Security Policy
Nauto takes data protection seriously and is SOC 2 Type 1 and Type 2 certified and ISO/IEC 27001:2022 certified. Nauto implements at least the following security requirements and AI governance aligned with ISO27001 and ISO42001 framework to help keep data safe:
1 – Information Security and AI Governance
- Assignment of defined roles and responsibilities for information security and AI governance within the organization.
- Documented information security, privacy, and AI management policies, supported by standards, procedures, and guidelines applicable to employees and relevant third parties.
- Periodic risk assessments addressing information security risks, including risks related to data processing, AI model behavior, misuse, robustness, and unintended outcomes.
- Security and AI awareness training provided to personnel commensurate with their roles.
- Processes to identify, classify, and manage information assets and AI systems throughout their lifecycle.
2 – Identity and Access Management
- Procedures for the creation, modification, review, and revocation of user, privileged, service, application, and temporary accounts.
- Role-based access controls aligned with the principles of least privilege and need-to-know.
- Periodic reviews of access rights and prompt revocation of access when no longer required.
- Authentication mechanisms consistent with generally accepted industry standards.
- Multi-factor authentication for privileged access and remote access to sensitive systems, where technically feasible.
3 – Systems Security and Hardening
- Secure configuration baselines for operating systems, applications, and infrastructure.
- Timely application of security updates and patches, consistent with risk.
- Deployment of malware protection controls on applicable systems.
- Email and messaging security controls designed to detect and mitigate malicious content.
- Limitation or removal of unnecessary services, ports, and protocols.
4 – Information Protection Security
- Restrictions on the use of removable media, where appropriate.
- Encryption of sensitive information in transit and at rest using industry-accepted cryptographic standards.
- Protection of credentials, secrets, and cryptographic material from unauthorized access.
- Measures designed to preserve data integrity and availability.
5 – Physical Security
- Access controls for offices and restricted areas.
- Authorization mechanisms for personnel access.
- Physical monitoring measures, where appropriate.
6 – Business Continuity Management and Disaster Recovery
- Business continuity and disaster recovery planning appropriate to the nature of the services provided.
- Data backup procedures and periodic testing of restoration capabilities.
- Redundancy and availability controls commensurate with operational risk.
- Reasonable assurance that critical third-party service providers maintain appropriate continuity measures.
7 – Security and AI Incident Management
- Documented incident response process addressing detection, containment, remediation, and recovery.
- Defined internal escalation and communication procedures.
- Post-incident review activities designed to identify corrective actions and improvements.
8 – Network Security
- Secure configuration of network infrastructure.
- Network segmentation, including separation of untrusted or guest networks.
- Firewall and routing controls governing communications between trusted and untrusted environments.
- Secure wireless network configurations aligned with industry standards.
- Monitoring mechanisms designed to detect anomalous or unauthorized activity, where appropriate.
9 – Cloud and Cryptographic Security
- Cloud security practices aligned with generally accepted industry standards.
- Encryption key management practices designed to protect cryptographic material.
- Use of encryption mechanisms compliant with applicable regulatory or contractual requirements, where required.
- Secure storage of credentials and secrets using protected key management solutions.