Trust & Safety

Security Practices

Last Updated: April 20, 2026
Disclosure Contact: security@eljebra.com
Response SLA: 72 hours
PGP Key: Available on Request

Contents
  • 1. Our Commitment
  • 2. System Status
  • 3. Data Protection
  • 4. Infrastructure
  • 5. Access Controls
  • 6. Application Security
  • 7. Incident Response
  • 8. Vulnerability Disclosure
  • 9. Third-Party Audits
  • 10. Contact

Our Commitment to Security

At ELJEBRA, security is not a feature — it is a founding principle. We build transformative AI systems that handle sensitive data across industries including healthcare, finance, and scientific research. The integrity of that data, and the trust of those who share it with us, is non-negotiable.

This page outlines our security posture, the protections we have in place, and how you can reach us if you discover a security concern. We believe in full transparency with the researchers, organisations, and individuals who depend on us.

If you have discovered a security vulnerability, please report it responsibly to security@eljebra.com before disclosing it publicly. We respond to all valid reports within 72 hours.

System Status

Current operational status of ELJEBRA's public-facing systems:

  • Website: Operational
  • Contact Forms: Operational
  • API Infrastructure: Operational
  • Security Monitoring: Active 24/7

For real-time status updates, contact security@eljebra.com.

Data Protection

We apply the following controls to protect all personal and organisational data entrusted to us:

  • Encryption in transit: All data transmitted to and from ELJEBRA systems is encrypted using TLS 1.2 or higher. We enforce HTTPS across all endpoints.
  • Encryption at rest: All stored data — including databases, backups, and file storage — is encrypted using AES-256.
  • Data minimisation: We collect only the minimum data required to fulfil a specific purpose, in line with our Privacy Policy.
  • Retention limits: Data is retained only for as long as necessary and is securely deleted in accordance with our retention schedule.
  • Backup integrity: Backups are encrypted, version-controlled, and regularly tested for restorability.

Infrastructure Security

ELJEBRA's infrastructure is hosted on enterprise-grade cloud platforms with industry-leading physical and logical security controls. Our architecture is designed with a defence-in-depth philosophy.

  • Cloud provider: We use Tier-1 cloud infrastructure (e.g., AWS / GCP) with ISO 27001, SOC 2 Type II, and FedRAMP compliance
  • Network segmentation: All systems are isolated into least-privilege network segments. Production environments are strictly separated from development and staging.
  • DDoS protection: Enterprise-grade distributed denial of service mitigation is applied at the network edge
  • Intrusion detection: Continuous automated monitoring and alerting for anomalous activity across all systems
  • Vulnerability scanning: Automated scanning of infrastructure and dependencies, run continuously and on every deployment
  • Patch management: Critical security patches are applied within 24 hours of publication. All systems are kept current on a rolling basis.

Access Controls

Access to ELJEBRA systems and data is governed by strict identity and access management (IAM) principles:

  • Principle of least privilege: Every team member and system is granted only the minimum permissions required to perform their function
  • Multi-factor authentication (MFA): Required for all internal accounts with access to sensitive systems or data
  • Single Sign-On (SSO): Centralised identity management for all internal tooling, with audit logging of all authentication events
  • Privileged access management: Elevated access is time-limited, logged, and requires secondary approval
  • Access reviews: Permissions are reviewed quarterly and revoked immediately upon staff departure
  • Zero-trust architecture: All access requests — internal and external — are verified before being granted, regardless of network location

Application Security

Security is embedded throughout our software development lifecycle (SDLC), not bolted on after the fact:

  • Secure coding standards: All engineers follow OWASP guidelines and language-specific security best practices
  • Code review: Every code change undergoes peer review with mandatory security checkpoints before merging
  • Static analysis (SAST): Automated static code analysis is run on all pull requests to detect vulnerabilities before deployment
  • Dependency management: All third-party libraries are inventoried and continuously scanned for known CVEs using automated tooling
  • Penetration testing: We conduct internal and third-party penetration tests at least annually and after major architectural changes
  • Security training: All engineering staff complete security awareness and secure coding training on onboarding and annually thereafter

Incident Response

ELJEBRA maintains a formal incident response plan (IRP) to detect, contain, eradicate, and recover from security incidents rapidly and effectively.

  • Detection: 24/7 automated monitoring and alerting across all production systems
  • Classification: Incidents are classified by severity (P1–P4) within 1 hour of detection, with escalation paths for each level
  • Containment: Affected systems are isolated within minutes to limit the blast radius of any incident
  • Notification: Affected parties are notified within 72 hours of confirmed data breaches, in compliance with GDPR, CCPA, and other applicable regulations
  • Post-incident review: Every security incident is subject to a blameless post-mortem, with findings used to improve controls

ELJEBRA's IRP is reviewed and tested via tabletop exercises bi-annually.

Vulnerability Disclosure Policy

ELJEBRA welcomes responsible security research. If you discover a security vulnerability affecting our systems, we ask that you follow responsible disclosure principles:

  • Report the vulnerability to us privately before any public disclosure
  • Give us reasonable time (minimum 90 days) to investigate and remediate before going public
  • Do not access, modify, or delete data that does not belong to you
  • Do not perform denial-of-service attacks, social engineering, or physical security attacks
  • Do not share, sell, or otherwise misuse discovered vulnerabilities or data

Report a Vulnerability

Send a detailed report including steps to reproduce, proof of concept (if applicable), and your assessment of the severity to:

security@eljebra.com

We acknowledge all reports within 72 hours and provide status updates at least every 7 days until resolution. We credit researchers in our acknowledgements where they consent to being named.

Third-Party Audits & Certifications

ELJEBRA is committed to independent verification of our security controls. We pursue and maintain the following:

  • SOC 2 Type II: Annual audit of our security, availability, and confidentiality controls by an accredited third-party auditor
  • Annual penetration tests: Conducted by independent security firms with full-scope access to production infrastructure
  • Dependency audits: Quarterly review of all third-party software, APIs, and vendors for security posture
  • GDPR Data Protection Impact Assessments (DPIAs): Conducted for all new data processing activities

Audit reports and certifications are available to enterprise customers and prospective investors under NDA. Contact security@eljebra.com to request access.

Contact

For all security-related enquiries, vulnerability reports, and audit requests:

  • Security team: security@eljebra.com
  • Privacy team: privacy@eljebra.com
  • General enquiries: hello@eljebra.com

PGP keys for encrypted communication with our security team are available on request.

© 2026 ELJEBRA INC. ALL RIGHTS RESERVED.
