Organisational controls
- Background-checked engineers. Every full-time team member signs a confidentiality agreement and IP assignment on day one.
- Role-based access. Engineers get access only to the repos, secrets and data stores required for their project — enforced via SSO groups and reviewed quarterly.
- Mandatory security training. Covers OWASP Top 10, prompt injection, secret hygiene and incident response, reviewed yearly.
- Off-boarding in < 4 hours. Access is revoked from every system within the same business day.
Secure engineering
- Pull-request review on every change shipping to production — no direct pushes.
- Static analysis (ESLint, TypeScript strict, CodeQL or Semgrep) runs on each PR.
- Dependency scanning with Dependabot / Renovate and Snyk — critical CVEs patched within 72 hours.
- Secrets management via Doppler or cloud-native secret stores — never checked into source control.
- Reproducible builds on CI with signed artifacts where the deploy target supports it.
Infrastructure & data
- Tier-1 cloud providers only — AWS, GCP, Azure, Vercel, Cloudflare. No self-hosted primary databases.
- Encryption in transit — TLS 1.2+ everywhere, HSTS enabled on all public endpoints.
- Encryption at rest — AES-256 on managed databases, object storage and backups.
- Network isolation — private VPCs, least-privilege IAM, WAF on public-facing endpoints.
- Logging & monitoring — centralised logs, alerting on auth anomalies and error-rate spikes.
- Backups — daily encrypted backups with quarterly restore drills.
AI & model safety
AI is a core part of how we build — and of the threat model. We take the same “assume untrusted input” posture with LLMs that good engineers take with user input.
- No training on client data. We only use API tiers with zero-retention / no-training settings for Anthropic, OpenAI, Google, and other frontier providers.
- Prompt injection defence. Inputs from agents and retrieved documents are isolated, scoped and rate-limited; tool use is allow-listed per workflow.
- Eval suites & red-team harnesses. Every production LLM feature ships with regression tests — we track hallucination, leakage and jailbreak rates before and after every prompt change.
- PII redaction at the edge for any data sent to third-party models, and per-workload data-residency rules for regulated clients.
- Human-in-the-loop for any irreversible action (writes to prod, emails, payments) by default.
Compliance & certifications
Cord4 aligns its security programme with SOC 2 Type II and ISO/IEC 27001 control frameworks. Formal certification for the core stack is targeted for completion in 2026; our controls and audit trail are available under NDA today.
For client engagements we support GDPR, UK GDPR, India DPDP Act, HIPAA and PCI-DSS requirements with region-specific hosting, data retention and audit configurations.
Incident response
We run a documented incident-response playbook with a named commander, severity levels, communication cadence and post-mortems shared with affected clients within 5 business days.
We commit to notifying impacted clients of any confirmed security incident involving their data within 72 hours of discovery — faster for material incidents.
Responsible disclosure
Found something? We appreciate you. Please email [email protected] with a description, steps to reproduce, and your preferred credit.
- We acknowledge every report within 2 business days.
- We will not take legal action against researchers acting in good faith who do not exfiltrate data or impact other users.
- Please allow us reasonable time to fix before public disclosure — typically 90 days.