Security Policy
Last updated: 2025-01-29
IceCore.ai is committed to protecting the confidentiality, integrity, and availability of customer data through layered technical and organizational controls.
1. Data Protection
Data is encrypted in transit (TLS 1.2+) and at rest where supported by our providers. Access is restricted based on role and least-privilege principles.
2. Multi-Tenant Data Isolation
IceCore.ai is a multi-tenant SaaS platform. We implement strict data isolation to ensure that customer data is protected from unauthorized access by other customers:
- Workspace-level isolation: All queries and operations are scoped to workspace identifiers to prevent cross-customer data access.
- Database-level controls: Row-level security policies and application-level filtering ensure customers can only access their own data.
- Widget analytics isolation: Analytics data collected through our web widget is tagged with workspace/company identifiers and filtered at query time to ensure complete isolation between customers.
- Authorization checks: All API requests verify user permissions against workspace membership before returning data.
3. Authentication and Access
We employ robust authentication, session management, and audit controls:
- User authentication: Strong password policies and secure session management.
- Administrative access: Protected by multi-factor authentication (MFA) and monitored through audit logs.
- Role-based access control (RBAC): Internal personnel access to customer data is restricted based on job function and necessity.
- Audit logging: All data access by IceCore.ai personnel is logged and can be reviewed upon request.
4. Vulnerability Management
We regularly patch dependencies, monitor for vulnerabilities, and address issues based on severity and risk.
5. Incident Response
We maintain an incident response process to detect, contain, and remediate security events and to notify affected parties as required by law.
6. Compliance
We follow industry best practices and align with common standards relevant to our size and risk profile. Formal certifications may be pursued as we grow.
7. Data Access by IceCore.ai Personnel
Authorized IceCore.ai personnel may access customer data for legitimate business purposes including:
- Platform operations and infrastructure maintenance
- Customer support and troubleshooting
- Security monitoring and incident response
- Product improvement and analytics (using aggregated, anonymized data where possible)
All access is subject to strict internal policies, role-based permissions, and audit logging. We do not sell customer data or share it with third parties except as required to provide our services or as required by law.
8. Contact
Report a security issue or contact us at security@icecore.ai.