Security Policy

Overview of the Company’s security practices for the Platform.

1. Preface

This Security Policy describes the Company’s security program at a high level and provides information relevant to Customers and End Users regarding the protection of the Platform and Customer Content. This Security Policy is intended to support risk assessment and contractual governance, including under the Data Processing Agreement where applicable.

Effective Date: February 21, 2026.
Last Updated: February 21, 2026.

2. Definitions and Relationship to Other Documents

Capitalized terms used in this Security Policy have the meanings set out in the Terms of Service, including Company, Platform, Customer, Organization, Instructor, Learner, End User, Content, Personal Data, Controller, Processor, and Subprocessor. Where the Company acts as a Processor, security obligations are further described in the DPA and will prevail to the extent of any conflict regarding Processor obligations.

3. Security Program Overview

The Company maintains an information security program designed to protect the confidentiality, integrity, and availability of the Platform and data processed in connection with the Platform. The scope of the security program covers all systems, networks, and data involved in providing the Platform, including risk assessment, access controls, encryption, monitoring, incident response, and employee security awareness, and may evolve over time as the Platform changes. The Company may use administrative, technical, and physical safeguards proportionate to risk.

4. Access Control and Authentication

The Company applies access control principles intended to limit access to systems and data to authorized personnel based on role and necessity. Authentication methods include email and password, with multi-factor authentication (MFA) available for all accounts. The Company may maintain logs and monitoring to support security investigations and to detect unauthorized access.

5. Encryption, Backups, and Resilience

The Company may use encryption in transit for communications between clients and the Platform. The Company uses encryption at rest (AES-256) for stored data, with key management handled through cloud provider key management services. Backups are performed daily and retained for 30 days. The Company may maintain backup and recovery processes intended to support restoration following certain types of incidents, but the Company does not guarantee that all data can be recovered in all circumstances.

6. Vulnerability Reporting and Responsible Disclosure

The Company may provide a vulnerability reporting channel for security researchers and Customers to report suspected vulnerabilities. Vulnerability reports may be submitted to heretohelp@openmirai.com. The Company encourages responsible disclosure; reports submitted in good faith will not result in legal action against the reporter. The Company will acknowledge receipt within 5 business days and provide an initial assessment within 30 days. Reports should include sufficient detail to enable investigation, and reporters must avoid actions that could compromise data, service availability, or privacy. The Company may coordinate disclosure timelines where appropriate and may decline to engage where reports are incomplete or involve prohibited testing.

7. Incident Response and Notification

The Company maintains procedures intended to detect, respond to, and mitigate security incidents affecting the Platform. Incidents are classified by severity (Critical, High, Medium, Low). The Company will notify affected Customers within 72 hours of confirming a security incident via email to the Customer’s designated contact. Where required by applicable law or contract, the Company may notify Customers of incidents affecting Customer Content or Personal Data processed on the Customer’s behalf. Where the Company acts as a Processor, incident notification obligations are further described in the DPA.

8. Customer Responsibilities

Security is a shared responsibility. Customers are responsible for configuring access controls within their Organizations, maintaining the security of End User credentials, applying appropriate password and authentication policies, and limiting access to authorized personnel. Customers are responsible for the lawfulness and security of Customer Content, including ensuring that Content does not contain malware and that Customer-controlled integrations are configured securely. Customers should promptly notify the Company of suspected compromise of credentials or unauthorized access to the Platform.

9. Updates to this Security Policy

The Company may update this Security Policy from time to time. The Company will publish the updated version within the legal documentation portal and may provide additional notice of material changes by reasonable means. Unless otherwise stated, changes take effect on the effective date specified in the updated Security Policy.

10. Contact

Security contact email: heretohelp@openmirai.com. General contact methods are provided in the Contact and Notices page.
