Security Statement

1 Objective and scope

This Statement describes the security controls of Aenvo Natural Interaction Lda., applicable to the website, applications, APIs, and AI models ("Services"). The objective is to protect the confidentiality, integrity, and availability of data and systems, in compliance with GDPR and industry best practices.

2 Security principles

We adopt a defence-in-depth approach, guided by the principles of Privacy by Design, Security by Design, data minimisation, least privilege principle, and strict separation of environments (development, testing, and production).

3 Access and identity management

We implement Role-Based Access Control (RBAC) to ensure employees and systems have access only to necessary information. Multi-factor authentication (MFA) is mandatory for all administrative accounts. We perform rigorous token and key management, with periodic permission reviews and segregation of critical duties.

4 Encryption

All data is protected by strong encryption. In transit, we use TLS 1.2 or higher. At rest, data is encrypted using the AES-256 standard. Key management includes regular rotation and the secure storage of secrets in digital vaults.

5 Network security

Our infrastructure utilises network segmentation and rigorous access control lists. We deploy next-generation firewalls, Web Application Firewalls (WAF), and protection against DDoS attacks (DDoS mitigation). Where applicable for Enterprise clients, we support integration with private networks (VPC peering) and IP restriction rules.

6 Logging, auditing, and monitoring

We maintain detailed security and application logs for auditing and troubleshooting, with a typical operational retention of up to 30 days. We use Intrusion Detection Systems and SIEM for real-time analysis. Automated alerts and response playbooks are triggered in the event of anomalies.

7 Vulnerability management and testing

We perform weekly vulnerability scans and apply continuous patching and corrections. Penetration tests are conducted regularly by independent third parties. We maintain a responsible vulnerability disclosure programme and bug bounty.

8 Secure Software Development Life Cycle (SSDLC)

Security is an integral part of our development cycle. We conduct architecture reviews, threat modelling, security QA, and peer code reviews. All software dependencies are automatically monitored, and we maintain a strict versioning and rollback policy.

9 Specific AI security

10 Incident management

We have a formal incident response process with severity classification and defined target times for containment and remediation. We commit to notifying customers and competent authorities (CNPD) in the event of a data breach, as required by law. Following each incident, we conduct post-mortem analyses to implement corrective actions.

11 Business continuity and disaster recovery (BCP/DR)

We ensure service resilience through encrypted backups and periodic restoration tests. We have defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). We conduct failure scenario exercises and utilise geographic redundancy to mitigate outages.

12 Sub-processors and physical infrastructure

We partner only with infrastructure providers (such as Google Cloud and AWS) that maintain top-tier security certifications (e.g., SOC 2, ISO 27001) and ensure rigorous physical security of data centres. All sub-processors are subject to Data Processing Agreements (DPA) and risk assessments.

13 Training and awareness

All AENVO employees undergo mandatory annual security and privacy training. We conduct phishing simulations and maintain internal acceptable use policies to ensure a proactive security culture.

14 Security contact

To report vulnerabilities, incidents, or security questions, please contact security@aenvo.ai. For privacy questions, please use privacy@aenvo.ai.