findings from these assessments are reviewed and considered by an executive risk committee, which integrates these insights into broader organizational strategic planning.

We utilize Single Sign-On (SSO) technology to simplify and secure the authentication process for our internal applications and to reduce the attack surface associated with multiple passwords and login credentials.

Deep Origin engages in third-party penetration testing annually and upon the release of new products to proactively identify and address security vulnerabilities within our systems. The outcomes of these tests are documented, and any findings are prioritized for remediation according to their severity.

Deep Origin operates an in-house Security Operations Center (SOC), managed by our security team. This center ensures continuous security monitoring as our activity logs are continually assessed by detection algorithms. All identified errors and anomalies are logged and analyzed through our centralized Security Information and Event Management (SIEM) system.

Deep Origin requires all employees to adhere to an annually updated Acceptable Use Policy. This policy is crafted to prevent unauthorized disclosure, modification, removal, or destruction ofinformation stored across our media platforms.

Our Access Control Policy defines how access is provisioned for employees.

Employees are required to agree to our Code of Conduct during onboarding.

We have an internal cryptography policy that defines key management and encryption standards and procedures.

All data in our platform is classified based on our Data Management Policy.

We maintain an Incident Response plan in the event of a security related incident.

Our Information Security Policy defines the roles and responsibilities for all employees.

We have an Operations Security Policy that defines how we log and monitor our network.

We have a Risk Management Policy to ensure that we conduct risk assessments on a regular basis.

Developers are required to review and accept our Secure Development Policy annually.

We have a Third Party Management Policy that requires due diligence and NDAs for external parties.

We have documented Vulnerability Management policies.