# Information Security Policy

Company: Tenfold AI · Document owner: CEO · Version: 1.0 · Effective date: 2026-01-01 · Review cycle: Annual or upon significant change
## 1. Purpose

This policy establishes the management direction and principles for information security at Tenfold AI, a cloud-based AI SaaS provider offering an AI legal assistant service.
The objective is to protect the confidentiality, integrity, and availability of customer data, company data, and service operations.
## 2. Scope

This policy applies to:

| Audience | Coverage |
|---|---|
| Personnel | All employees and contractors located in Taiwan and overseas (e.g., US, EU) |
| Systems | All information systems operated by or on behalf of the company |
| Data | All data processed, stored, or transmitted within company-managed environments |

In-scope systems include:
- AWS cloud infrastructure (compute, storage, networking, logging)
- Company-developed SaaS applications
- Third-party services (e.g., Anthropic Claude, MongoDB, LangChain) used strictly for inference via API
## 3. Information Security Objectives

The company aims to:
- Prevent unauthorized access to customer and internal data
- Maintain availability and reliability of SaaS services
- Apply proportionate security controls based on risk
- Comply with contractual, legal, and regulatory obligations
## 4. Roles and Responsibilities

| Role | Responsibilities |
|---|---|
| CEO / Management | Approve information security policies and risk treatment decisions; ensure accountability for information security governance. |
| Engineering Team | Manage AWS infrastructure security (IAM, logging, backups); implement access controls and monitor system events. |
| AI / Product Team | Ensure third-party AI services are used according to approved configurations; avoid unnecessary retention of customer input or output data. |
| All Personnel | Access systems only as required for their role; report suspected security incidents promptly. |

Segregation of duties is achieved through role-based access in AWS IAM and restricted administrative privileges.
## 5. Risk Management Approach

The company adopts a risk-based approach to information security:
- Information security risks are identified and assessed periodically
- Controls are selected based on risk severity and business impact
- AWS native security services (IAM, CloudTrail, logging) are leveraged
- Third-party AI risks are assessed through supplier evaluation
## 6. Cloud and Third-Party Security Principles

### Shared responsibility model
- AWS is responsible for the security of the cloud.
- The company is responsible for security in the cloud.
### Third-party AI usage
- AI service providers (e.g., Claude) are used only for inference.
- Customer data is not intentionally stored or reused beyond service delivery, subject to supplier contractual terms.
### Least privilege
- Access rights are granted based on job responsibilities and reviewed periodically.
## 7. Supporting Policies and Procedures

This policy is supported by documented procedures, including:
- Access Control Policy (AWS IAM)
- Information Security Incident Management Procedure
- Supplier Security Management Policy (AWS, Anthropic)
- Human Resource Security Procedure (onboarding and offboarding)
- Backup and Recovery Policy
## 8. Communication and Awareness
- This policy is communicated to all personnel during onboarding.
- It is accessible through internal documentation platforms.
- Personnel are responsible for familiarizing themselves with applicable requirements.
## 9. Compliance and Disciplinary Actions

Non-compliance with this policy may result in:
- Revocation of system access
- Disciplinary actions according to internal rules
- Contractual remedies for external parties
## 10. Review and Maintenance

This policy shall be reviewed:
- At least annually
- Following significant changes to business operations, AWS architecture, or third-party services