1. Our Security Commitment
At EzPze AI Pte. Ltd., security is not an afterthought; it is built into everything we do. We understand
that you entrust us with sensitive business data, customer information, and communications. Protecting
that trust is our highest priority.
This page outlines the comprehensive security measures we implement to safeguard your data and ensure the
integrity, confidentiality, and availability of our AI Employee services.
Security Philosophy: We follow a defense-in-depth strategy, implementing multiple
layers of security controls across infrastructure, application, and operational levels to protect your
data from unauthorized access, disclosure, alteration, or destruction.
2. Infrastructure Security
2.1 Data Center Security
Our infrastructure is hosted on enterprise-grade cloud platforms with world-class physical security:
Primary Infrastructure Providers
- Vultr: Singapore data center with ISO 27001 certification
- Amazon Web Services (AWS): Singapore region (ap-southeast-1)
Both providers maintain:
- 24/7 physical security and surveillance
- Biometric access controls
- Environmental controls (fire suppression, climate control)
- Redundant power and network connectivity
2.2 Network Security
We implement multiple layers of network security:
- Cloudflare Protection: DDoS mitigation, web application firewall (WAF), and traffic filtering
- Network Segmentation: Isolated networks for production, staging, and development environments
- Firewall Protection: Strict firewall rules limiting inbound and outbound traffic
- Intrusion Detection: Real-time monitoring for suspicious network activity
- VPN Access: Secure VPN required for administrative access
2.3 System Hardening
All servers and systems undergo security hardening:
- Minimal software installation (only essential services)
- Regular security patching and updates
- Disabled unnecessary ports and services
- Secure default configurations
- Operating system-level security controls
3. Data Encryption
3.1 Encryption in Transit
TLS/SSL Encryption
All data transmitted between your devices and our servers is protected using:
- TLS 1.3 (Transport Layer Security): The latest and most secure protocol
- Strong cipher suites: AES-256 encryption with forward secrecy
- HTTPS everywhere: All web traffic is encrypted by default
- API encryption: All API communications use encrypted channels
3.2 Encryption at Rest
AES-256 Encryption
All data stored on our servers is encrypted using:
- AES-256 encryption: Military-grade encryption standard
- Database encryption: All databases are encrypted at the disk level
- File encryption: Uploaded files and documents are encrypted
- Backup encryption: All backups are encrypted before storage
- Key management: Encryption keys are stored separately from encrypted data
3.3 End-to-End Encryption for Sensitive Data
Highly sensitive data, such as API keys and authentication tokens, is encrypted with additional layers
of protection, ensuring that even EzPze AI staff cannot access it without proper authorization.
4. Access Control
4.1 Multi-Factor Authentication (MFA)
Coming in 2026: We are introducing mandatory Multi-Factor Authentication (MFA) for all
user accounts. This adds an extra layer of security by requiring a second form of verification in
addition to your password.
4.2 Role-Based Access Control (RBAC)
We implement strict role-based access control:
- Principle of Least Privilege: Users and employees only have access to data and systems necessary for their role
- Granular Permissions: Fine-grained control over who can view, edit, or delete specific data
- Team Management: Administrators can control access for team members within their organization
- Audit Logs: All access and permission changes are logged for accountability
4.3 Employee Access Management
Access to customer data by EzPze AI employees is strictly controlled:
- Need-to-Know Basis: Access granted only when necessary for support or troubleshooting
- Temporary Access: Administrative access is time-limited and requires approval
- Access Reviews: Regular reviews to ensure only authorized personnel retain access
- Background Checks: All employees undergo security screening before access is granted
- Termination Procedures: Immediate revocation of access upon employee departure
4.4 Session Management
- Automatic session timeout after inactivity
- Secure session tokens with expiration
- Protection against session hijacking and fixation attacks
- Single sign-on (SSO) support for enterprise customers (coming soon)
5. Compliance & Certifications
5.1 Current Compliance
- GDPR Compliant (Active): EU General Data Protection Regulation
- PDPA Compliant (Active): Singapore Personal Data Protection Act
- PCI DSS (Active): Payment Card Industry Data Security Standard (via Stripe)
5.2 Future Certifications
We are actively working towards obtaining additional security certifications to further demonstrate our
commitment to security:
- SOC 2 Type II (Planned): Service Organization Control certification for security, availability, and confidentiality
- ISO 27001 (Planned): International standard for information security management systems
5.3 Data Protection Officer
We have designated a Data Protection Officer (DPO) to ensure compliance with data protection regulations:
Name: Siska
Email: hr@asalta.com
6. Security Monitoring
6.1 24/7 Security Monitoring
Our systems are monitored around the clock for security threats:
- Real-Time Alerts: Automated alerts for suspicious activity, failed login attempts, and anomalies
- Log Analysis: Comprehensive logging and analysis of system events
- Intrusion Detection: Active monitoring for unauthorized access attempts
- Performance Monitoring: Continuous tracking of system health and availability
- Threat Intelligence: Integration with global threat intelligence feeds
6.2 Vulnerability Management
We proactively identify and address security vulnerabilities:
- Automated vulnerability scanning of infrastructure and applications
- Regular penetration testing by third-party security experts
- Dependency monitoring for known vulnerabilities in third-party libraries
- Rapid patching process for critical vulnerabilities
- Security risk assessments for new features and changes
7. Incident Response
7.1 Incident Response Team
We maintain a dedicated Security Incident Response Team (SIRT) responsible for:
- 24/7 monitoring and response to security incidents
- Investigation and containment of security breaches
- Coordination with law enforcement when necessary
- Communication with affected customers
- Post-incident analysis and improvement
7.2 Data Breach Notification Process
Our Commitment: In the unlikely event of a data breach affecting your information, we will:
- Immediate Investigation: Begin investigating and containing the breach within 1 hour of detection
- Customer Notification: Notify affected customers within 72 hours of confirming a breach
- Regulatory Notification: Comply with all legal requirements for breach notification to authorities
- Transparency: Provide clear information about what data was affected and what we are doing about it
- Support: Offer assistance and guidance to affected customers
7.3 Incident Response Process
- Detection: Automated systems and monitoring detect potential security incidents
- Classification: Incidents are classified by severity and impact
- Containment: Immediate action to contain and isolate the incident
- Investigation: Thorough forensic analysis to determine cause and scope
- Remediation: Fix vulnerabilities and restore normal operations
- Notification: Inform affected parties as required by law and our policies
- Post-Incident Review: Analyze what happened and implement improvements
8. Security Audits & Testing
8.1 Regular Security Audits
We conduct comprehensive security audits to ensure ongoing protection:
- Internal Audits: Quarterly security reviews by our internal team
- External Audits: Annual third-party security assessments
- Compliance Audits: Regular checks for GDPR, PDPA, and PCI DSS compliance
- Code Reviews: Security-focused code reviews for all releases
- Infrastructure Audits: Regular reviews of cloud infrastructure configurations
8.2 Penetration Testing
We engage independent security experts to perform penetration testing:
- Annual comprehensive penetration tests of infrastructure and applications
- Quarterly testing of critical systems and new features
- Simulated attacks to identify vulnerabilities before malicious actors can exploit them
- Remediation of all identified vulnerabilities based on risk priority
8.3 Security Training
All EzPze AI employees receive regular security training:
- Security awareness training for all staff
- Specialized training for engineers and developers
- Phishing simulation exercises
- Incident response drills
- Ongoing education about emerging threats
9. Customer Responsibilities
While we implement robust security measures, security is a shared responsibility. Customers play a
crucial role in protecting their accounts and data.
9.1 Account Security Best Practices
You are responsible for:
- Creating and maintaining strong, unique passwords
- Keeping your login credentials confidential
- Enabling multi-factor authentication when available (coming 2026)
- Regularly reviewing account activity
- Logging out of shared or public devices
- Not sharing your account with unauthorized users
9.2 Password Requirements
To protect your account, we require passwords that meet minimum security standards:
- Minimum 8 characters in length (12+ recommended)
- Combination of uppercase and lowercase letters
- At least one number
- At least one special character
- Not a previously compromised password (checked against breach databases)
9.3 Suspicious Activity Reporting
If you suspect unauthorized access to your account:
- Immediately change your password
- Contact our security team at team@ezpze.ai
- Review recent account activity for any unauthorized actions
- Check connected integrations and revoke any you don't recognize
- Enable additional security measures such as MFA when available
9.4 Data Protection Recommendations
To maximize the security of your data:
- Only upload necessary customer data to the platform
- Regularly review and delete data you no longer need
- Use secure connections (avoid public Wi-Fi for sensitive operations)
- Keep your devices and software up to date
- Be cautious of phishing attempts impersonating EzPze AI
10. Bug Bounty Program
Responsible Disclosure Program
We believe in working with the security community to keep our platform secure. We operate a bug
bounty program to reward security researchers who responsibly disclose vulnerabilities to us.
10.1 Program Details
Scope: All EzPze AI production systems, applications, and infrastructure
Eligible Vulnerabilities:
- Remote code execution
- SQL injection
- Authentication bypass
- Cross-site scripting (XSS)
- Cross-site request forgery (CSRF)
- Server-side request forgery (SSRF)
- Sensitive data exposure
- Authorization issues
10.2 Reporting a Vulnerability
If you discover a security vulnerability, please report it responsibly:
- Email us: team@ezpze.ai with subject line "Security Vulnerability Report"
- Include: Detailed description, steps to reproduce, and potential impact
- Allow us time: Give us reasonable time to investigate and fix before public disclosure
- Avoid: Accessing, modifying, or deleting customer data
10.3 Rewards
We offer rewards for valid, high-impact vulnerabilities based on:
- Severity of the vulnerability (Critical, High, Medium, Low)
- Quality of the report and reproduction steps
- Potential impact on customer data and systems
Reward amounts are determined on a case-by-case basis.