Security Measures

• Information Security Management System (ISMS) aligned to ISO/IEC 27001 practices — covering policies, risk assessment and treatment, and continuous improvement.
• Documented policies covering: access control, acceptable use, cryptography, secure development, vendor risk, incident response, change management, backup and DR, data retention, and privacy.
• Security training for all personnel; role-based training for engineers; background checks for employees where permitted by law.
• Security and privacy by design: risk assessment and data-protection considerations are embedded in product and project lifecycles.
• Separation of duties; least-privilege by default; periodic access reviews.

Security responsibilities depend on deployment model.

• Role-based access control (RBAC) and least-privilege access.
• MFA enforced for administrative and privileged accounts.
• Centralised identity for production access; just-in-time elevation for sensitive operations where applicable.
• Segregation of environments (dev / test / staging / prod).
• Quarterly access reviews; immediate revocation on role change or termination.

• Encryption in transit: TLS 1.2+ for all external communications and service-to-service calls where supported.
• Encryption at rest: AES-256 (or cloud-equivalent) for databases, storage, and backups — provided by Microsoft Azure AU managed services.
• Key management: Azure KMS / HSM where applicable; key rotation per provider best practices and policy.
• Secrets management: Dedicated secrets vault; no secrets in code repositories; rotation on compromise or schedule.
• Tenant isolation: Logical segregation of Customer Data; strict access controls and guardrails.
• Data minimisation: Purpose limitation aligned to the DPA; de-identification applied to analytics outputs.

• Threat modelling for material features; design reviews for security and privacy.
• Code review on all changes; CI/CD with automated checks.
• Dependency management with vulnerability scanning (SCA).
• Application security testing: SAST/DAST integrated into the pipeline where applicable; manual security testing for high-risk areas.
• Change management with approval workflow, rollback plans, and production change logging.

Regular vulnerability scanning of applications and relevant infrastructure. Remediation SLA targets (guideline, may vary by environment):

• Emergency patching for actively exploited issues.
• Third-party libraries monitored and updated routinely.

• Centralised logging of security-relevant events (auth, admin actions, configuration changes, data access patterns).
• Time-synchronised systems; tamper-resistant log storage.
• Alerting for anomalous activity and failed security controls.
• Regular review of alerts and security dashboards.

• Documented incident response plan with severity classification, roles, and escalation paths.
• Customer notifications for confirmed Security Incidents “without undue delay” consistent with the DPA; collaboration on containment, forensics, and remediation.
• Post-incident reviews and corrective actions for Sev 1/2 incidents; RCA summary provided per SLA.

SaaS backups of platform data under UNCAPT control; periodic restoration testing.

• Documented BCP/DR plans; annual exercises.
• For VPC/On-Prem, Customer is responsible for backups and DR of Customer-managed layers.

• Data residency and hosting regions as specified in your Order. Default: Microsoft Azure AU (Australian data centres).
• Retention aligned to contractual and legal requirements; data minimisation principles applied.
• Self-service export features where available; assisted export on request (see Terms/DPA).
• On termination or request: export then delete Personal Information from active systems and purge from backups per standard cycles; certification available on request (see DPA).

• Use of reputable cloud and service providers for hosting, monitoring, email delivery, ticketing, etc. Primary infrastructure: Microsoft Azure AU.
• Security and privacy due diligence prior to onboarding; contractual obligations no less protective than the DPA.
• Current subprocessors list available on request or in Annex B of the DPA.
• Notifications of material subprocessor changes per the DPA, with an objection/transition process.

• Network segmentation and security groups; least-privilege firewall rules.
• Managed WAFs and DDoS protections where applicable.
• Hardened images and baseline configurations; CIS-aligned benchmarks where feasible.
• Bastion-based administrative access with MFA and session logging.

The ELI Platform includes safety and governance controls as core architectural components:

• Safety gates and governance layer baked into the Platform (quality gates, confidence scoring, human-in-the-loop, audit trails).
• Stage verifiers enforce reasoning constraints at each decision point; HALT escalation routes uncertain cases to domain experts.
• Versioning of knowledge structures and logic; change approval workflows for Living Knowledge Banks.
• Audit trail generation for decisions and evidence provenance; configurable retention (see SLA/Order).
• Guardrails to reduce harmful or unsafe outputs; monitoring of model performance and drift where relevant.
• Zero hallucinations maintained in clinical evaluation contexts through expert-supervised stage verifiers.

• Compliance with the Privacy Act 1988 (Cth) and applicable State health records laws; privacy-by-design principles.
• Health Information processed in accordance with applicable Australian privacy legislation, including the Health Records Act 2001 (Vic), the Health Records and Information Privacy Act 2002 (NSW), and equivalent state and territory legislation.
• Full details in the Privacy Policy and Data Processing Addendum.

• SSO (SAML/OIDC) and SCIM (where available) for centralised identity and provisioning.
• RBAC with configurable roles and permissions.
• IP allow-listing and session controls (where available).
• API authentication via OAuth2 / bearer tokens; per-client rate limits and scopes.
• Export utilities for Customer Data.

• Periodic third-party penetration testing of the externally exposed application and APIs.
• Findings triaged and remediated under the vulnerability SLAs above.
• Coordinated Vulnerability Disclosure: report issues to security@uncapt.com; please include details (affected component, steps to reproduce, impact).
• Do not perform unapproved penetration or load testing (see AUP).

• For SaaS, UNCAPT relies on Microsoft Azure AU certified data centres with industry-standard physical and environmental controls (access controls, surveillance, redundant power and cooling).
• For VPC/On-Prem, Customer is responsible for data centre and office physical security and endpoint protections.

• ISMS aligned with ISO/IEC 27001 practices.
• ISO 27001 certified. Where additional certifications or attestations are achieved (e.g., SOC 2), UNCAPT will publish details or make reports available under NDA upon request.
• MRFF-backed research partnerships; University of Sydney Brain and Mind Centre peer review.
• Industry-specific requirements (e.g., aged care, mental health) addressed contractually via SOWs/Orders where applicable.

• Security: security@uncapt.com
• Privacy: info@uncapt.com
• Abuse / AUP violations: abuse@uncapt.com
• Status page: https://status.uncapt.com
• General: info@uncapt.com