Trust Center
Last Updated: April 14, 2026
Comprehensive security documentation for GenAIPI's platform, policies, and practices. This page supports client security reviews and audits.
1. Information Security Risk Management Program
GenAIPI maintains a formal Information Security Risk Management Program (InfoSec RMP) aligned with NIST CSF principles and ISO 27001 best practices, overseen by CAIO Brantley Brumley. The program covers risk identification through automated vulnerability scanning and dependency auditing, risk assessment using a qualitative likelihood/impact framework, risk treatment (mitigate, accept, transfer, avoid), and quarterly risk register reviews with continuous automated monitoring.
2. Confidentiality & Acceptable Use Agreement
All GenAIPI employees and contractors sign a Confidentiality and Acceptable Use Agreement covering: confidentiality obligations for all non-public information, acceptable use of company systems, data handling and minimization requirements, device security requirements, incident reporting obligations, and consequences of violation including termination and legal action.
3. Incident Response Policy
GenAIPI maintains a documented Incident Response Policy governing detection, containment, investigation, remediation, and reporting of security incidents. Incidents are classified as Critical (P1), High (P2), Medium (P3), or Low (P4). The incident response team is led by the CAIO and follows a five-phase response process: Detection, Containment, Eradication, Recovery, and Post-Incident Review.
4. Incident Response Program — Client Notification & SLAs
Client notification SLAs: Critical (P1) — initial assessment within 1 hour, client notification within 24 hours, status updates every 4 hours. High (P2) — assessment within 4 hours, notification within 48 hours, daily updates. Medium (P3) — assessment within 24 hours, notification within 72 hours. Escalation levels range from technical containment through executive/legal engagement and regulatory notification.
5. Network Vulnerability Management
Continuous vulnerability management overseen by the CAIO including: automated dependency scanning, infrastructure monitoring via hosting provider, AI-assisted security analysis (SAST, configuration review), and periodic external penetration testing. Critical vulnerabilities (CVSS 9.0+) addressed within 24 hours; High (7.0-8.9) within 7 days; Medium (4.0-6.9) within 30 days.
6. Encryption Standards
Data in transit: TLS 1.2/1.3 with HSTS (2-year max-age, i.e. max-age=63072000, with includeSubDomains and preload). Data at rest: AES-256 encryption managed by database provider. Password storage: bcrypt with adaptive cost factor. Payment data: handled entirely by PCI DSS Level 1 certified payment processor and never touches GenAIPI servers.
7. Communication Protocols
HTTPS (TLS 1.2/1.3) for all web traffic, API calls, and webhooks. WSS for WebSocket connections. SMTP/TLS for email delivery. PostgreSQL SSL for database connections. No customer data transmitted via unencrypted protocols.
8. Network Ports & Restrictions
Port 443 (HTTPS) — public web traffic. Port 80 (HTTP) — redirect to HTTPS only. Port 5432 (PostgreSQL) — restricted to application servers, SSL required. All other ports closed by default. Database not accessible from public internet.
9. Application Vulnerability Management
SAST scanning, automated dependency auditing, peer code review (enhanced review for auth/payment/data handling), schema-based validation on all inputs, and automated API response sanitization stripping sensitive fields.
10. Patch Management
Critical patches applied within 24 hours, high-severity within 7 days, routine updates bi-weekly, framework updates quarterly. Patches prioritized by CVSS score and exploitability. Customers notified in advance of maintenance causing interruption and after emergency patches addressing data-affecting vulnerabilities.
11. End-of-Life Software Policy
Transition planning begins 12+ months before EOL, active migration at 6 months, all EOL software eliminated from production at EOL date. Exceptions require documented risk acceptance by the CAIO.
12. Internal Audits
Quarterly formal audits using manual review and AI-assisted security scanning, covering access controls, secret management, dependency health, code security, security headers, rate limiting, data handling compliance, and backup integrity. Findings tracked to completion with monthly status reviews.
13. Web Application Security Controls
Content Security Policy (CSP), X-Frame-Options: DENY, X-Content-Type-Options: nosniff, X-XSS-Protection, HSTS, Referrer-Policy, IP-based rate limiting on auth endpoints, parameterized queries via ORM, schema-based input validation, automated API response sanitization, framework-level output escaping.
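The header set above is also one of the items covered by the quarterly internal audits in section 12. The following is an added example, not GenAIPI's code, of how such an audit check can be automated: it takes a response header map and reports every deviation from the policy stated on this page (2-year HSTS with includeSubDomains and preload, CSP present with no unsafe script sources, X-Frame-Options: DENY, nosniff, Referrer-Policy, X-XSS-Protection). The two sample responses are constructed for the example. One caveat on X-XSS-Protection, which the page lists without a value: modern browsers ignore it, and the only value that cannot re-enable the legacy filter's side effects in older browsers is "0", so the audit treats any other value as an advisory finding.

```javascript
// Added example (not GenAIPI's code): audit a response's security headers against
// the policy described in sections 6 and 13. Header names are matched case-insensitively.

const TWO_YEARS = 2 * 365 * 24 * 60 * 60; // 63072000 seconds, the HSTS max-age the page requires

// Lower-case all header names so lookups do not depend on how the server cased them.
function normalise(headers) {
  const out = {};
  for (const [k, v] of Object.entries(headers)) out[k.toLowerCase()] = String(v);
  return out;
}

// Parse "max-age=63072000; includeSubDomains; preload" into its directives.
function parseHsts(value) {
  const d = { maxAge: null, includeSubDomains: false, preload: false };
  for (const part of value.split(';')) {
    const p = part.trim().toLowerCase();
    if (p.startsWith('max-age=')) d.maxAge = parseInt(p.slice('max-age='.length), 10);
    else if (p === 'includesubdomains') d.includeSubDomains = true;
    else if (p === 'preload') d.preload = true;
  }
  return d;
}

// Return a list of findings; an empty list means the response meets the policy.
function auditSecurityHeaders(rawHeaders) {
  const h = normalise(rawHeaders);
  const findings = [];

  const hsts = h['strict-transport-security'];
  if (!hsts) {
    findings.push('missing Strict-Transport-Security');
  } else {
    const d = parseHsts(hsts);
    if (d.maxAge === null || Number.isNaN(d.maxAge)) findings.push('HSTS max-age missing or unparsable');
    else if (d.maxAge < TWO_YEARS) findings.push(`HSTS max-age ${d.maxAge} below policy (${TWO_YEARS})`);
    if (!d.includeSubDomains) findings.push('HSTS lacks includeSubDomains');
    if (!d.preload) findings.push('HSTS lacks preload');
  }

  const csp = h['content-security-policy'];
  if (!csp) {
    findings.push('missing Content-Security-Policy');
  } else {
    // Split the policy into directives; script-src governs scripts, default-src is the fallback.
    const directives = Object.fromEntries(
      csp.split(';')
        .map(s => s.trim().split(/\s+/))
        .filter(a => a[0])
        .map(a => [a[0].toLowerCase(), a.slice(1).map(s => s.toLowerCase())]));
    const script = directives['script-src'] || directives['default-src'];
    if (!script) findings.push('CSP has neither script-src nor default-src');
    else {
      if (script.includes("'unsafe-inline'")) findings.push("CSP script sources allow 'unsafe-inline'");
      if (script.includes("'unsafe-eval'")) findings.push("CSP script sources allow 'unsafe-eval'");
      if (script.includes('*')) findings.push('CSP script sources allow *');
    }
  }

  if ((h['x-frame-options'] || '').toUpperCase() !== 'DENY') {
    findings.push(`X-Frame-Options is "${h['x-frame-options'] || ''}", policy requires DENY`);
  }
  if ((h['x-content-type-options'] || '').toLowerCase() !== 'nosniff') {
    findings.push('X-Content-Type-Options is not nosniff');
  }
  if (!h['referrer-policy']) findings.push('missing Referrer-Policy');

  // X-XSS-Protection is ignored by current browsers; "0" is the only value that disables
  // the legacy filter everywhere, so anything else is reported as advisory.
  if (h['x-xss-protection'] === undefined) findings.push('missing X-XSS-Protection');
  else if (h['x-xss-protection'].trim() !== '0') findings.push('advisory: X-XSS-Protection should be "0"');

  return findings;
}

// Constructed sample responses (not captured from GenAIPI's servers).
const GOOD_RESPONSE = {
  'Strict-Transport-Security': 'max-age=63072000; includeSubDomains; preload',
  'Content-Security-Policy': "default-src 'self'; script-src 'self'; object-src 'none'",
  'X-Frame-Options': 'DENY',
  'X-Content-Type-Options': 'nosniff',
  'Referrer-Policy': 'strict-origin-when-cross-origin',
  'X-XSS-Protection': '0',
};
const WEAK_RESPONSE = {
  'strict-transport-security': 'max-age=300',
  'content-security-policy': "default-src 'self' 'unsafe-inline'",
  'x-frame-options': 'SAMEORIGIN',
};

console.log(auditSecurityHeaders(GOOD_RESPONSE)); // []
console.log(auditSecurityHeaders(WEAK_RESPONSE)); // eight findings
```

Run it against `curl -sI https://<host>/` output parsed into an object, or against a fetch response's headers, and fail the audit on a non-empty list. Because the check parses the HSTS directives rather than string-matching the whole value, a reordered or differently cased header still passes.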
14. Secure Development Practices
SSDLC integrating security at design, development, review, testing, and deployment phases. All code changes undergo peer review with enhanced security review for sensitive changes. Developers trained on OWASP Top 10, secure authentication, input validation, cryptographic best practices, and secure API design.
15. Roles & Permissions
RBAC across all platforms with User, School Portal, fCAIO Client Access, Admin, and Super Admin roles. Server-side middleware enforces authentication and role authorization. Deny-by-default access model with organization-scoped data filtering.
16. Secret Management
All secrets stored as environment variables via hosting platform secret management. Startup validation ensures required production secrets are present. Sensitive credentials strictly server-side. Development uses separate, functionally inert credentials.
17. Authentication
Session-based authentication with server-side session store. Passwords: bcrypt with adaptive cost factor, minimum 8 characters, uppercase and numeric required. Sessions: HttpOnly, Secure cookies, 7-day expiry. Rate limiting on auth endpoints per IP. SSO not currently offered; on roadmap for enterprise.
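Sections 13 and 17 both state that authentication endpoints are rate limited per IP. The following is an added example, not GenAIPI's code, of a sliding-window per-IP limiter of the kind that would sit in front of a login route. The limit, window, middleware shape and trusted-proxy address are assumptions for illustration. The part a practitioner most often gets wrong is the client address: X-Forwarded-For is attacker-controlled unless the request arrived from a proxy you operate, so the example only honours it for a known proxy peer and otherwise keys on the TCP peer address.

```javascript
// Added example (not GenAIPI's code): sliding-window per-IP rate limiter for auth endpoints.

class AuthRateLimiter {
  // limit: attempts allowed per client inside windowMs; now: injectable clock (ms) for tests.
  constructor({ limit = 10, windowMs = 15 * 60 * 1000, now = () => Date.now() } = {}) {
    this.limit = limit;
    this.windowMs = windowMs;
    this.now = now;
    this.hits = new Map(); // clientKey -> timestamps of attempts still inside the window
  }

  // Every call is charged as an attempt, whether the login then succeeds or fails,
  // so an attacker cannot reset the counter by interleaving valid logins.
  check(clientKey) {
    const t = this.now();
    const cutoff = t - this.windowMs;
    const recent = (this.hits.get(clientKey) || []).filter(ts => ts > cutoff);
    if (recent.length >= this.limit) {
      this.hits.set(clientKey, recent);
      // The window reopens when the oldest surviving attempt ages out.
      return { allowed: false, remaining: 0, retryAfterMs: recent[0] + this.windowMs - t };
    }
    recent.push(t);
    this.hits.set(clientKey, recent);
    return { allowed: true, remaining: this.limit - recent.length, retryAfterMs: 0 };
  }

  // Drop clients with no attempts left in the window; call periodically to bound memory.
  prune() {
    const cutoff = this.now() - this.windowMs;
    for (const [key, stamps] of this.hits) {
      if (!stamps.some(ts => ts > cutoff)) this.hits.delete(key);
    }
  }
}

// Choose the address to limit on. X-Forwarded-For is honoured only when the TCP peer is a
// proxy we trust (the address here is an assumption); with one trusted hop, the right-most
// entry is the address that proxy saw, and anything left of it is client-supplied and may be forged.
function clientIp(req, trustedProxies = new Set(['10.0.0.1'])) {
  const peer = req.socket.remoteAddress;
  const xff = req.headers['x-forwarded-for'];
  if (trustedProxies.has(peer) && xff) {
    const chain = xff.split(',').map(s => s.trim()).filter(Boolean);
    if (chain.length) return chain[chain.length - 1];
  }
  return peer;
}

// Express-style middleware (shape assumed): answer 429 with Retry-After once the limit is hit.
function authRateLimit(limiter) {
  return (req, res, next) => {
    const r = limiter.check(clientIp(req));
    res.setHeader('X-RateLimit-Remaining', String(r.remaining));
    if (!r.allowed) {
      res.setHeader('Retry-After', String(Math.ceil(r.retryAfterMs / 1000)));
      res.statusCode = 429;
      return res.end('Too many authentication attempts');
    }
    return next();
  };
}

module.exports = { AuthRateLimiter, clientIp, authRateLimit };
```

Mount it only on the login, password-reset and similar routes (for example `app.post('/login', authRateLimit(new AuthRateLimiter()), loginHandler)`) so ordinary traffic is not throttled. A per-IP limit alone does not stop a distributed password-spraying attack, so it is usually paired with a per-account counter; the page does not describe one, and this example does not add it.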
18. Key Management
API keys rotated on any indication of compromise, on personnel departure, and on a periodic schedule. Production and development keys strictly separated. Inbound webhook payloads are verified against the sender's signature before processing; a request whose signature is missing or invalid is rejected rather than accepted unverified. TLS certificates auto-managed by hosting infrastructure.
19. Network Segmentation
Production and development environments fully isolated with separate databases and credentials. Database not publicly accessible. All external service integrations use dedicated, environment-specific credentials with webhook signature validation.
20. FIPS Compliance
GenAIPI does not currently hold FIPS 140-2 or FIPS 140-3 certification and does not operate in FIPS mode. Current cryptographic posture uses industry-standard implementations: TLS 1.2/1.3, AES-256, bcrypt. FIPS compliance would be pursued if federal contracts require it.
21. Cryptographic Libraries
Platform-native cryptographic modules (OpenSSL-based) for session and token generation, bcrypt for password hashing, infrastructure-managed TLS for transport encryption, provider-managed AES-256 for data at rest, PCI DSS Level 1 certified payment processor for payment data. None currently hold individual FIPS 140-2/140-3 validation certificates.
22. Password Hashing
bcrypt with adaptive cost factor. Unique random salt per hash. Plaintext never stored or logged. Legacy non-bcrypt hashes rejected at login (forced reset). Constant-time comparison prevents timing attacks.
23. Data Retention Policy
Account info: active + 2 years. Certification: validity + 1 year. Assessments: 3 years. Course progress: 3 years. Live courses: 2 years post-completion. AI Transformation: engagement + 2 years. Consulting/dev: engagement + 1 year. Payments: 7 years (regulatory). Marketing: until consent withdrawn. Backups follow same schedule.
24. Data Deletion Procedures
User-initiated deletion processed within 30 days via privacy@genaipi.org. Contract termination: client data deleted within 90 days, credentials deleted immediately. Permanent deletion from primary storage. Backups purged through rotation cycles. Automated cleanup of expired sessions and tokens.
25. Evidence of Data Deletion
Certificate of Destruction provided upon request, documenting scope, date, deletion method, backup purge confirmation, and any legally retained data with justification. Contact privacy@genaipi.org to request.
26. Service Decommissioning & Data Purging
Complete data inventory, primary deletion within 30 days, backup purging within 90 days (cryptographic wiping where applicable), third-party subprocessor notification within 30 days. Certificate of Destruction provided to clients upon completion.
27. Data Classification Matrix
GenAIPI classifies all data into four tiers: Restricted (credentials, API keys, secrets — system-only access, encrypted, rotated, audit-logged), Confidential (PII, assessment results, course progress, fCAIO engagement data — role-based access, encrypted at rest AES-256 and in transit TLS 1.2+, subject to retention and deletion policies), Internal (redacted logs, analytics, admin config, unpublished content — internal personnel with business need), and Public (published content, catalogs, policies — no access restrictions, integrity-controlled). Payment card data is out of scope (handled by PCI DSS Level 1 processor). Unclassified data defaults to Confidential. Classifications reviewed annually or when new data types are introduced.
Contact
For security inquiries, audit requests, or detailed report access: security@genaipi.org