Security
Last Updated: January 20, 2026
Our Commitment: Security isn't just a feature - it's the foundation of everything we build. Your data is protected with enterprise-grade security, encryption, and monitoring.
Security Overview
Juron implements a comprehensive security program covering:
- Infrastructure Security: Cloud-native architecture with defense-in-depth
- Data Protection: Encryption at rest and in transit
- Access Controls: Role-based permissions and multi-factor authentication
- AI Security: Model protection and prompt injection prevention
- Compliance: GDPR, CCPA, SOC 2 Type II (in progress)
- Monitoring: 24/7 threat detection and incident response
1. Infrastructure Security
1.1 Cloud Hosting
Amazon Web Services (AWS)
The underlying AWS infrastructure holds SOC 2 Type II, ISO 27001 and PCI DSS Level 1 attestations. These cover AWS's data centers and services, not Juron's own controls; Juron's own audit status is described in Section 8.
- Region: us-east-1 (N. Virginia), primary
- Redundancy: Multi-AZ deployment for high availability
- Backups: Automated daily backups with 30-day retention
- Disaster Recovery: RTO 4 hours, RPO 1 hour (see Section 9.2)
1.2 Network Security
- Firewalls: AWS Security Groups with least-privilege access
- VPC: Isolated Virtual Private Cloud with private subnets
- DDoS Protection: AWS Shield Standard (network- and transport-layer volumetric protection, included with AWS)
- WAF: Web Application Firewall for attack mitigation
- CDN: CloudFront with geographic restrictions
1.3 Server Security
- Hardened OS images with minimal attack surface
- Automated security patching within 48 hours of release
- No direct SSH to application hosts; administrative access goes through bastion hosts with logging
- Immutable infrastructure (containers rebuilt, not patched)
2. Data Encryption
2.1 Encryption at Rest
| Data Type | Encryption | Key Management |
|---|---|---|
| Database (PostgreSQL) | AES-256 | AWS KMS |
| File Storage (S3) | AES-256 | AWS KMS |
| Backups | AES-256 | AWS KMS |
| Application Secrets | AES-256 | AWS Secrets Manager |
2.2 Encryption in Transit
- HTTPS: TLS 1.3 required for all connections
- Certificates: Issued by Let's Encrypt. The "256-bit" figure often quoted describes the symmetric session key negotiated by TLS, not the certificate itself.
- API: All API endpoints enforce HTTPS only
- Database: Encrypted connections between application and database
- Internal Traffic: Service-to-service encryption
2.3 Key Management
- AWS Key Management Service (KMS) for encryption keys
- Automatic key rotation every 90 days
- Keys stored in FIPS 140-validated Hardware Security Modules (HSMs) inside KMS
- Separate keys per customer (enterprise tier)
3. Access Control
3.1 Authentication
- Password Requirements: Minimum 12 characters, complexity enforced
- Multi-Factor Authentication (MFA): Available for all accounts, required for admins
- SSO: SAML 2.0 single sign-on (Enterprise tier)
- Session Management: 24-hour session timeout; session identifiers stored in Secure cookies
- Account Lockout: 5 failed attempts = 15-minute lockout
3.2 Authorization
- Role-Based Access Control (RBAC): Admin, Member, Viewer roles
- Least Privilege: Users granted minimum necessary permissions
- API Keys: Scoped tokens with expiration
- Audit Logs: All access attempts logged
3.3 Employee Access
- Background checks for all employees with data access
- Just-in-time (JIT) access for support requests
- All access logged and monitored
- Automatic access revocation upon termination
- Annual security training required
4. AI & Model Security
4.1 AI Model Protection
- Proprietary Models: Hosted on isolated infrastructure
- Model Weights: Encrypted and access-controlled
- Training Data: Anonymized and aggregated only
- No Data Leakage: Customer data isolated, never mixed
4.2 Prompt Injection Prevention
- Input validation and sanitization
- System prompt protection mechanisms
- Output filtering for sensitive data
- Rate limiting on API requests
- Behavioral analysis for abuse detection
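An output filter of the kind listed above, as an added example rather than Juron's actual filter. It scans model output for US Social Security numbers and payment card numbers before the text reaches the client; the card check runs the Luhn algorithm so that arbitrary 16-digit order or tracking numbers are not redacted. The patterns, redaction tokens and the sample text are this example's own constructions.

```python
"""Output filter for sensitive data (Section 4.2) over constructed sample text.

Added example, not Juron's filter. Patterns, redaction tokens and the sample
output are this example's choices; the sample card number is a public test
number, not real data.
"""
import re

# SSN: area 000, 666 and 900-999, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by single spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum (ISO/IEC 7812); every real card number passes it."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def redact_sensitive(text: str) -> tuple[str, list[str]]:
    """Return (redacted_text, findings). Cards are checked first, then SSNs."""
    findings: list[str] = []

    def card_sub(m: re.Match) -> str:
        digits = re.sub(r"\D", "", m.group(0))
        if luhn_valid(digits):
            findings.append(f"card ending {digits[-4:]}")
            return "[REDACTED-CARD]"
        return m.group(0)  # fails Luhn: not a card number, leave it alone

    def ssn_sub(m: re.Match) -> str:
        findings.append("ssn")
        return "[REDACTED-SSN]"

    text = CARD_RE.sub(card_sub, text)
    text = SSN_RE.sub(ssn_sub, text)
    return text, findings


# Constructed sample of what a model might emit, not real customer data.
SAMPLE_OUTPUT = (
    "Sure! The card on file is 4242 4242 4242 4242, the customer's SSN is "
    "123-45-6789, and order 1234 5678 9012 3456 shipped yesterday."
)

if __name__ == "__main__":
    cleaned, found = redact_sensitive(SAMPLE_OUTPUT)
    print(cleaned)
    print(found)
```

Regex-plus-checksum filtering catches well-formed identifiers but not data the model spells out in words or splits across sentences, so a filter like this is one layer next to the input-side controls and data-minimisation, not a substitute for them.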
4.3 Third-Party AI APIs
| Provider | Usage | Data Retention |
|---|---|---|
| OpenAI | GPT-4 for language tasks | Zero retention (API agreement) |
| Anthropic | Claude for reasoning tasks | Zero retention |
Enterprise Privacy: All API calls use zero-retention agreements. Your data is NOT used to train third-party models.
5. Application Security
5.1 Secure Development
- Code Reviews: Peer review required for all changes
- Static Analysis: Automated security scanning (Snyk, SonarQube)
- Dependency Scanning: Daily checks for vulnerable libraries
- OWASP Top 10: Protection against common web vulnerabilities
- Penetration Testing: Annual third-party security audits
5.2 Vulnerability Management
- Critical: Patched within 24 hours
- High: Patched within 7 days
- Medium/Low: Patched within 30 days
- Bug Bounty: Responsible disclosure program (coming Q2 2026)
5.3 Security Headers
- Content-Security-Policy (CSP)
- X-Frame-Options: DENY
- X-Content-Type-Options: nosniff
- Strict-Transport-Security (HSTS)
- Referrer-Policy: strict-origin-when-cross-origin
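A check for the header policy listed above, as an added example rather than Juron's own tooling. The expected values for X-Frame-Options, X-Content-Type-Options and Referrer-Policy are the ones the page lists; the one-year HSTS minimum and the test for 'unsafe-inline'/'unsafe-eval' in the CSP script sources are this example's additions, and both header sets are constructed samples.

```python
"""Audit a response's headers against the policy in Section 5.3.

Added example, not Juron's tooling. Expected values for X-Frame-Options,
X-Content-Type-Options and Referrer-Policy come from the page; the HSTS
one-year minimum and the CSP unsafe-* check are this example's assumptions.
"""
import re
from typing import Mapping

ONE_YEAR = 31536000  # seconds; also the minimum max-age for the HSTS preload list


def _csp_script_sources(csp: str) -> str:
    """Return the effective script-src value, falling back to default-src."""
    directives: dict[str, str] = {}
    for part in csp.split(";"):
        tokens = part.split()
        if tokens:
            directives[tokens[0].lower()] = " ".join(tokens[1:])
    return directives.get("script-src", directives.get("default-src", ""))


def audit_headers(headers: Mapping[str, str]) -> list[str]:
    """Return a list of findings; an empty list means the policy is met."""
    h = {name.lower(): value.strip() for name, value in headers.items()}
    issues: list[str] = []

    csp = h.get("content-security-policy")
    if csp is None:
        issues.append("Content-Security-Policy missing")
    else:
        scripts = _csp_script_sources(csp)
        if "'unsafe-inline'" in scripts or "'unsafe-eval'" in scripts:
            issues.append("CSP allows 'unsafe-inline' or 'unsafe-eval' for scripts")

    if h.get("x-frame-options", "").upper() != "DENY":
        issues.append("X-Frame-Options is not DENY")

    if h.get("x-content-type-options", "").lower() != "nosniff":
        issues.append("X-Content-Type-Options is not nosniff")

    hsts = h.get("strict-transport-security") or ""
    m = re.search(r"max-age=(\d+)", hsts, re.IGNORECASE)
    if m is None:
        issues.append("Strict-Transport-Security missing or without max-age")
    elif int(m.group(1)) < ONE_YEAR:
        issues.append(f"HSTS max-age {m.group(1)} is below one year")

    if h.get("referrer-policy", "").lower() != "strict-origin-when-cross-origin":
        issues.append("Referrer-Policy is not strict-origin-when-cross-origin")

    return issues


# Constructed samples: one response that meets the policy, one that does not.
GOOD_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self'; frame-ancestors 'none'",
    "X-Frame-Options": "DENY",
    "X-Content-Type-Options": "nosniff",
    "Strict-Transport-Security": "max-age=63072000; includeSubDomains; preload",
    "Referrer-Policy": "strict-origin-when-cross-origin",
}
WEAK_HEADERS = {
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "X-Frame-Options": "SAMEORIGIN",
    "Strict-Transport-Security": "max-age=300",
}

if __name__ == "__main__":
    for name, hdrs in (("good", GOOD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or "policy met")
```

X-Frame-Options and the CSP frame-ancestors directive overlap; when both are present, browsers that support CSP level 2 honour frame-ancestors and ignore X-Frame-Options, so the two should agree.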
6. Monitoring & Incident Response
6.1 Security Monitoring
- 24/7 Monitoring: Automated threat detection
- SIEM: Security Information and Event Management system
- Intrusion Detection: AWS GuardDuty for anomaly detection
- Log Analysis: Centralized log collection and analysis (retention periods in Section 7.2)
- Alerts: Real-time notifications for security events
6.2 Incident Response
Response Times:
- Critical: 15 minutes
- High: 1 hour
- Medium: 4 hours
- Low: 24 hours
Incident Process:
- Detection & triage
- Containment & isolation
- Investigation & root cause analysis
- Remediation & recovery
- Post-incident review
- Customer notification (if data affected)
6.3 Breach Notification
In the event of a data breach:
- Customer notification: Within 72 hours of discovery
- Regulatory notification: As required by GDPR/CCPA
- Transparency report: Annual security summary
7. Data Protection & Privacy
7.1 Data Segregation
- Each customer's data stored in a separate database schema
- Tenant isolation enforced at the application layer
- Multi-tenant architecture with logical (not physical) separation
- Controls designed to prevent any cross-customer data access
7.2 Data Retention
- Active accounts: Data retained for the life of the account
- Deleted accounts: Data purged within 30 days
- Backups: Deleted from backups within 90 days
- Logs: Security logs retained for 1 year
7.3 Data Portability
- Export all your data in JSON/CSV format
- API access for programmatic data retrieval
- No vendor lock-in
8. Compliance & Certifications
SOC 2 Type II: In progress (target Q3 2026)
8.1 Privacy Frameworks
- GDPR (EU): Full compliance with data protection requirements
- CCPA (California): Consumer privacy rights implemented
- CPRA (California): Enhanced privacy protections
- Standard Contractual Clauses: For international data transfers
8.2 Enterprise Compliance
Available for Enterprise customers:
- Data Processing Agreement (DPA)
- Business Associate Agreement (BAA) for HIPAA
- Custom security questionnaires
- On-site security audits
- Dedicated security contact
9. Business Continuity
9.1 Availability
- Target Uptime: 99.9% (8.76 hours downtime/year)
- Enterprise SLA: 99.95% with credits for breaches
9.2 Disaster Recovery
- Backup Frequency: Continuous replication + daily snapshots
- Backup Retention: 30 days (90 days for Enterprise)
- Recovery Time Objective (RTO): 4 hours
- Recovery Point Objective (RPO): 1 hour
- Geographic Redundancy: Multi-region failover (Enterprise)
10. Physical Security
10.1 Data Center Security (AWS)
- 24/7 physical security guards
- Biometric access controls
- Video surveillance
- SOC 2 Type II audited facilities
- Environmental controls (fire, flood, temperature)
10.2 Office Security
- Locked facilities with badge access
- Encrypted laptops with full-disk encryption
- Clean desk policy
- Visitor logs and escort requirements
11. Vendor Security
11.1 Third-Party Risk Management
All vendors undergo security review:
- Security questionnaire
- Compliance certification verification
- Data Processing Agreements (DPAs)
- Annual re-assessment
11.2 Sub-Processors
Full list available in our Privacy Policy. Key vendors:
- AWS (hosting)
- OpenAI / Anthropic (AI models)
- Stripe (payments)
- SendGrid (email)
12. Security Best Practices for Users
12.1 Recommendations
- Enable MFA: Protect your account with two-factor authentication
- Strong Passwords: Use a password manager (1Password, LastPass)
- Review Access: Regularly audit team member permissions
- Monitor Activity: Check audit logs for suspicious activity
- Data Classification: Don't input highly sensitive data (SSNs, credit cards) unless necessary
12.2 Reporting Security Issues
Found a vulnerability? We appreciate responsible disclosure:
- Email: security@juron.ai
- Response Time: Within 24 hours
- Bug Bounty: Coming Q2 2026 via HackerOne
Please do NOT:
- Test on production systems without permission
- Access other customers' data
- Publicly disclose vulnerabilities before we've fixed them
13. Security Roadmap
Q1-Q2 2026
- SOC 2 Type I audit completion
- Bug bounty program launch
- SCIM provisioning for SSO
- Advanced threat detection
Q3-Q4 2026
- SOC 2 Type II certification
- ISO 27001 audit preparation
- HIPAA BAA availability
- Multi-region deployment
14. Contact Security Team
General Inquiries:
security@juron.ai
Vulnerability Reports:
security@juron.ai
PGP Key: Available for download
Compliance Questions:
compliance@juron.ai
Data Protection Officer:
dpo@juron.ai
Questions about our security? We're happy to discuss our security practices. Enterprise customers can request detailed security documentation and arrange security calls.