Security Policy

Noir Stack LLC

A Virginia Limited Liability Company

Effective Date: January 1, 2024

Last Updated: January 1, 2026

This Security Policy describes the administrative, technical, and physical safeguards implemented by Noir Stack LLC ("Company," "Noir Stack," "we," or "us") to protect systems, infrastructure, and data processed through our platforms, APIs, AI systems, and related services (collectively, the "Services").

This Policy applies to all environments operated or controlled by the Company, including multi-tenant SaaS platforms, APIs, and enterprise deployments.

1. Security Governance

The Company maintains a security program designed to protect the confidentiality, integrity, and availability of systems and data.

Security practices are aligned with industry-recognized frameworks, including:

  • SOC 2 Trust Services Criteria (conceptual alignment)
  • NIST-based control principles (where applicable)

Security controls are reviewed periodically and updated based on risk assessments, threat intelligence, and operational changes.

2. Shared Responsibility Model

Security is a shared responsibility between the Company and the Customer.

The Company is responsible for:

  • Securing underlying infrastructure and managed Services
  • Maintaining platform-level access controls
  • Monitoring system activity and threats
  • Implementing baseline safeguards

The Customer is responsible for:

  • Managing user access and permissions
  • Securing credentials and API keys
  • Configuring integrations and environments
  • Validating outputs and downstream usage

3. Infrastructure Security

The Company implements controls designed to secure infrastructure, including:

  • Network segmentation and logical isolation
  • Firewalls and access restrictions
  • Secure configuration baselines
  • Continuous system monitoring
  • Controlled administrative access

Cloud and hosting providers are selected based on security posture and contractual safeguards.

4. Encryption and Data Protection

The Company employs encryption practices consistent with industry standards:

  • Data in transit is protected using TLS encryption
  • Data at rest is encrypted where applicable and feasible
  • Sensitive credentials are stored using secure hashing or vault mechanisms

No method of transmission or storage is guaranteed to be fully secure.

5. Access Control

Access to systems and data is restricted using:

  • Role-Based Access Control (RBAC)
  • Least-privilege principles
  • Authentication controls (including multi-factor authentication where applicable)
  • Segregation of duties for administrative functions

Access is granted based on business need and revoked when no longer required.

6. Multi-Tenant Security and Isolation

The Services operate in logically segregated environments designed to:

  • Isolate tenant and workspace data
  • Prevent unauthorized cross-tenant access
  • Enforce access boundaries through application-layer controls
  • Maintain audit visibility across tenant activity

Customers are responsible for managing access within their own tenant environments.

7. Application and API Security

The Company applies security controls to application and API layers, including:

  • Input validation and request filtering
  • Authentication and authorization enforcement
  • Rate limiting and abuse detection
  • Secure API key management practices

APIs may be modified, rate-limited, or restricted to maintain system integrity.

8. Logging, Monitoring, and Detection

The Company maintains logging and monitoring capabilities designed to:

  • Track access and system activity
  • Detect anomalous behavior
  • Support incident investigation and response

Logs may include system events, authentication attempts, and API activity.

9. Vulnerability Management

The Company implements processes to identify and address vulnerabilities, including:

  • Periodic security reviews and assessments
  • Dependency and configuration monitoring
  • Timely remediation of identified risks

Security updates and patches are applied based on severity and operational risk.

10. Incident Response

The Company maintains an incident response process designed to:

  • Identify and contain security incidents
  • Investigate scope and impact
  • Remediate vulnerabilities
  • Restore affected systems

In the event of a confirmed breach involving personal data, notifications will be made in accordance with applicable law, including requirements under the Virginia Consumer Data Protection Act and related Virginia statutes.

11. Data Handling and Retention

Data is processed only as necessary to provide the Services.

The Company:

  • Does not claim ownership of Customer Data
  • Retains data only for legitimate business or legal purposes
  • Supports deletion or return of Customer Data upon termination, subject to applicable requirements

12. Personnel Security

The Company maintains internal practices designed to reduce risk, including:

  • Limiting access to systems based on role and necessity
  • Requiring adherence to internal security practices
  • Revoking access promptly upon role change or termination

13. Third-Party Risk Management

The Company may engage third-party providers for hosting, analytics, authentication, or infrastructure.

Such providers are selected based on:

  • Security posture and reliability
  • Contractual obligations for data protection
  • Operational necessity

The Company is not responsible for the independent security practices of third-party services outside its control.

14. Business Continuity and Availability

The Company maintains practices intended to support continuity of Services, including:

  • System redundancy where feasible
  • Backup and recovery processes
  • Monitoring of service health

No guarantee of uninterrupted availability is provided unless specified in a separate agreement.

15. AI and Automated System Security

For AI-enabled systems:

  • Inputs and outputs are processed within controlled system boundaries
  • Access to AI services is governed by authentication and authorization controls
  • AI outputs are not guaranteed to be accurate or deterministic

Customers are responsible for validating outputs and ensuring appropriate use.

16. Compliance and Legal Alignment

Security practices are designed to align with:

  • Applicable U.S. federal and state laws
  • Commonwealth of Virginia data protection requirements
  • Contractual obligations with enterprise customers

Where the Company acts as a processor, data handling is governed by applicable agreements, including Data Processing Addenda.

17. Limitations

While the Company implements commercially reasonable safeguards, no system can eliminate all security risk.

The Company does not warrant that:

  • Services will be free from vulnerabilities
  • Unauthorized access will never occur
  • Data loss or disruption will not happen

Use of the Services is subject to the limitations described in the Terms and Conditions.

18. Updates to This Policy

The Company may update this Security Policy periodically to reflect changes in technology, threats, or legal requirements.

Updates will be reflected by revising the "Last Updated" date.

19. Contact

Security inquiries, including vulnerability reports, may be directed to:

security@noirstack.com

Noir Stack LLC · Commonwealth of Virginia

© 2026 Noir Stack LLC. Noirlegence™ is the platform family for Noir Stack systems. All rights reserved.