Information Security Policy & Practices
Updated February 24, 2026
1. Executive Summary
Eluu AI is committed to ensuring the Confidentiality, Integrity, Availability, and Privacy of its information assets, providing comprehensive protection against the consequences of confidentiality breaches, integrity failures, and interruptions to availability.
Eluu is an AI-powered operations platform designed to help businesses streamline and automate their operational workflows. Our platform leverages artificial intelligence to deliver intelligent automation, seamless integrations, and actionable insights that drive more effective and efficient business operations.
In support of our commitment to Security & Privacy by Design, security is central to how we build our products, safeguard your data, and ensure high resilience. We have established and implemented security and privacy principles within a robust framework for building and maintaining secure systems, applications, and services. This framework allows us to integrate a set of standards, guidelines, and best practices for managing information security, cybersecurity, data security, and privacy considerations, or related risks, by default and by design, while ensuring compliance with multiple global requirements.
We maintain a top-down governance model with security ingrained in our DNA. This approach enables us to continuously navigate evolving threat vectors and to calibrate and strengthen our security posture, aligning with the changing business and technology landscape.
2. Scope
This policy applies to all Eluu employees, assignees, partners, and contractors who provide services to Eluu, and it forms an integral part of the Business Code of Conduct.
This also covers the security of information systems and data networks owned or used by Eluu as well as the information that is stored, transmitted, or processed by those systems.
3. Applicability
Eluu is committed to complying with all applicable laws and regulations in every location and country in which it operates or processes information.
Key legislation that is complied with includes laws related to corporate governance, employee relations, data privacy, intellectual property, and financial reporting.
4. Leadership & Commitment
Executive leadership (Top Management) members are a part of the internal Information Security & Compliance Steering Committee (ISCSC), which ensures that all Eluu commitments to customers and stakeholders are upheld.
Eluu is committed to information security, the protection of personal information, and privacy in accordance with applicable laws, regulations, and standards. Information Security & Compliance Steering Committee (ISCSC) members are responsible for defining and improving the Integrated Management System (IMS).
Top management has demonstrated leadership and commitment to the Integrated Management System (IMS) by:
- Ensuring the information security and personal data protection policy and its objectives are established and are compatible with the strategic direction of Eluu.
- Ensuring the integration of the requirements of the Information Security Management System (ISMS) and other standards into Eluu's processes.
- Ensuring that the resources needed are available.
- Communicating the importance of an effective integrated management system and of conforming to integrated management system requirements.
- Ensuring that the IMS achieves its intended outcome(s).
- Directing and supporting persons to contribute to the effectiveness of the IMS.
- Promoting continual improvement.
- Supporting other relevant management roles to demonstrate their leadership as it applies to their areas of responsibility.
5. Policy
Eluu is committed to:
- Ensuring confidentiality, integrity, privacy, and availability by adequately protecting information and information systems against unauthorized access or modification.
- Establishing and implementing security policies and processes that address the protection of information and information systems from internal and external threats.
- Complying with legal, regulatory, and contractual security & privacy obligations as applicable.
- Ensuring security and privacy awareness and competency among associates so that they can meet their security & privacy obligations.
- Providing a framework to manage and handle security incidents, privacy breaches, violations, and business disruptions.
- Ensuring continuous improvement of the security & privacy posture so that its objectives are consistently met.
Eluu shall adopt leading industry security & privacy standards and practices to design and develop a robust information security & privacy management framework in support of this policy statement. To this effect, the policy shall be supported by domain-level security & privacy policies, procedures, guidelines, and standards, which shall be communicated and made available to relevant stakeholders.
5.1. Security and Privacy Governance Structure
At Eluu, executive leadership (Top Management) is integral to the internal Information Security & Compliance Steering Committee (ISCSC), ensuring that all Eluu commitments to customers and stakeholders are upheld. The ISCSC ensures that the security and privacy of customer information, along with the correct processing of any personal information in line with privacy regulations, are standard practices at Eluu.
While information security and privacy are organization-wide responsibilities, the ISCSC has established dedicated information security and privacy roles to oversee these principles. Both roles report directly to the ISCSC and independently manage the governance aspects of information security and privacy. The Information Security function is led by the Information Security Officer (ISO), and the Privacy function is led by the Data Protection Officer (DPO), both of whom report directly to the ISCSC. The committee is headed by the Chief Executive Officer (CEO).
The ISCSC is committed to continuously aligning Eluu's information security and privacy posture so as to ensure data security, assure non-repudiation of customer data, deliver secure and stable products that provide consistent output, deliver services that are resilient to internal and external threats and interruptions, and orient our people to the principles of security and privacy by design in their respective job roles. Business processes are designed and implemented with a focus on risk and control considerations.
The ISCSC conducts structured reviews of Information Security and Privacy on a semi-annual basis. The broad objectives of these reviews are:
- Roadmap: Ensure that the information security and privacy roadmap is thoughtfully developed, taking into account all customer, regulatory, and contractual requirements, and is aligned with internal and external threat vectors.
- Initiatives: Review various information security and privacy initiatives or programs and provide necessary recommendations.
- Expertise: Ensure that adequate expertise is available for all information security and privacy initiatives. The ISCSC provides technical input and ensures that Eluu leverages expert opinions from relevant industry sources.
- Resources: Ensure that adequate resources, both human and financial, are allocated to various initiatives for effective execution.
- Performance Evaluation: Evaluate the performance and effectiveness of the Information Security Management System (ISMS) and any related controls.
To mitigate the risk of fraud and errors, Eluu is committed to maintaining a segregation of duties. Responsibilities are divided among different individuals to prevent any single person from having complete control over critical processes or systems.
Eluu Information Security and Privacy Structure:
- Security Product & Engineering (App Sec): Responsible for ensuring that information security requirements are integrated within the platform's application architecture and technology landscape. This role ensures that technology components are hardened, access-controlled, and monitored, with all internal and external threat vectors managed.
- Governance, Risk, and Compliance (GRC): Responsible for managing risk, ensuring the appropriate design and consistent operation of controls, coordinating audits, and managing information security incidents. The GRC role ensures compliance with various information security and privacy frameworks and facilitates continuous improvement of controls. Additionally, GRC is responsible for ensuring that the company operates within legal and regulatory frameworks, creating and implementing essential policies, procedures, and controls. These documents are reviewed annually and are accessible to all Eluu employees through a centralized document repository.
5.2. Human Resources Security and Privacy
At Eluu, we take pride in building a secure, reliable, easy-to-use, and high-performance AI-powered operations platform. We believe that our customers and employees are the foundation of our success.
Recruitment
We seek smart, passionate individuals who excel in building great products, designing outstanding user experiences, and creating scalable platforms. All recruitment intents are submitted to HR, accompanied by a job description, roles, and responsibilities. These intents are approved by the respective department or pod heads based on their recruitment plans. Candidates are selected based on a thorough evaluation of cultural and skill fit.
Background Verification
All new employees undergo a mandatory background verification check initiated after the employment offer is extended. Eluu engages third-party service providers to verify identity, education, employment history, and criminal background. Any risks identified during the background check are analyzed and reviewed by HR and the respective business manager before a final decision is made.
Onboarding
New employees undergo an onboarding process that includes an overview of Eluu's values, vision, objectives, organizational structure, and key processes. As part of onboarding, employees receive training on information security, data privacy, the Code of Conduct, and relevant compliance practices. This training ensures that all employees understand their responsibilities regarding information security, privacy, and compliance.
Confidentiality Undertaking
All new hires sign a confidentiality agreement as part of their employment contract. This agreement outlines their obligations and responsibilities in handling confidential information during their employment.
Code of Conduct
Eluu's Code of Business Conduct and Ethics flows directly from our commitment to our mission and core values. We strive for excellence and aim to deliver value to our customers, partners, and stakeholders with integrity and high ethical standards.
The Code is designed to:
- Promote ethical conduct and deter wrongdoing.
- Ensure we operate with integrity and avoid conflicts of interest.
- Ensure compliance with all laws and Eluu policies, including accurate and clear communication in reports, advertising, and public statements.
- Encourage the prompt internal reporting of suspected violations.
The Code applies to all employees, officers, directors, and independent contractors. Key policies covered by the Code include:
- Promoting Diversity and Respect
- Conflict of Interest
- Anti-Bribery, Antitrust, and Anti-Corruption
- Fair Dealing
- Acceptable Use of Company Assets
- No Retaliation
- Privacy and Confidentiality
- Health and Safety
- Equal Employment Opportunity
- Prevention of Harassment at Workplace
- Intellectual Property Rights Policy
- Disciplinary Process
During onboarding, employees are informed about internal policies and processes. They are also briefed on the complaint reporting mechanism and disciplinary process. Policy violations are reported as incidents and investigated by HR. Depending on the severity, violations can result in a warning, suspension, or termination.
Transfers and Movements
When employees are transferred internally, HR finalizes the transfer date in consultation with the reporting manager and informs the new manager. Access needs are then adjusted according to the new role.
Employee Exits
Resignations are submitted to the reporting manager and HR. The exit process is initiated after HR and the reporting manager confirm the relieving date. Access to company information and assets is revoked, and all company property is returned by the employee.
Remote Working
Employees working remotely must adhere to Eluu's policies and procedures to protect confidential information. This includes using secure networks, maintaining strong passwords, and following best practices for data protection.
5.3. Security Awareness and Training
Eluu ensures that all employees are security and privacy-conscious through ongoing educational activities and practical exercises. Each employee, upon joining, signs a confidentiality agreement and an acceptable use policy, followed by training in information security, privacy, and compliance.
All employees must complete the annual information security, privacy, and compliance awareness training. Additional role-specific training is provided to personnel with specific job functions, focusing on the security and privacy risks relevant to their responsibilities.
Training logs, including details of the training class, attendees, and dates, are maintained by HR.
5.4. Asset Management
Eluu has established a formal Asset Management Policy to facilitate the effective management, control, and maintenance of assets and information within its operations. Assets are classified according to their functionality and criticality to ensure appropriate protection and management.
Asset Classification and Protection
Information assets at Eluu are identified, classified, labeled, and handled according to their level of confidentiality and sensitivity. The confidentiality and sensitivity of information are maintained through an Information Asset Classification scheme, which determines the level of security accorded to each asset.
Acceptable Usage of Assets
Employees are expected to exercise good judgment and responsibility regarding the personal use of company assets. For security and network maintenance purposes, authorized individuals within Eluu monitor equipment, systems, and network traffic.
Eluu reserves the right to suspend or disable employee network accounts in the event of an actual or suspected security breach or policy violation.
5.5. Information Classification & Handling
Eluu has developed and implemented a formal information classification and handling standard, with distinct classification levels, which all Eluu employees must follow. The protection level and the requirements for data processing are defined for each classification category. Eluu's classification model consists of four levels:
- Restricted
- Confidential
- Internal
- Public
The classification level of all information or data is identified, both on the data itself and in the asset inventory. Information assets may be assigned security controls commensurate with their exposure to risk.
5.6. Identification and Authentication
Eluu has adopted a Zero Trust model for Identity and Access Management (IAM), ensuring the principle of "never trust, always verify." Access rights are provisioned based on the principles of "least privilege," "need-to-know," and "need-to-have or need-to-do." As part of user lifecycle management, defined processes for adding, changing, and removing users and their access rights are applied across all information systems, applications, and services, with regular periodic reviews conducted to ensure compliance.
Product Access
Eluu implements the principle of least access privileges and role-based access controls across all information systems. Only authorized employees have access to customer accounts, as necessary for configuration or troubleshooting purposes. These privileged accesses are regularly reviewed.
Internal Systems Access
Access to Eluu's internal systems is based on the principle of least privilege. Information systems and data are classified and segregated to support role-based access requirements. Strong identification, authentication, and logging systems are deployed to provide centralized control for administering, monitoring, and reviewing all critical access events.
Access Control Environments
Eluu maintains separate environments for development, testing, and production. Each environment is isolated and shielded from interactions with others. Developers do not have access to the production environment, including migration changes, which are restricted to designated and authorized individuals.
Authorization Process
All access requests are logged, tracked, and managed through a centralized system. Requests must be approved by the reporting manager and respective department head or their delegate. Once approved, the request is routed to system administrators for provisioning. All access requests, approvals, and provisioning actions are logged to maintain a comprehensive audit trail.
Access Reviews
On a quarterly basis, the ownership of all user accounts in the production environment is reviewed. For sensitive and critical accounts, reviews are conducted monthly. The information security team tracks the user access review process and reports findings to the ISCSC.
Password Management
Eluu enforces password complexity and length requirements according to industry best practices. Password policies include the following:
- Minimum password length of 8 characters, including a mix of uppercase, lowercase, numbers, and symbols.
- Account lockout after failed login attempts to prevent brute-force attacks.
- Mandatory periodic password changes.
- Secure storage of passwords using approved encryption methods.
- Password hashing using bcrypt with a random salt to enhance security.
- Prevention of password reuse.
Single Sign-On (SSO)
Eluu supports Single Sign-On (SSO) via SAML 2.0, enabling teams to log in using their existing corporate credentials.
5.7. Cryptographic Protections
Eluu has developed and implemented a formal cryptographic protection standard to ensure the confidentiality, authenticity, and integrity of information transmitted through third-party networks and to protect against unauthorized access or malicious activities.
Cryptographic Controls
Cryptographic controls at Eluu are employed to achieve various security objectives, including:
- Confidentiality: Encryption is used to protect restricted or critical information, whether stored or transmitted.
- Integrity/Authenticity: Digital signatures or message authentication codes (MACs) are used to ensure the authenticity and integrity of sensitive or critical information, both in storage and during transmission.
- Non-Repudiation: Cryptographic techniques are employed to provide proof of the occurrence or non-occurrence of specific events or actions.
These cryptographic controls are implemented in compliance with all relevant agreements, laws, and regulations.
Data Encryption
Eluu uses industry-standard cryptographic methods to protect customer data both in transit and at rest. Specifically:
- In Transit: All communications with Eluu platforms and APIs are encrypted using HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between users and Eluu is secure during transit.
- At Rest: Encryption is enabled by default on all services containing data at rest, utilizing AES-256 bit encryption standards. Key management is handled by industry-standard key management services (KMS).
Key Management
Eluu prioritizes the security and integrity of cryptographic keys through stringent key management practices that adhere to industry standards and best practices. Our key management approach includes:
- Key Generation, Distribution, and Storage: Keys are generated, distributed, and stored securely, with strict controls over access and usage.
- Key Updates and Disposal: Regular updates are conducted, and keys are securely disposed of when no longer needed.
- Incident Response: Any compromises or incidents involving cryptographic keys are promptly addressed.
- Compliance: We ensure compliance with all legal requirements, maintaining the authenticity and integrity of keys while protecting them against unauthorized access and physical threats.
5.8. Physical & Environmental Security
This section outlines the physical and environmental security measures at Eluu's offices and the data centers where Eluu products and data are hosted.
Physical and Perimeter Security at Data Centers
Eluu's products and data are hosted in cloud data centers that offer cutting-edge security and compliance with various information security standards. The data centers are located in nondescript facilities, with physical access strictly controlled at both the perimeter and building ingress points. Security measures include video surveillance, motion detectors, intrusion alarms, and two-factor authentication for access to data center floors.
Environmental Safeguards at Data Centers
Critical IT equipment is hosted in cloud data centers equipped with automatic fire detection and suppression systems. Flood protection, redundant power supply systems, and optimal climate controls are maintained to prevent overheating and service outages.
Equipment Maintenance
Eluu adheres to supplier recommendations and implements a robust maintenance program to ensure the reliability of equipment. Access to equipment is restricted to authorized personnel, and all maintenance activities are recorded.
Secure Disposal or Reuse of Equipment
Eluu ensures the secure disposal and reuse of equipment and storage media containing confidential information. These measures are critical for maintaining information security and compliance.
5.9. Security Operations
Eluu maintains a formal information security management program with dedicated security personnel. A formal policy and process are in place to address key information security considerations for IT operations, including standard operating procedures, change management, configuration management, release management, information backup, restoration, and cloud computing.
Malware and Spam Protection
Anti-malware systems and services are implemented to detect, prevent, and report malicious software and activities. All in-scope systems are equipped with malware protection and detection software, regularly updated with the latest definitions.
Logging
Eluu has defined criteria for creating and managing logs, specifying the data to be collected and procedures for protecting and handling log data. Logs capture user IDs, system activities, event details, and network information, covering events such as access attempts, system configuration changes, and file access.
Monitoring
Eluu is committed to a robust monitoring framework that safeguards the security and integrity of our systems, networks, and data. Monitoring activities include scope determination, baseline establishment, anomaly detection, and specific measures for web monitoring. Eluu's Security Information and Event Management (SIEM) system collects extensive logs from key network devices and host systems to detect potential threats. Alerts are generated when threshold criteria are met or suspicious event patterns are matched, notifying the security team for investigation and response.
Threat Intelligence
Eluu maintains robust threat intelligence practices to protect our assets and stakeholders. We vet and select relevant information sources, collect and process data, analyze findings, and communicate them effectively. Continuous improvement is prioritized to adapt to evolving threats and organizational needs.
Backup
Data hosted in the cloud is replicated in real time across Availability Zones (AZs) or to separate cloud regions, ensuring fault tolerance and stability.
Technical Vulnerability Management
Eluu adheres to a CVSS-based vulnerability management standard, categorizing vulnerabilities by severity (critical, high, medium, and low). Regular vulnerability scans are conducted on all production systems and endpoints, with remediation timeframes determined by CVSS level, impact analysis, and contractual SLAs.
5.10. Change Management
Eluu management is committed to establishing a cross-functional working model tailored to the size, nature of activities, and evolving business realities in product development, support, and maintenance. Eluu utilizes agile methodologies combined with a Continuous Integration and Continuous Deployment (CI/CD) approach, to ensure rapid delivery of functionalities to customers.
Code Version Management
Continuous integration (CI) is essential for maintaining fast development cycles within the CI/CD pipeline. Every block of code is unit tested before being checked into the code repository using a source control tool. Changes to uncompiled source code are tracked to ensure code integrity.
Change Verification and Approval
Following the principles of Security by Design, product security is integrated into every build cycle at Eluu. Multiple security checks, including code reviews, web vulnerability assessments, and advanced security tests, are conducted for every build. Source code analysis is performed using approved tools, and identified vulnerabilities are fixed and revalidated before code promotion.
Change Deployment
To minimize potential downtime, Eluu employs deployment strategies that reduce risk by enabling quick rollback capabilities. Deployment and final testing occur in a non-live environment before being switched to live.
5.11. Capacity & Performance Planning
The capacity management process at Eluu is designed to ensure continuous alignment between business capacity management (strategic and forecasting) and service capacity management (tactical). This process ensures that the platform remains available 24x7 throughout the year, except during planned downtimes.
Eluu maintains adequate headroom to accommodate unexpected traffic. The following parameters are used for managing capacity:
- CPU and memory load
- IO load and job queue length
- Concurrent connections (Requests per minute - RPM)
- Error rate in the system
- Application-specific parameters
Stress-Testing of Cloud Infrastructure
Eluu conducts regular stress tests on its cloud systems and services to ensure they meet peak performance requirements. These tests help identify potential vulnerabilities or weaknesses in the infrastructure, allowing for proactive measures to be taken.
5.12. Communications Security
Eluu has implemented robust security and privacy controls to protect the confidentiality, integrity, availability, and safety of its network infrastructure. These controls enforce the concept of "least functionality," restricting network access to systems, applications, and services, while providing situational awareness of network activities.
The following controls have been established to protect exchanged information:
- Network Controls: Eluu periodically monitors and updates its communication technologies to ensure network security according to industry best practices. Cryptographic techniques are employed to protect the confidentiality, integrity, and authenticity of sensitive and confidential information.
- Infrastructure Controls: Eluu employs Intrusion Detection Systems (IDS), Security Information and Event Management (SIEM) systems, and other security monitoring tools on production servers. Alerts from these tools are sent to the Security Team for prompt action.
- Secure Communication: All data transmissions to Eluu services are encrypted using TLS, with certificates signed using SHA-256 and issued by trusted Certificate Authorities (CAs), ensuring secure connections from users' browsers to our services.
- Network Segregation: Network segregation is achieved by establishing VLAN/DMZ architectures. The Testing, Production, and Development environments are segregated to ensure security and isolation.
5.13. System Acquisition, Development, and Maintenance
Eluu has established a Software Development Lifecycle (SDLC) standard, designed to ensure security and privacy are integral parts of each product or platform developed or acquired. This standard aligns with the principles of "least privilege" and "least functionality," ensuring that all systems, applications, and services adhere to secure engineering practices.
Eluu's SDLC and Security Integration
Eluu follows an Agile and DevOps SDLC model focused on process adaptability, customer satisfaction, and quality delivery. Key activities enhancing security and privacy posture include:
- Defining security and privacy requirements
- Design activities, including threat modeling, analysis, and security design review
- Development controls, such as static analysis and manual peer code reviews
- Testing, including dynamic analysis, third-party security vulnerability assessments, and penetration testing
Security Automation
Automation is a core component of Eluu's application security, enabling continuous security coverage throughout the SDLC. Key automation initiatives include:
- Static Code Analysis: Automated tools scan code repositories, providing feedback directly to developers to mitigate issues early in the development process.
- Dynamic Analysis: Tools identify security vulnerabilities at runtime.
- Software Composition Analysis: Continuous monitoring of third-party components to ensure timely mitigation of vulnerabilities.
Separation of Development, Test, and Production Environments
Eluu enforces strict separation between development, testing, and production environments. The production environment is logically segregated from development and testing environments using virtual private cloud (VPC) and subnet concepts, with no customer data used in development or test environments.
5.13.1. Platform Security
Network Infrastructure Overview
Eluu's network architecture employs a multi-tiered security framework, with services and data hosted in Virtual Private Clouds (VPCs) across multiple availability zones.
External connections are terminated at the Load Balancer, which provides DDoS protection. The Load Balancer directs incoming connections to private subnets containing the application stack.
Networking Security Overview
Eluu's network is decoupled into separate tiers, with multiple firewall rules in place to reduce the attack surface. Key features include:
- Deny-All Firewall Configuration: Only explicit traffic meeting specific criteria is allowed.
- Advanced Routing Rules: Secure the network and services from web application exploits.
- DDoS Mitigation: Implemented through Load Balancer, network firewall, and scalable DNS services, along with WAF protection against Layer 4 and Layer 7 attacks.
Multi-Tenancy
Each application is serviced from an individual VPC, with each customer uniquely identified by a tenant ID. This design ensures that customers can only access their own data.
Encryption and Tokenization
Eluu employs AES-256 bit encryption for data at rest and HTTPS with TLS 1.2 and above for data in transit. Passwords are one-way hashed and salted using bcrypt, and third-party API calls are authorized using OAuth 2.0 with secure access tokens.
Code Security
Secure coding principles are integral to Eluu's development activities, adhering to OWASP Secure Coding Guidelines. Key practices include:
- Static Code Analysis: Automated analysis using industry-standard tools.
- Secure Development Lifecycle: Training for developers, design and code reviews, and third-party penetration testing.
- Protection from Zero-Day Exploits: Employing strict access controls, micro-segmentation, continuous monitoring, and robust incident response.
Bug Reporting
Eluu values responsible disclosure of security vulnerabilities. Bugs can be reported through email at [email protected].
5.14. Third-Party Management
Eluu partners with organizations that adhere to global standards and regulations. These organizations include sub-processors or third parties that Eluu utilizes to assist in providing its products.
Third-Party Onboarding
Eluu classifies vendors into categories based on the nature of the data they handle, ranging from those that handle customer data (store, process, transmit) to internal business tools. All vendors are required to complete a questionnaire and undergo an information security and privacy compliance review.
Third-Party Risk Management
Eluu conducts regular assessments of service providers to ensure that data is processed fairly and only for the purposes for which it was collected. Key checks include the service provider's vulnerability and patch management processes, intrusion protection capabilities, and access management processes.
Data Governance
Eluu's Data Processing Addendum (DPA) executed with sub-processors includes requirements regarding breach notifications and reporting obligations. The GRC team also conducts periodic reviews of service providers as part of its Risk Management Process.
5.15. Cloud Security
Eluu is committed to empowering businesses to achieve exceptional operational outcomes. We accomplish this by providing a comprehensive AI-powered operations platform that is intuitive, intelligent, and designed for teams across organizations of all sizes.
Eluu adheres to industry-standard security frameworks and relevant privacy and data protection regulations, including GDPR, CCPA, and the Australian Privacy Act 1988.
Cloud Resiliency Powered by Architecture
Eluu hosts all applications and customer data in cloud data centers. As a SaaS product, ensuring availability and seamless functionality for users is a top priority.
- Architecture: Eluu's network security architecture is designed with multiple security zones. The most restricted systems, such as database servers, are placed in the most trusted zones. Demilitarized Zones (DMZs) separate the internet from internal zones, and internal zones from one another.
- Protection: Our network is safeguarded through the use of key cloud security services, edge protection networks, regular audits, and network intelligence technologies. These systems monitor and block known malicious traffic and network attacks.
- Redundancy: Eluu employs service clustering and network redundancy to eliminate single points of failure. A rigorous backup regime supports high service availability, and customer data and services are replicated across multiple availability zones, providing resilience against localized disruptions.
5.16. Incident Response
Eluu has established a comprehensive security incident management process designed to classify and handle incidents and security breaches efficiently. A dedicated incident management team, consisting of individuals with the necessary technical expertise and authority, has been formed to respond to information security incidents. The information security team is responsible for recording, tracking, responding to, resolving, monitoring, and communicating about incidents to appropriate parties in a timely manner.
The incident response plan outlines the procedures to be followed in the event of an information security incident, including the roles and responsibilities of the incident management team. Information security incidents are classified based on their severity and impact on the organization's operations.
For immediate reporting of complaints or breaches, you can contact us at [email protected].
Breach Notification
Eluu has established processes for the early identification and reporting of incidents and breaches. As a data controller, Eluu notifies the relevant Data Protection Authority of a breach within 72 hours of becoming aware of it. Depending on specific requirements, we will also notify customers when necessary. As a data processor, we inform the relevant data controllers without undue delay.
5.17. Business Continuity & Disaster Recovery
Business Continuity Plan
Eluu has established a formal Business Continuity Plan (BCP) and Disaster Recovery Plan (DRP) to support people, processes, and technology during any crisis or business interruption. Roles and responsibilities have been clearly defined and documented. Information security is maintained at appropriate levels throughout any disruption.
- Recovery Time Objective (RTO): Eluu aims to restore normal operations within four hours from the time a disaster is declared, unless a disaster or multiple disasters impact all Availability Zones used by an account.
- Recovery Point Objective (RPO): Eluu's infrastructure is configured to limit data loss to one hour or less. This is measured from the point of disruption, not from the disaster declaration.
Eluu continually reviews its business continuity program, incorporating lessons learned from actual events, exercises, and audits.
Real-Time Backup
All data hosted in the cloud is synchronized in real time across Availability Zones (AZs) or to a separate cloud region. Each AZ is isolated from the other AZs in its region, and each region from other regions, to maximize fault tolerance and stability. Backup and restore testing is conducted annually to confirm the integrity of backups and the effectiveness of the restore process.
Fault Tolerance Using High Availability & Redundancy
Eluu employs high availability solutions to provide continuous service to customers using multiple isolated Availability Zones within each region. Each AZ is physically separated within the metropolitan region, connected through low-latency links, and supported by redundant power and networking infrastructure. These measures help reduce Single Points of Failure (SPOF).
Testing and Exercise
The BC and DR Plan is tested and reviewed annually. Annual training on BCP and DRP requirements is provided to all relevant workforce members involved in the process.
5.18. Endpoint Security
In light of the evolving threat landscape and the increasing sophistication of cyberattacks, Eluu has implemented a Zero Trust model to fortify our defenses and mitigate potential risks.
Zero Trust Model
All devices, including but not limited to computers, laptops, and mobile devices, are considered untrusted by default. Access to resources, applications, and data is granted based on continuous authentication, least privilege access principles, and contextual factors rather than implicit trust in the network or device.
Company-Provided Assets
All employees are provided with company-issued laptops to carry out their responsibilities. These endpoints are configured with standard builds deployed through a Mobile Device Management (MDM) solution for centralized control and management. Authentication is managed through Single Sign-On (SSO) backed by Eluu's identity and access management (IAM) platform, with Two-Factor Authentication (2FA).
- Antivirus Protection: AI and ML-supported antivirus and antimalware solutions are deployed on all endpoints, implementing multiple layers of protection. Signature updates are periodically pushed to all systems to maintain up-to-date protection.
- Full Disk Encryption: All laptops and workstations are secured via full disk encryption. Updates are applied to employee machines on an ongoing basis, and workstations are monitored for malware. Critical patches can be applied remotely, and devices can be remotely wiped via the device manager if necessary.
- Access Controls: Wherever possible, Two-Factor Authentication (2FA) is used to further secure access to Eluu's corporate infrastructure.
Email Security
- Domain Signing: All outbound email is cryptographically signed for the eluu.ai domain so that receiving mail servers can verify it genuinely originated from Eluu.
- Encryption in Transit: Email is encrypted in transit between mail servers to protect its content from interception.
5.19. Risk Management
Eluu has established a Risk Management Framework as part of its Information Security Management System (ISMS). The Information Security team conducts security risk assessments annually and on an ongoing basis, especially when significant internal changes occur or when notable events happen in the industry.
Integrated Control System
Eluu has implemented an integrated control system characterized by different control types, such as layered, preventative, detective, corrective, and compensating controls, to mitigate identified risks.
Risk Assessments
Risk assessments at Eluu evaluate multiple factors that may impact security, as well as the likelihood and impact of potential loss of confidentiality, integrity, and availability of information and systems.
Recurring Risk Assessments
Risk assessments are conducted bi-annually across various departments or whenever significant changes occur, including technology, infrastructure, or process-related changes, introduction or change of suppliers, changes leading to exceptions to Eluu policies, or changes affecting the legal or regulatory requirements of the system.
Risk Treatment Plans
Appropriate risk treatment plans (Reduce Risk, Avoid Risk, Transfer Risk, Retain Risk) are considered and approved by the CEO and Risk Owner. The risk assessment, top risk selection, and risk treatment plans are reviewed, and progress is tracked by the ISCSC.
5.20. Vulnerability & Patch Management
Eluu has established a comprehensive process and control system for handling vulnerabilities in our products and infrastructure.
Source Code
Eluu follows secure coding guidelines based on OWASP Secure Coding Guidelines. Developers receive training on secure coding practices at least annually to ensure adherence to security standards.
Product Vulnerability Management
Eluu conducts regular Vulnerability Assessment and Penetration Testing (VAPT) for our products. Identified issues are logged as tickets and are prioritized and resolved according to the SLA defined in our vulnerability management process:
- Critical: within 7 days
- High: within 15 days
- Medium: within 30 days
- Low: within 45 days
Cloud Infrastructure Vulnerability Management
Eluu's cloud infrastructure is managed by a dedicated cloud infrastructure team. Only essential traffic is allowed; all other traffic is blocked by security groups and Network Access Control Lists (NACLs). Regular scans, both automated and manual, are conducted to identify vulnerabilities.
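The deny-all, allow-by-exception posture described here and in the Networking Security Overview (load balancer tier in front of private application and database subnets) is easiest to keep honest with a check that runs against the live rule set. The script below is an added example, not Eluu's tooling or configuration: it audits security-group ingress rules, in the shape returned by AWS's describe-security-groups, against a hypothetical per-tier allowlist. Tier names, group ids, ports and the sample rules are all constructed for the illustration.

```python
"""Audit security-group ingress against an explicit per-tier allowlist."""
from typing import Dict, List, Optional, Set

# Hypothetical tier policy (not Eluu's actual rules): what each tier may accept.
# Anything not listed here is reported, which is what "deny all by default" means.
TIER_POLICY: Dict[str, Dict] = {
    "lb":  {"cidr_ports": {443}, "from_tier": {}},               # internet -> LB, HTTPS only
    "app": {"cidr_ports": set(), "from_tier": {"lb": {8443}}},   # only the LB reaches app
    "db":  {"cidr_ports": set(), "from_tier": {"app": {5432}}},  # only app reaches db
}

# Constructed sample in the shape of AWS describe-security-groups output, with a
# Tier field added (in practice derived from a tag). Group ids are hypothetical.
SAMPLE_GROUPS: List[Dict] = [
    {"GroupId": "sg-lb", "Tier": "lb", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
    ]},
    {"GroupId": "sg-app", "Tier": "app", "IpPermissions": [
        {"IpProtocol": "tcp", "FromPort": 8443, "ToPort": 8443,
         "UserIdGroupPairs": [{"GroupId": "sg-lb"}]},
        # Debug rule someone forgot to remove: SSH from anywhere.
        {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
         "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
    ]},
    {"GroupId": "sg-db", "Tier": "db", "IpPermissions": [
        # Right source, but every protocol and port instead of only 5432.
        {"IpProtocol": "-1", "UserIdGroupPairs": [{"GroupId": "sg-app"}]},
    ]},
]


def opened_ports(perm: Dict) -> Optional[Set[int]]:
    """Ports a permission opens; None means all ports (protocol -1 or an ICMP-style range)."""
    if perm.get("IpProtocol") == "-1":
        return None
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    if lo is None or hi is None or lo < 0:
        return None
    return set(range(lo, hi + 1))


def describe(ports: Optional[Set[int]]) -> str:
    if ports is None:
        return "all ports"
    return f"port {min(ports)}" if len(ports) == 1 else f"ports {min(ports)}-{max(ports)}"


def audit_security_groups(groups: List[Dict]) -> List[str]:
    """Return one finding per ingress rule that the tier policy does not explicitly allow."""
    tier_of = {g["GroupId"]: g["Tier"] for g in groups}
    findings: List[str] = []
    for g in groups:
        policy = TIER_POLICY[g["Tier"]]
        for perm in g.get("IpPermissions", []):
            ports = opened_ports(perm)
            # CIDR sources: permitted only on the ports the tier exposes to addresses at all.
            for rng in perm.get("IpRanges", []) + perm.get("Ipv6Ranges", []):
                cidr = rng.get("CidrIp") or rng.get("CidrIpv6")
                if ports is None or not ports <= policy["cidr_ports"]:
                    findings.append(f"{g['GroupId']} ({g['Tier']}): {describe(ports)} open to {cidr}")
            # Security-group sources: permitted only from the named upstream tier on its port.
            for pair in perm.get("UserIdGroupPairs", []):
                src_tier = tier_of.get(pair["GroupId"], "unknown")
                allowed = policy["from_tier"].get(src_tier, set())
                if ports is None or not ports <= allowed:
                    findings.append(
                        f"{g['GroupId']} ({g['Tier']}): {describe(ports)} open to "
                        f"{pair['GroupId']} ({src_tier} tier)")
    return findings


if __name__ == "__main__":
    for line in audit_security_groups(SAMPLE_GROUPS):
        print("FINDING:", line)
```

Because the check is an allowlist rather than a blocklist, a rule that is merely unusual (a corporate CIDR on port 22, an extra port between tiers) is reported the same way as one that is plainly dangerous; that is the intended behaviour, since under a deny-all policy every exception should be a documented decision.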
Patch Management
Eluu's patch management process is governed by applicable policies and standards to ensure that all patches, both security and otherwise, are deployed in accordance with defined SLAs.
5.21. Data Security
Data Leakage Prevention
Eluu prioritizes data security through robust policies and tools that encompass the identification, prevention, and monitoring of data leakage.
- Endpoint Restrictions: All external USB ports on Eluu machines are restricted by default. Removable mass storage devices are also restricted and can only be enabled with appropriate approval and business justification.
- Encryption: Hard drive encryption is deployed on all laptops to protect data. Content filtering is enabled, and user access is continuously monitored according to defined policies.
Encryption of Data in Transit and at Rest
Eluu ensures the encryption of restricted and confidential data both in transit and at rest.
- Restricted Information: This includes the most sensitive forms of information, such as employee personal information, Personally Identifiable Information (PII), financial account data, and strategic plans. Such information is encrypted during transmission outside Eluu-owned or managed networks.
- Confidential Information: This includes data distributed on a "Need to Know" basis, such as system security parameters, intellectual property, customer data, and business plans. All network communication between customers and the Eluu platform is encrypted for the entire life of the session, until it is terminated or the user logs out.
Information Deletion
Eluu adheres to stringent policies and procedures for the timely and secure deletion of confidential and restricted information to mitigate risks and maintain data integrity throughout its lifecycle.
Privacy and Protection of PII
Eluu prioritizes the privacy and protection of Personally Identifiable Information (PII) by implementing clear policies and procedures that ensure compliance with relevant laws and regulations, including the Australian Privacy Act 1988, GDPR, and CCPA.
Data Retention and Disposal
Eluu processes and stores customer data while providing services or when data is transmitted via the Eluu platform.
- Data Retention: Eluu retains customer data provided during signup, including Personally Identifiable Information (PII) such as name, company name, and email address. This data is stored securely to facilitate customer identification and account management.
- Data Disposal: Data disposal processes at Eluu adhere to industry best practices. Methods used for data disposal include digital wiping and physical shredding, ensuring that data is rendered unrecoverable.
5.22. Control Assurance
Eluu's control environment provides the foundation for all components of internal controls, including the management of logical and physical access, data security, incident response, change management, security and privacy operations, and monitoring. Eluu is committed to conducting business with the highest ethical standards and integrity. The Eluu Code of Conduct addresses potential ethical issues in business transactions, including compliance with laws, regulations, and internal policies.
Corporate Governance
Eluu is led by the Chief Executive Officer (CEO) with corporate oversight. The CEO provides strategic direction and corporate oversight, reviewing management activities related to overall company risk, audit, and governance.
Internal Audit and Compliance
The Governance, Risk, and Compliance (GRC) team within Eluu conducts internal audits annually for all defined processes and controls. Audit findings are reported directly to the ISCSC, which tracks and oversees the remediation of these findings until closure.
Vulnerability Assessment and Penetration Testing (VA & PT)
The Application Security team conducts ongoing vulnerability assessments and penetration testing on all Eluu product platforms in production environments.
5.23. Compliance
Eluu ensures that controls are in place to comply with all applicable statutory, regulatory, and contractual obligations, as well as internal company standards. We are committed to providing secure products and services by adhering to the requirements of GDPR, CCPA, the Australian Privacy Act 1988, and other privacy and data protection acts, both as a data controller and processor.
Compliance Policy and Procedure
Eluu has established a formal Compliance Policy and Procedure that addresses all aspects of compliance related to Eluu's Information Security and Privacy Policies.
Commitment to Legal and Regulatory Compliance
Eluu is dedicated to conducting business lawfully and consistently with its compliance obligations. The Legal and Regulatory Compliance Policy establishes the principles and commitment required for achieving compliance by:
- Establishing a clear compliance framework.
- Promoting rigorous compliance throughout the organization.
- Facilitating compliance monitoring.
- Ensuring good corporate governance.
Data Privacy and Protection
Eluu is committed to protecting the privacy of personal information belonging to its customers, employees, and third parties with whom it has agreements. Disclosure of such information is limited to statutory, contractual, regulatory, or legal requirements.
Intellectual Property Rights (IPR)
Eluu adheres to legal restrictions on the use of assets with Intellectual Property Rights (IPR), including copyright, software licenses, trademarks, and design rights. All software programs, documentation, and other information generated or provided by Eluu users, consultants, and contractors for Eluu's benefit are considered Eluu's property.
Compliance with Relevant Laws
Eluu explicitly defines the statutory, regulatory, and contractual requirements for its information assets, including but not limited to:
- Australian Privacy Act 1988
- Information Technology Laws
- Software Licensing Requirements
- Intellectual Property Rights (IPR) Laws
- Labor and General Employment Laws
- Health and Safety Laws
Compliance Standards and Information Security Program
Compliance requirements serve as a baseline for security and privacy within Eluu. The primary compliance standards include:
- EU GDPR
- CCPA
- Australian Privacy Act 1988
Eluu's information security program is built on internationally recognized information security management standards and best practices, covering security, confidentiality, process integrity, availability, and privacy. Eluu agrees to implement appropriate technical and organizational measures to protect customer, employee, and third-party data as required by applicable data protection laws. Eluu also commits to regularly testing, assessing, and evaluating the effectiveness of its Information Security Program to ensure secure data processing.
Disciplinary Actions
Any employee found to have violated this policy may be subject to disciplinary and/or legal action according to the Eluu Code of Conduct and Disciplinary process.
Contact
Please feel free to share your questions at [email protected].
Version 1.0