Information Security Policy

Last updated February 27, 2024

1. Introduction

This Information Security Policy outlines the framework for managing OpenPipe, Inc.'s information security. Our commitment is to protect the confidentiality, integrity, and availability of data entrusted to us by our customers, especially focusing on our model fine-tuning service. Through this policy, we establish and communicate our information security objectives and procedures to all employees, contractors, and third parties involved with our information systems and processes.

2. Purpose

The purpose of this policy is to ensure that:

• Customer data is protected against unauthorized access, disclosure, alteration, and destruction.

• Our information processing facilities and IT infrastructure are secure.

• Information security is integral to our corporate culture.

• Legal, regulatory, and contractual obligations are met.

3. Scope

This policy applies to all employees, contractors, and third-party users of information systems and IT infrastructure owned, operated, or provided by OpenPipe, Inc. It covers all forms of data, including electronic and physical, information systems, and data centers.

4. Data Classification and Handling

• Data Encryption: All customer data is encrypted at rest using industry-standard encryption technologies. Our storage solution, AWS RDS, is configured to ensure the highest levels of data protection.

• Data Usage: Customer data is exclusively used for the purpose of training fine-tuned models within their own customer account. Customers must provide explicit consent for any use beyond this scope.

5. Access Control

• Access to customer data and sensitive information systems is restricted to authorized personnel only, based on the principle of least privilege and role-based access control.

• Multi-factor authentication and strong password policies are enforced for all access to systems handling sensitive information.

6. Physical and Network Security

• Our physical infrastructure is hosted in secure AWS facilities that comply with SOC 2 standards, ensuring robust physical security controls.

• Network security measures, including firewalls and intrusion detection systems, are implemented to protect against unauthorized access and cyber threats.

7. Third-party Security

• We engage with third-party services for data processing and inference serving. All third parties are vetted to ensure they are SOC 2 compliant and adhere to strict data usage policies that align with this policy.

8. Incident Response and Management

• We have established an incident response plan to quickly address any security breaches or incidents, minimizing impact and ensuring timely communication with affected parties.

9. Compliance and Legal Requirements

• OpenPipe, Inc. is committed to complying with all relevant legal, regulatory, and contractual obligations, including data protection laws and privacy requirements.

10. Policy Review and Enforcement

• This policy will be reviewed at least annually or following significant changes to our business, technology, or threat landscape.

• Violations of this policy may result in disciplinary action, up to and including termination of employment or contracts, and legal action.

11. Contact Information

For questions or concerns regarding this policy or information security practices at OpenPipe, Inc., please contact our Information Security Officer at security@openpipe.com.