Security at Uncapt

• Information Security Management System (ISMS) aligned to ISO/IEC 27001 practices (policies, risk assessment and treatment, continuous improvement).
• Documented policies: access control, acceptable use, cryptography, secure development, vendor risk, incident response, change management, backup/DR, data retention, privacy.
• Security training for all personnel; role‑based training for engineers; background checks for employees where permitted by law.
• Security and privacy by design: risk assessment and data‑protection considerations are embedded in product and project lifecycles.
• Separation of duties; least‑privilege by default; periodic access reviews.

• Role‑based access control (RBAC) and least‑privilege access.
• MFA enforced for administrative and privileged accounts.
• Centralised identity for production access; just‑in‑time elevation for sensitive operations where applicable.
• Segregation of environments (dev/test/stage/prod);
• Quarterly access reviews; immediate revocation on role change or termination.

• Encryption in transit: TLS 1.2+ for all external communications and service‑to‑service calls where supported.
• Encryption at rest: industry‑standard AES‑256 (or cloud‑equivalent) for databases, storage, and backups.
• Key management: cloud KMS/HSM where applicable; key rotation per provider best practices and policy.
• Secrets management: dedicated secrets vault; no secrets in code repositories; rotation on compromise or schedule.
• Tenant isolation: logical segregation of Customer Data; strict access controls and guardrails.
• Data minimisation and purpose limitation aligned to the DPA.

• Threat modelling for material features; design reviews for security and privacy.
• Code review on all changes; CI/CD with automated checks.
• Dependency management with vulnerability scanning (SCA).
• Application security testing: SAST/DAST integrated into the pipeline where applicable; Manual security testing for high‑risk areas
• Change management with approval workflow, rollback plans, and production change logging.

Regular vulnerability scanning of applications and relevant infrastructure.

• Emergency patching for actively exploited issues.
• Third‑party libraries monitored and updated routinely.

• Centralised logging of security‑relevant events (auth, admin actions, configuration changes, data access patterns).
• Time‑synchronised systems; tamper‑resistant log storage.
• Alerting for anomalous activity and failed security controls.
• Regular review of alerts and security dashboards.

• Documented incident response plan with severity classification, roles and escalation paths.
• Customer notifications for confirmed Security Incidents "without undue delay" consistent with the DPA; collaboration on containment, forensics, and remediation.
• Post‑incident reviews and corrective actions for Sev 1/2 incidents; RCA summary provided per SLA.

SaaS backups of platform data under Uncapt control; periodic restoration testing.

• Documented BCP/DR plans; annual exercises.
• For VPC/On‑Prem, Customer is responsible for backups and DR of Customer‑managed layers.

• Data residency and hosting regions as specified in your Order.
• Retention aligned to contractual and legal requirements; data minimisation principles applied.
• Exports: self‑service export features where available; assisted export on request (see Terms/DPA).
• Deletion: on termination (or request), export then delete Personal Information from active systems and purge from backups per standard cycles; certification available on request (see DPA).

• Use of reputable cloud and service providers for hosting, monitoring, email delivery, ticketing, etc.
• Security and privacy due diligence prior to onboarding; contractual obligations no less protective than the DPA.
• Current subprocessors list available on request or in Annex B of the DPA.
• Notifications of material changes to subprocessors per the DPA with an objection/transition process.

• Network segmentation and security groups; least‑privilege firewall rules.
• Managed WAFs and DDoS protections where applicable.
• Hardened images and baseline configurations; CIS‑aligned benchmarks where feasible.
• Bastion‑based administrative access with MFA and session logging.

• Safety gates and governance layer baked into the Platform (quality gates, confidence scoring, human‑in‑the‑loop, audit trails).
• Versioning of knowledge structures and logic; change approval workflows.
• Audit trail generation for decisions and evidence provenance; configurable retention (see SLA/Order).
• Guardrails to reduce harmful/unsafe outputs; monitoring of model performance and drift where relevant.

• Compliance with the Privacy Act 1988 (Cth) and applicable State health records laws; privacy‑by‑design principles.
• DPA available at https://uncapt.com/legal/dpa, including Notifiable Data Breaches cooperation, subprocessors, cross‑border controls (APP 8), and data subject request assistance.

• SSO (SAML/OIDC) and SCIM (where available) for centralised identity and provisioning.
• RBAC with configurable roles/permissions.
• IP allow‑listing and session controls (where available).
• API authentication via OAuth2/bearer tokens; per‑client rate limits and scopes.
• Export utilities for Customer Data.

• Periodic third‑party penetration testing of the externally exposed application and APIs.
• Findings triaged and remediated under the vulnerability SLAs above.
• Coordinated Vulnerability Disclosure: report issues to security@uncapt.com; please include details (affected component, steps to reproduce, impact).
• Do not perform unapproved penetration or load testing (see AUP).

• For SaaS, Uncapt relies on leading cloud providers' certified data centres with industry‑standard physical and environmental controls (access controls, surveillance, redundant power/cooling).
• For VPC/On‑Prem, Customer is responsible for data centre/office physical security and endpoint protections.

• ISMS aligned with ISO/IEC 27001 practices.
• Where formal certifications or attestations are achieved (e.g., ISO 27001, SOC 2), Uncapt will publish details or make reports available under NDA upon request.
• Industry‑specific requirements (e.g., healthcare) are addressed contractually via SOWs/Orders where applicable.

• Security contact: security@uncapt.com
• Privacy contact: privacy@uncapt.com (or via the DPA contact in Annex E)
• Abuse/AUP violations: abuse@uncapt.com
• Status page (availability/incident updates): https://status.uncapt.com

v1.0 (15-Jul-2024): Initial publication of the Security Measures Summary aligned to Terms/DPA/SLA.