Unosecur Trust Center

Unosecur provides security, compliance, and AI governance infrastructure that enables organizations to build and operate secure systems with confidence. Our security program is aligned with internationally recognized standards and is continuously monitored, audited, and improved. We implement technical, administrative, and organizational safeguards designed to protect customer information, ensure system availability, and support regulatory compliance.

Controls
Infrastructure Security
control
Status
Service infrastructure maintained

The company patches the infrastructure supporting the service as part of routine maintenance and in response to identified vulnerabilities, to help ensure that servers supporting the service are hardened against security threats.

Production data backups conducted

The company performs periodic backups for production data. Data is backed up to a different location than the production system.

Database replication utilized

The company's databases are replicated to a secondary cloud in real-time. Alerts are configured to notify administrators if replication fails.

Remote access MFA enforced

The company's production systems can only be remotely accessed by authorized employees possessing a valid multi-factor authentication (MFA) method.

Unique production database authentication enforced

The company requires authentication to production datastores to use authorized secure authentication mechanisms, such as a unique SSH key.

Remote access encrypted enforced

The company's production systems can only be remotely accessed by authorized employees via an approved encrypted connection.

Production data segmented

The company prohibits confidential or sensitive customer data, by policy, from being used or stored in non-production systems/environments.

Network segmentation implemented

The company's network is segmented to prevent unauthorized access to customer data.

Unique network system authentication enforced

The company requires authentication to the "production network" to use unique usernames and passwords or authorized Secure Shell (SSH) keys.

Segregation in virtual computing environments

A cloud service customer's virtual environment running on a cloud service should be protected from other cloud service customers and unauthorized persons.

Production multi-availability zones established

The company employs a multi-location strategy for production environments to permit the resumption of operations at other company cloud locations in the event of loss of a facility.

Organizational Security
control
Status
Employee background checks performed

The company performs background checks on new employees.

Security awareness training implemented

The company requires employees to complete security awareness training within thirty days of hire and annually thereafter.

Confidentiality Agreement acknowledged by contractors

The company requires contractors to sign a confidentiality agreement at the time of engagement.

Production inventory maintained

The company maintains a formal inventory of production system assets.

Asset disposal procedures utilized

The company has electronic media containing confidential information purged or destroyed in accordance with best practices, and certificates of destruction are issued for each device destroyed.

Whistleblower policy established

The company has established a formalized whistleblower policy, and an anonymous communication channel is in place for users to report potential issues or fraud concerns.

Internal Security Procedures
control
Status
Continuity and disaster recovery plans tested

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it at least annually.

Incident response plan tested

The company tests its incident response plan at least annually.

Backup processes established

The company's data backup policy documents requirements for backup and recovery of customer data.

Vendor management program established

The company has a vendor management program in place. Components of this program include:

• critical third-party vendor inventory;
• vendor's security and privacy requirements; and
• review of critical third-party vendors at least annually.

Incident response policies established

The company has security and privacy incident response policies and procedures that are documented and communicated to authorized users.

Configuration management system established

The company has a configuration management procedure in place to ensure that system configurations are deployed consistently throughout the environment.

Management roles and responsibilities defined

The company management has established defined roles and responsibilities to oversee the design and implementation of information security controls.

Service description communicated

The company provides a description of its products and services to internal and external users.

Security policies established and reviewed

The company's information security policies and procedures are documented and reviewed at least annually.

Support system available

The company has an external-facing support system in place that allows users to report system information on failures, incidents, concerns, and other complaints to appropriate personnel.

Roles and responsibilities specified

Roles and responsibilities for the design, development, implementation, operation, maintenance, and monitoring of information security controls are formally assigned in job descriptions and/or the Roles and Responsibilities policy.

Third-party agreements established

The company has written agreements in place with vendors and related third parties. These agreements include confidentiality and privacy commitments applicable to that entity.

Incident management procedures followed

The company's security and privacy incidents are logged, tracked, resolved, and communicated to affected or relevant parties by management according to the company's security incident response policy and procedures.

Development lifecycle established

The company has a formal systems development life cycle (SDLC) methodology in place that governs the development, acquisition, implementation, changes (including emergency changes), and maintenance of information systems and related technology requirements.

Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

AI Security & Compliance
control
Status
AI system impact assessment

The organization shall perform AI system impact assessments according to 6.1.4 at planned intervals or when significant changes are proposed to occur. The organization shall retain documented information of the results of all AI system impact assessments.

Determining the scope of the AI management system

The organization shall determine the boundaries and applicability of the AI management system to establish its scope. The scope shall be available as documented information.

AI objectives and planning

The organization shall establish AI objectives at relevant functions and levels. The AI objectives shall be consistent with the AI policy, be measurable (if practicable), take into account applicable requirements, be monitored, communicated, and updated as appropriate.

Monitoring, measurement, analysis

The organization shall determine what needs to be monitored and measured, the methods for monitoring, measurement, analysis and evaluation, when they shall be performed, and when results shall be analysed and evaluated. The organization shall evaluate the performance and effectiveness of the AI management system.

General - Audit

The organization shall conduct internal audits at planned intervals to provide information on whether the AI management system conforms to the organization's own requirements and the requirements of this document, and is effectively implemented and maintained.

Nonconformity and corrective action

When a nonconformity occurs, the organization shall react to it, evaluate the need for action to eliminate the cause(s), implement any action needed, review the effectiveness of any corrective action taken, and make changes to the AI management system if necessary.

AI policy

The organization should document a policy for the development or use of AI systems.

External reporting

The organization should provide capabilities for interested parties to report adverse impacts of the system.

Communication of incidents

The organization should determine and document a plan for communicating incidents to users of the system.

Information for interested parties

The organization should determine and document its obligations for reporting information about the AI system to interested parties.

Processes for responsible use of AI

The organization should define and document the processes for the responsible use of AI systems.

Objectives for responsible use of AI

The organization should identify and document objectives to guide the responsible use of AI systems.

Intended use of the AI system

The organization should ensure that the AI system is used according to the intended uses of the AI system and its accompanying documentation.

Understanding the organization and its context

The organization shall determine external and internal issues that are relevant to its purpose and that affect its ability to achieve the intended result(s) of its AI management system.

Understanding the needs and expectations of interested

The organization shall determine the interested parties that are relevant to the AI management system, their relevant requirements, and which of these requirements will be addressed through the AI management system.

AI management system

The organization shall establish, implement, maintain, continually improve and document an AI management system, including the processes needed and their interactions, in accordance with the requirements of this document.

Leadership and commitment

Top management shall demonstrate leadership and commitment with respect to the AI management system by ensuring that the AI policy and AI objectives are established, ensuring the integration of the AI management system requirements into the organization's business processes, and ensuring that the resources needed are available.

AI policy

Top management shall establish an AI policy that is appropriate to the purpose of the organization, provides a framework for setting AI objectives, includes a commitment to meet applicable requirements, and includes a commitment to continual improvement of the AI management system.

Roles, responsibilities and authorities

Top management shall ensure that the responsibilities and authorities for relevant roles are assigned and communicated within the organization.

Awareness

Persons doing work under the organization's control shall be aware of the AI policy, their contribution to the effectiveness of the AI management system, and the implications of not conforming with the AI management system requirements.

Communication

The organization shall determine the internal and external communications relevant to the AI management system including what it will communicate, when to communicate, with whom to communicate, and how to communicate.

General - AI management

The organization's AI management system shall include documented information required by this document and documented information determined by the organization as being necessary for the effectiveness of the AI management system.

Creating and updating

When creating and updating documented information, the organization shall ensure appropriate identification and description, format and media, and review and approval for suitability and adequacy.

AI risk treatment

The organization shall implement the AI risk treatment plan according to 6.1.3 and verify its effectiveness. The organization shall retain documented information of the results of all AI risk treatments.

Internal audit programme

The organization shall plan, establish, implement and maintain an audit programme, including the frequency, methods, responsibilities, planning requirements and reporting.

General Management Review

Top management shall review the organization's AI management system, at planned intervals, to ensure its continuing suitability, adequacy and effectiveness.

Management review inputs

The management review shall include the status of actions from previous management reviews, changes in external and internal issues, information on the AI management system performance, and opportunities for continual improvement.

Management review results

The results of the management review shall include decisions related to continual improvement opportunities and any need for changes to the AI management system.

Alignment with other organizational policies

The organization should determine where other policies can be affected by or apply to the organization's objectives with respect to AI systems.

Review of the AI policy

The AI policy should be reviewed at planned intervals or additionally as needed to ensure its continuing suitability, adequacy and effectiveness.

Reporting of concerns

The organization should define and put in place a process to report concerns about the organization's role with respect to an AI system throughout its life cycle.

Control of documented information

Documented information required by the AI management system shall be controlled to ensure it is available and suitable for use where and when needed, and it is adequately protected.

General

When planning for the AI management system, the organization shall consider the issues referred to in 4.1 and the requirements referred to in 4.2 and determine the risks and opportunities that need to be addressed.

AI risk assessment

The organization shall define and establish an AI risk assessment process. The organization shall perform AI risk assessments at planned intervals or when significant changes are proposed or occur.

AI system deployment

The organization should document a deployment plan and ensure that appropriate requirements are met prior to deployment.

AI system recording of event logs

The organization should determine at which phases of the AI system life cycle record keeping of event logs should be enabled, but at the minimum when the AI system is in use.

Quality of data for AI systems

The organization should define and document requirements for data quality and ensure that data used to develop and operate the AI system meet those requirements.

System documentation and information

The organization should determine and provide the necessary information to users of the system.

Product Security
control
Status
Vulnerability and system monitoring procedures established

Host-based vulnerability scans are performed at least quarterly on all external-facing systems. Critical and high vulnerabilities are tracked to remediation. The company's formal policies outline requirements for system monitoring.

Data and Privacy
control
Status
Privacy policy established

The company has a privacy policy in place that documents and clearly communicates to individuals the extent of personal information collected, the company's obligations, the individual's rights to access, update, or erase their personal information, and an up-to-date point of contact where individuals can direct their questions, requests or concerns.

Data retention procedures established

The company has formal retention and disposal procedures in place to guide the secure retention and disposal of company and customer data.

Privacy compliant procedures established

The company has documented processes and procedures in place to ensure that any privacy-related complaints are addressed, and the resolution is documented in the company's designated tracking system and communicated to the individual.

Privacy policy available

The company has a privacy policy available to customers, employees, and/or relevant third parties who need them before and/or at the time information is collected from the individual.

Privacy policy reviewed

The company reviews the privacy policy as needed or when changes occur and updates it accordingly to ensure it is consistent with the applicable laws, regulations, and appropriate standards.

Privacy policy maintained

The company has established a privacy policy that uses plain and simple language, is clearly dated, and provides information related to the company's practices and purposes for collecting, processing, handling, and disclosing personal information including:

• organizational operating jurisdictions;
• an individual's choice and consent for the collection, use, and disclosure of personal information;
• an individual's right to access, update or remove personal information;
• a process for individuals to exercise their rights;
• requirements to only provide the essential information needed for the service;
• types or categories of information collected;
• purposes for the collection of information;
• methods of collection (cookies or other tracking techniques, etc.);
• consequences for not providing or withdrawing the essential information;
• sources of information (third parties, direct collection, etc.);
• types or categories of third parties (sources and disclosures);
• the purpose for disclosure of information to third parties.

Data classification policy established

The company has a data classification policy in place to help ensure that confidential data is properly secured and restricted to authorized personnel.

Data deletion requests handled

The company validates deletion requests; once confirmed, they are flagged and the requested information is deleted, in accordance with applicable laws and regulations.

Continuity and Disaster Recovery plans established

The company has Business Continuity and Disaster Recovery Plans in place that outline communication plans in order to maintain information security continuity in the event of the unavailability of key personnel.

Continuity and Disaster Recovery plans tested annually

The company has a documented business continuity/disaster recovery (BC/DR) plan and tests it annually.

Limit collection

The company limits collection of PII to the minimum that is necessary for its purposes.

Appoint EU representative

The company shall appoint an EU based representative.

Customer data deleted upon leave

The company purges or removes customer data containing confidential information from the application environment, in accordance with best practices, when customers leave the service.

PII transmission controls for processor

The company encrypts PII in transit.

PII transmission controls for controller

The company implements technical controls to ensure data transmitted to third parties reaches its destination.