Trust & Compliance
Security Built Into Every Layer
Your data security and regulatory compliance are non-negotiable. See how EmpowerGPT protects your business.

Compliance

Audit Logs: Complete audit trails for all user activities and AI interactions.
Data Processing Agreements: Standard DPAs available for all enterprise customers.
Certifications
GDPR
SOC 2
ISO 27001

Resources

Controls

Platform & Network Security

Encryption key lifecycle managed
Production system access governed by least privilege
Network segmentation enforced across workloads
Remote access requires MFA and encrypted channel

Access Management & Identity

Role-based access model applied platform-wide
Enterprise identity federation supported
Multi-factor authentication enforced for all accounts
Privileged access uses time-limited elevation

Data Protection & Privacy

Data encrypted at rest across all storage layers
Data in transit protected with layered encryption
Customer data isolated between tenants
AI providers barred from training on customer data

Governance & Compliance

SOC 2 Type II audit programme sustained annually
Board oversight of cybersecurity and privacy risk
Business continuity and DR plans tested annually
Whistleblower and ethical reporting channel in place
ISO 27001:2022 Official Certificate: Request access
Data Processing Agreement (DPA): View
SOC 2 Type II Report: Request access
EmpowerGPT Data Flow Diagram: View
Subprocessor List (current): View
Platform & Network Security
Infrastructure hardening, network architecture, and perimeter controls.
Encryption key lifecycle managed
Active
Encryption keys are issued, rotated, and revoked according to a documented lifecycle policy. Access is limited to authorised platform services with a verified operational requirement.
All keys are stored in Azure Key Vault and injected into Kubernetes pods via External Secrets — never embedded in code or config files. Key rotation is automated. Access is governed by Azure RBAC with just-in-time elevation for break-glass scenarios, and every key usage event is logged.
Production system access governed by least privilege
Active
Access to production compute, application servers, and platform components is granted only to personnel with an approved operational need, and is reviewed on a scheduled basis.
Access is provisioned through a formal request workflow. All access is scoped to the minimum required for the role. Temporary elevated access requires approval and is auto-revoked after a defined window. Quarterly access reviews are conducted by system owners.
Production database access controlled
Active
Direct access to production databases is restricted to authorised engineers. Authentication uses Azure AD-managed identities rather than static credentials, eliminating credential-based risks.
Static database passwords are not permitted. Application services connect via managed identity tokens issued by Azure AD. Human access requires a formal time-bounded request that is fully logged. Database access logs are retained for the audit trail.
Operating system layer access restricted
Active
Privileged access to production OS layers is limited to authorised personnel. All access is authenticated, session-recorded, and subject to periodic review.
Production nodes run on Azure Kubernetes Service. Direct node access is disabled for routine operations. Emergency access uses short-lived credentials from a PAM workflow with full session recording. Nodes are hardened against CIS benchmarks and automatically patched.
Production network access controlled
Active
Production network access is limited to authorised personnel and services. Network boundaries are defined and enforced through explicit allow-lists and segment policies.
Azure VNets enforce strict inbound/outbound rules. Production subnets are unreachable from the public internet without passing through the WAF and firewall rule sets. Changes that alter network boundaries require security team sign-off before deployment.
Firewall rules governed and periodically reviewed
Active
Firewall configuration is restricted to authorised security personnel. Rules are documented, version-controlled, and audited to remove unnecessary access on a regular schedule.
All firewall changes go through peer-reviewed pull requests before deployment. Unused rules are flagged and removed during quarterly reviews. Azure NSG flow logs are exported to the SIEM for continuous threat analysis.
Network segmentation enforced across workloads
Active
The production network is divided into distinct zones. Customer workloads and data are isolated from internal tooling, development environments, and third-party systems.
Kubernetes network policies restrict pod-to-pod communication to explicitly declared paths. Azure VNet peering and private endpoints ensure storage and database traffic never traverses the public internet. Namespace-level isolation is enforced at the compute layer.
Remote access requires MFA and encrypted channel
Active
Access to production infrastructure from outside the internal network requires multi-factor authentication and an approved encrypted connection. Unencrypted or single-factor remote access is blocked.
VPN and bastion access require phishing-resistant MFA (FIDO2 or TOTP). Conditional Access in Azure AD enforces MFA for all production-scoped accounts regardless of network location. SSH with certificate-based authentication is the only approved server access protocol. Legacy protocols (RDP over internet, Telnet, FTP) are blocked by firewall policy.
Unique identities required on all production systems
Active
Shared or generic accounts are not permitted on production systems. Every human user and service principal has a unique, individually scoped identity.
Automated account audits detect and flag shared accounts. Service accounts use Azure Managed Identities or Workload Identity. Human accounts are linked to a named individual in Azure AD. Accounts inactive for 90 days are automatically disabled pending access review.
Edge and DDoS protection active
Active
All inbound platform traffic is routed through edge protection that detects and mitigates volumetric and application-layer attacks before they reach production systems.
Cloudflare provides L3/L4 DDoS mitigation, WAF rule enforcement, and rate limiting at the edge. Azure DDoS Protection Standard is enabled at the VNet level. Traffic anomalies trigger automated alerting and response playbooks that are reviewed post-incident.
Security event monitoring and alerting in place
Active
Security-relevant events from all production systems are collected and correlated in a centralised monitoring platform. Defined alert thresholds trigger on-call escalation within SLA.
Logs from AKS, Azure Firewall, Key Vault, and application services stream to a centralised SIEM. Alert rules cover authentication anomalies, privilege escalation, unusual data egress, and failed access patterns. On-call runbooks define response procedures for each alert class. All alerts are reviewed post-resolution and tuned to reduce false positives.
Access Management & Identity
Authentication, authorisation, and identity lifecycle controls.
Role-based access model applied platform-wide
Active
Access to EmpowerGPT features and data is governed by defined role templates. Permissions are not individually negotiated — they follow a documented matrix that enforces least privilege at every tier.
Three application roles (Organisation Administrator, Workspace Administrator, Regular User) and three content roles (Viewer, Contributor, Controller) cover the majority of use cases. Custom roles can be created within a pre-approved permission matrix. All role assignments are logged and auditable.
Enterprise identity federation supported
Active
Organisations can federate EmpowerGPT authentication with their existing identity provider using OIDC or SAML 2.0, enabling centralised access governance and consistent policy enforcement.
EmpowerGPT supports federation with Azure AD, Okta, Google Workspace, and any compatible IdP. When federated, authentication — including MFA — is delegated entirely to the customer's IdP. Session tokens issued by Keycloak are short-lived and validated on every request.
Multi-factor authentication enforced for all accounts
Active
All user accounts require MFA at login and for sensitive operations. MFA cannot be disabled by end users and is enforced regardless of network location.
For enterprise users with an IdP, MFA is enforced by the customer's identity provider. For local authentication accounts, TOTP-based MFA via Keycloak is mandatory. Organisation Administrators can require phishing-resistant MFA policies for their tenants.
Access provisioning and de-provisioning managed through formal process
Active
User access is provisioned via a controlled workflow and revoked promptly on role change or departure. Orphaned accounts are detected automatically and flagged for review.
SCIM provisioning supports automated user lifecycle management from the customer's IdP. Platform accounts inactive for 90 days are flagged. Organisation Administrators can immediately revoke access and terminate active sessions. EmpowerGPT access revocation is a required step in the internal offboarding checklist.
Privileged access uses time-limited elevation
Active
Administrative access to sensitive platform components is not permanently assigned. Engineers request time-bounded elevation that requires approval, is logged, and expires automatically.
Azure AD Privileged Identity Management (PIM) governs elevated access to production resources. Permanent owner or contributor roles are not permitted on production subscriptions. All elevated access requires a justification, a second-engineer approval, and expires within 8 hours maximum.
Access rights reviewed on a defined schedule
Active
All access assignments — human and service — are reviewed by system owners periodically. Unnecessary or stale access is revoked as part of the review, not deferred.
Quarterly access reviews cover all production systems. Reviewers receive structured access reports and must certify each assignment as still required or flag it for removal. Review outcomes are documented and retained for SOC 2 evidence. Accounts unused for 60+ days are prioritised for review.
Password policy enforced on all credential-based accounts
Active
Accounts using password authentication are subject to a policy enforcing minimum complexity, prohibiting reuse, and requiring rotation after confirmed compromise.
Keycloak enforces a 12-character minimum, complexity requirements, and a 12-cycle reuse prohibition. Passwords are stored as salted bcrypt hashes — never in plaintext. Admin accounts are required to use an approved password manager. Progressive backoff blocks accounts after repeated failed attempts.
Data Protection & Privacy
Encryption, data handling, retention, residency, and GDPR obligations
Data encrypted at rest across all storage layers
Active
All customer data, conversation history, and embeddings stored by EmpowerGPT are encrypted at rest using AES-256, independent of access controls.
Azure Storage and PostgreSQL use AES-256 at rest with customer-managed keys in Azure Key Vault. Disk-level encryption is enabled on all compute nodes. Backups are encrypted with the same key hierarchy. Separation of duties ensures that accessing encrypted data requires both storage access rights and key vault access rights.
Data in transit protected with layered encryption
Active
All data moving between clients, internal services, and third parties is encrypted. EmpowerGPT applies transport-layer and application-layer encryption in combination.
TLS 1.3 is enforced on all public endpoints. Additionally, application-layer AES-256 encryption using ephemeral session keys is applied to request payloads — keys are derived locally and never transmitted, protecting content even in the event of TLS compromise. HSTS is enforced. TLS 1.2 and below are rejected.
Customer data isolated between tenants
Active
Data belonging to one customer organisation cannot be accessed by another. Tenant isolation is enforced at the application, database query, and storage layers.
Every API request carries a tenant-scoped JWT validated by Keycloak. Database queries include mandatory tenant_id predicates enforced at the ORM layer — bypassing them triggers a security exception. Storage containers are partitioned by tenant. Cross-tenant isolation is included as an explicit objective in annual penetration tests.
Data minimisation applied throughout the platform
Active
EmpowerGPT collects only data necessary to deliver the service. AI conversation content is not used for analytics or retained beyond operational need.
User profile data is limited to name, email, and organisation. No ad targeting or behavioural profiling is performed. PostHog analytics captures only product usage events — never prompt content. Data subjects can request export or deletion through the platform's privacy portal at any time.
Data residency enforced in the EU by default
Active
All customer data is processed and stored within the European Union by default. Cross-border processing only occurs when explicitly configured by the customer.
Primary hosting is Azure Germany West Central. Azure OpenAI inference uses the same region. Google Cloud AI is configured to EU-only endpoints. Selecting a globally-deployed model (the only path to non-EU inference) is clearly labelled and logged in the audit trail.
AI providers contractually prohibited from training on customer data
Active
EmpowerGPT's AI model providers are contractually barred from using customer prompts, completions, or embeddings to train or improve any AI models.
Microsoft's Azure OpenAI Service agreement explicitly prohibits training on customer data and sharing with OpenAI. The same restriction applies to Google Cloud AI. EmpowerGPT itself does not use customer conversation data for model fine-tuning without explicit written consent from the customer organisation.
Automated backup and tested recovery procedures maintained
Active
Customer data is backed up daily on an automated schedule. Backups are encrypted, geo-redundant, and tested for recoverability. Retention aligns with contractual and regulatory requirements.
Automated daily backups with point-in-time recovery cover the previous 30 days. Backups are stored in a geographically separate Azure region. Recovery procedures are documented and tested annually. RTO and RPO targets are defined in the disaster recovery plan and available to enterprise customers on request.
Data subject rights fulfilment process documented
Active
Documented procedures ensure GDPR data subject rights — access, rectification, erasure, portability — are fulfilled within mandated timeframes.
Requests are accepted via the platform privacy portal or DPO email, acknowledged within 72 hours, and fulfilled within 30 days (GDPR Article 12). Organisation Administrators can export or delete all user data directly from the admin panel. Deletion cascades to all storage layers including backups after the retention window expires.
People & Organisational Security
Personnel screening, security training, endpoint controls, and acceptable use.
Background screening conducted for roles with production access
Active
Personnel who will access production systems or handle customer data undergo background verification appropriate to the sensitivity of their role before access is provisioned.
Checks are conducted through a certified screening provider covering identity verification, right to work, and employment history. Enhanced checks apply to elevated-access roles. Results are reviewed by HR and the CISO before onboarding is completed. Re-screening is triggered by significant role changes.
Security awareness training delivered and tracked
Active
All employees and contractors complete structured security awareness training at onboarding and annually thereafter, with role-specific modules for engineering and administrative staff.
Training is delivered through a managed platform with completion tracking. Modules include phishing recognition, data handling, incident reporting, and acceptable use. Role-specific content covers secure coding and secrets management for engineers. Quarterly phishing simulations supplement formal training. Completion rates are reported to management and the board.
Confidentiality obligations acknowledged by all personnel
Active
All employees and contractors sign binding confidentiality obligations before accessing any EmpowerGPT systems, data, or proprietary information.
Employees sign a confidentiality clause as part of their employment contract. Contractors and vendors sign a standalone NDA before receiving system access. Obligations survive termination of the working relationship. Acknowledgement records are retained in the HR system and are auditable.
Endpoints enrolled in MDM with security baseline enforced
Active
All devices used to access production systems or process customer data are enrolled in a Mobile Device Management platform that enforces encryption, screen lock, patch level, and remote wipe capability.
Corporate laptops and mobile devices must be enrolled in Microsoft Intune before authenticating to production systems. MDM policy enforces: full-disk encryption, minimum OS patch currency, 5-minute screen lock, and EDR agent installation. Unmanaged devices are blocked by Azure AD Conditional Access.
Removable media restricted and encrypted where permitted
Active
Portable storage media used in connection with EmpowerGPT systems or customer data must be encrypted. Unencrypted removable media is prohibited for handling sensitive information.
Policy prohibits storing customer data on unencrypted removable media. MDM enforces encryption on any permitted USB storage device. Personnel training covers acceptable media use at onboarding. Policy violations trigger an automatic alert to the security team.
Annual performance reviews completed for all staff
Active
All employees undergo formal annual performance reviews. Security responsibilities and compliance behaviours are included as review dimensions for roles with production access.
Annual reviews use a structured framework administered by line managers. Security-relevant behaviours — training completion, incident reporting, access hygiene — are included in role profiles for technical and operational staff. Review outcomes inform access recertification decisions where relevant.
Acceptable use policy applied and acknowledged annually
Active
All personnel are bound by an acceptable use policy covering system use, data handling, and credential management. Compliance is acknowledged at onboarding and on each annual update.
The AUP covers: restrictions on unapproved software installation, prohibited content, credential sharing, and customer data handling. Acknowledgement is tracked in the HR system. Violations are subject to disciplinary procedures up to and including termination.
Change & Configuration Management
Secure development, deployment pipelines, dependency management, and configuration governance.
Infrastructure defined as code with mandatory peer review
Active
All production infrastructure is defined in version-controlled code. Changes require peer review and automated security validation before deployment, preventing unauthorised or misconfigured changes.
Terraform and Helm charts define all Azure and Kubernetes infrastructure. Changes go through pull requests requiring approval from at least one senior engineer and must pass automated security linting (tfsec, checkov) before merge. Direct infrastructure modification outside the IaC pipeline is blocked and monitored.
Security scanning integrated into every deployment pipeline
Active
Every code change is automatically scanned for vulnerabilities before it can be deployed. Critical findings block releases until remediated.
The CI/CD pipeline includes: SAST via Semgrep, dependency scanning via Dependabot and OWASP Dependency-Check, container image scanning via Trivy, and infrastructure security scanning. Critical and high findings block deployment. Scan results are tracked in the vulnerability management backlog with assigned owners.
Formal change management process applied to all production releases
Active
Production changes follow a defined process that includes risk assessment, approval, test plan, and rollback planning. Emergency changes have an expedited but equivalent oversight path.
Standard changes require a ticket, test plan, authorised change approver sign-off, and a documented rollback procedure. Emergency changes are approved by on-call engineering leads and reviewed post-deployment. Change records are retained for audit purposes. Failed deployments auto-create an incident ticket.
Software dependencies monitored and patched within defined SLAs
Active
Open-source and third-party dependencies are continuously monitored for published vulnerabilities. Patching SLAs are defined by severity and tracked against a vulnerability register.
Dependabot scans all repositories daily and raises pull requests for vulnerable dependencies. SLAs: Critical — 72 hours; High — 7 days; Medium — 30 days. Patch status is reviewed weekly by the security team. Exceptions require CISO approval with a documented compensating control.
System security baselines applied and drift monitored
Active
All production systems are configured according to documented security baselines. Deviation from baseline is detected automatically and triggers a remediation workflow.
Baselines for AKS nodes, Azure VM images, and container base images are aligned to CIS benchmarks. Azure Policy enforces compliant configurations and alerts on drift. Compliance is reported monthly to the security team. Non-compliant resources are remediated within the defined SLA or escalated.
Secrets managed outside source code and container images
Active
Credentials, API keys, certificates, and other secrets are never stored in source code or built into container images. All secrets are injected at runtime from a managed secrets store.
Pre-commit hooks and CI scanning reject commits matching credential patterns or private key formats. Application secrets are stored in Azure Key Vault and retrieved at pod startup via External Secrets Operator. Kubernetes Secrets are encrypted at rest using a Key Vault-managed key. Secret rotation is automated where technically feasible.
Material platform changes communicated to customers in advance
Active
Customers are notified ahead of planned changes that may affect platform availability, data processing behaviour, or security posture, with timelines defined in service agreements.
Planned maintenance windows are published on the EmpowerGPT status page with a minimum of 48 hours notice. Changes to subprocessors, data flows, or material security controls are communicated via in-app notification and email to the designated customer security contact. Emergency maintenance is communicated as soon as practicable.
Risk, Vulnerability & Incident Management
Risk assessment, penetration testing, incident response, and breach notification
Information security risk assessment conducted regularly
Active
A structured risk assessment is performed at least annually and when material changes to the platform or threat landscape occur. All identified risks have assigned owners and treatment plans.
The risk methodology is aligned to ISO 27001 Annex A and follows an asset-based approach. Risk owners are assigned for each identified risk. Treatment plans (accept, mitigate, transfer, avoid) are documented and reviewed quarterly. The risk register is summarised in the annual board security briefing.
Independent penetration testing conducted annually
Active
The EmpowerGPT platform undergoes external penetration testing at least annually by accredited third-party specialists. Critical findings are remediated on an expedited timeline.
Annual black-box and grey-box tests cover application security, API security, authentication bypass, privilege escalation, and cross-tenant isolation. Critical findings are remediated within 72 hours; high findings within 30 days. Test reports are available to enterprise customers under NDA. Findings and remediation status are reported to the board.
Responsible vulnerability disclosure programme maintained
Active
A responsible disclosure programme allows security researchers to safely report vulnerabilities. Reports are triaged, tracked, and resolved within severity-based timelines.
EmpowerGPT maintains a security disclosure email. Incoming reports are acknowledged within 5 business days. Severity-based remediation timelines apply. Researchers who report qualifying issues in good faith are publicly acknowledged unless they prefer otherwise.
Incident response plan documented and exercised
Active
A documented incident response plan defines roles, escalation paths, communication procedures, and recovery steps for security incidents. The plan is tested at least annually.
The plan follows the NIST framework phases. Roles include Incident Commander, Security Lead, Communications Lead, and Legal. Annual tabletop exercises involve engineering, security, and leadership. Lessons learned from exercises and real incidents are incorporated into plan updates.
Security alerts monitored with on-call escalation SLA
Active
Security events are evaluated against threat detection rules in a SIEM. Alerts are tiered by severity and trigger on-call escalation within defined response time targets.
Detection rules cover: authentication anomalies, unusual API call volumes, data egress spikes, privilege escalation, and lateral movement. Alert severity tiers (P1–P4) map to defined response targets. On-call rota ensures a qualified security responder is reachable around the clock. Alert tuning is reviewed after each incident.
Internal control effectiveness assessed before each audit cycle
Active
EmpowerGPT performs internal control self-assessments at least annually to verify that documented controls are operating as designed and to identify gaps before formal external audits.
Assessments are structured against the SOC 2 Trust Service Criteria and ISO 27001 Annex A. Control owners conduct walkthroughs and provide evidence samples. Gaps are logged as remediation items with owners and target dates. Self-assessment results inform the annual external audit scope.
Data breach notification procedures documented and tested
Active
Documented procedures define how EmpowerGPT assesses, contains, and notifies affected parties in the event of a confirmed or suspected personal data breach, within GDPR Article 33 timelines.
The breach response procedure covers: initial triage to determine scope; a 72-hour decision checkpoint on supervisory authority notification; customer notification procedures; and escalation to the DPO and legal counsel. Breach records are maintained per GDPR Article 30. All production-access personnel are trained on breach identification and internal reporting obligations.
Vendor & Supply Chain Management
Risk assessment, penetration testing, incident response, and breach notification
Vendor security assessment required before onboarding
Active
All vendors and subprocessors that will process customer data or access production systems undergo a security and compliance assessment before being approved for use.
The assessment evaluates: security certifications (SOC 2, ISO 27001, or equivalent), data residency locations, sub-processor disclosure, breach notification commitments, and right-to-audit clauses. Results are reviewed by the security team. High-risk vendors require CISO approval before onboarding.
Data processing agreements in place with all subprocessors
Active
A current DPA is in place with every subprocessor that handles personal data. Agreements reflect GDPR Article 28 requirements including purpose limitation, security obligations, and audit rights.
DPAs cover: purpose limitation, data minimisation, security obligations, deletion timelines, audit rights, and breach notification requirements. Where subprocessors are outside the EEA, Standard Contractual Clauses or equivalent mechanisms are in place. The subprocessor list is reviewed annually and published on the EmpowerGPT trust page.
Subprocessor changes communicated to customers in advance
Active
Customers receive advance notice of any material changes to the subprocessor list, including additions or replacements of subprocessors processing personal data.
Enterprise customers receive email notification of subprocessor changes with a minimum of 30 days notice. The notice includes the nature of the subprocessor, data categories processed, and processing location. An objection process is available to customers with specific contractual rights under GDPR Article 28(2).
Third-party access time-limited and governed
Active
Vendors requiring access to EmpowerGPT systems for support or integration are granted minimum necessary access, time-bounded, and subject to the same controls as internal employees.
Vendor access uses a separate account type with explicitly scoped permissions. Permanent vendor access is not permitted. All sessions are logged. Access is terminated immediately upon completion of engagement. Active-engagement vendors undergo quarterly access reviews.
AI model provider data commitments verified contractually and technically
Active
Contractual and technical controls with AI model providers are verified to confirm customer data cannot be used for model training and that data residency commitments are fulfilled.
Microsoft's Azure OpenAI agreement confirms: no training on customer data, no sharing with OpenAI, regional processing within the selected Azure region, and customer ownership of fine-tuned models. These commitments are reviewed annually and on any material change to the provider's terms. Equivalent reviews apply to Google Cloud AI.
Governance, Compliance & Business Continuity
Policy framework, board oversight, certifications, and continuity planning
Information security policy framework maintained and reviewed
Active
A structured set of policies governs all aspects of EmpowerGPT's security programme. Policies are reviewed annually and on material change, and approved by senior management.
The framework includes: Information Security Policy, Acceptable Use Policy, Data Classification Policy, Incident Response Policy, Access Control Policy, Vulnerability Management Policy, and Change Management Policy. Policies are versioned and published to all personnel. Review is triggered by significant organisational or regulatory changes and on a fixed annual cycle.
Board oversight of cybersecurity and privacy risk
Active
The board of directors or equivalent oversight body receives a structured briefing on cybersecurity and privacy risk posture at least annually and provides governance direction to management.
The annual briefing covers: risk register status, control effectiveness, significant incidents, audit findings, and upcoming regulatory or threat landscape developments. The board includes or engages members with sufficient technical expertise to evaluate the briefing. Security-related board minutes are retained.
Board charter and oversight responsibilities documented
Active
The oversight body operates under a documented charter defining its responsibilities for information security and privacy governance, including decision authority and escalation thresholds.
The charter specifies: quorum requirements, meeting frequency, decision-making authority, escalation thresholds for security incidents, and the process for engaging external security expertise. The charter is reviewed annually. A copy is available to enterprise customers on request.
Organisational chart and security responsibilities documented
Active
EmpowerGPT maintains a current organisational chart reflecting security-relevant roles, responsibilities, and reporting lines. Security role assignments are formally documented.
The organisational chart is maintained in the HR system and reviewed quarterly. Security roles — CISO, DPO, System Owners, Data Custodians — are formally assigned with documented responsibilities. RACI matrices exist for key security processes. The CISO reports directly to the CEO with a dotted line to the board.
Cybersecurity insurance coverage maintained
Active
EmpowerGPT holds cybersecurity insurance coverage addressing financial exposure from data breaches, business interruption, and third-party liability.
Coverage is reviewed annually to ensure limits remain proportionate to the business risk profile and contractual obligations. Insurance certificates are available to enterprise customers on request. The underwriting renewal process itself provides independent validation of key security controls.
Business continuity and disaster recovery plans tested
Active
Documented BCM and DR plans define how EmpowerGPT will maintain and restore service in the event of a significant disruption. Plans are tested at least annually with formal outcomes documented.
The DR plan defines RTO and RPO targets by service tier. Recovery procedures cover primary Azure region failure, database corruption, and key personnel unavailability. Annual DR tests include failover simulation and backup restoration validation. Test results are reviewed by management and included in the annual security summary available to enterprise customers.
Whistleblower and ethical reporting channel in place
Active
All personnel and contractors can report security concerns, policy violations, or ethical issues through an anonymous, protected channel without fear of retaliation.
The channel is managed by a third-party provider to ensure anonymity. Reports are reviewed by the DPO and CISO. Retaliation against reporters is explicitly prohibited in employment and contractor agreements and treated as a disciplinary matter. The channel is communicated at onboarding and in annual security training.
SOC 2 Type II audit programme sustained annually
Active
EmpowerGPT undergoes an independent SOC 2 Type II audit each year covering Security, Availability, and Confidentiality Trust Service Criteria. The latest report is available to enterprise customers.
The audit is conducted by an accredited CPA firm over a 12-month period of continuous control operation. The System Description is maintained and reviewed at the start of each audit cycle. The Type II report — demonstrating operating effectiveness over time — is available to enterprise customers under NDA upon request.
Platform & Network Security
Infrastructure hardening, network architecture, and perimeter controls.
Encryption key lifecycle managed
Active
Encryption keys are issued, rotated, and revoked according to a documented lifecycle policy. Access is limited to authorised platform services with a verified operational requirement.
All keys are stored in Azure Key Vault and injected into Kubernetes pods via External Secrets — never embedded in code or config files. Key rotation is automated. Access is governed by Azure RBAC with just-in-time elevation for break-glass scenarios, and every key usage event is logged.
Production system access governed by least privilege
Active
Access to production compute, application servers, and platform components is granted only to personnel with an approved operational need, and is reviewed on a scheduled basis.
Access is provisioned through a formal request workflow. All access is scoped to the minimum required for the role. Temporary elevated access requires approval and is auto-revoked after a defined window. Quarterly access reviews are conducted by system owners.
Production database access controlled
Active
Direct access to production databases is restricted to authorised engineers. Authentication uses Azure AD-managed identities rather than static credentials, eliminating credential-based risks.
Static database passwords are not permitted. Application services connect via managed identity tokens issued by Azure AD. Human access requires a formal time-bounded request that is fully logged. Database access logs are retained for the audit trail.
Operating system layer access restricted
Active
Privileged access to production OS layers is limited to authorised personnel. All access is authenticated, session-recorded, and subject to periodic review.
Production nodes run on Azure Kubernetes Service. Direct node access is disabled for routine operations. Emergency access uses short-lived credentials from a PAM workflow with full session recording. Nodes are hardened against CIS benchmarks and automatically patched.
Production network access controlled
Active
Production network access is limited to authorised personnel and services. Network boundaries are defined and enforced through explicit allow-lists and segment policies.
Azure VNets enforce strict inbound/outbound rules. Production subnets are unreachable from the public internet without passing through the WAF and firewall rule sets. Changes that alter network boundaries require security team sign-off before deployment.
Firewall rules governed and periodically reviewed
Active
Firewall configuration is restricted to authorised security personnel. Rules are documented, version-controlled, and audited to remove unnecessary access on a regular schedule.
All firewall changes go through peer-reviewed pull requests before deployment. Unused rules are flagged and removed during quarterly reviews. Azure NSG flow logs are exported to the SIEM for continuous threat analysis.
Network segmentation enforced across workloads
Active
The production network is divided into distinct zones. Customer workloads and data are isolated from internal tooling, development environments, and third-party systems.
Kubernetes network policies restrict pod-to-pod communication to explicitly declared paths. Azure VNet peering and private endpoints ensure storage and database traffic never traverses the public internet. Namespace-level isolation is enforced at the compute layer.
Remote access requires MFA and encrypted channel
Active
Access to production infrastructure from outside the internal network requires multi-factor authentication and an approved encrypted connection. Unencrypted or single-factor remote access is blocked.
VPN and bastion access require phishing-resistant MFA (FIDO2 or TOTP). Conditional Access in Azure AD enforces MFA for all production-scoped accounts regardless of network location. SSH with certificate-based authentication is the only approved server access protocol. Legacy protocols (RDP over internet, Telnet, FTP) are blocked by firewall policy.
Unique identities required on all production systems
Active
Shared or generic accounts are not permitted on production systems. Every human user and service principal has a unique, individually scoped identity.
Automated account audits detect and flag shared accounts. Service accounts use Azure Managed Identities or Workload Identity. Human accounts are linked to a named individual in Azure AD. Accounts inactive for 90 days are automatically disabled pending access review.
Edge and DDoS protection active
Active
All inbound platform traffic is routed through edge protection that detects and mitigates volumetric and application-layer attacks before they reach production systems.
Cloudflare provides L3/L4 DDoS mitigation, WAF rule enforcement, and rate limiting at the edge. Azure DDoS Protection Standard is enabled at the VNet level. Traffic anomalies trigger automated alerting and response playbooks that are reviewed post-incident.
Security event monitoring and alerting in place
Active
Security-relevant events from all production systems are collected and correlated in a centralised monitoring platform. Defined alert thresholds trigger on-call escalation within SLA.
Logs from AKS, Azure Firewall, Key Vault, and application services stream to a centralised SIEM. Alert rules cover authentication anomalies, privilege escalation, unusual data egress, and failed access patterns. On-call runbooks define response procedures for each alert class. All alerts are reviewed post-resolution and tuned to reduce false positives.
Access Management & Identity
Authentication, authorisation, and identity lifecycle controls.
Role-based access model applied platform-wide
Active
Access to EmpowerGPT features and data is governed by defined role templates. Permissions are not individually negotiated — they follow a documented matrix that enforces least privilege at every tier.
Three application roles (Organisation Administrator, Workspace Administrator, Regular User) and three content roles (Viewer, Contributor, Controller) cover the majority of use cases. Custom roles can be created within a pre-approved permission matrix. All role assignments are logged and auditable.
Enterprise identity federation supported
Active
Organisations can federate EmpowerGPT authentication with their existing identity provider using OIDC or SAML 2.0, enabling centralised access governance and consistent policy enforcement.
EmpowerGPT supports federation with Azure AD, Okta, Google Workspace, and any compatible IdP. When federated, authentication — including MFA — is delegated entirely to the customer's IdP. Session tokens issued by Keycloak are short-lived and validated on every request.
Multi-factor authentication enforced for all accounts
Active
All user accounts require MFA at login and for sensitive operations. MFA cannot be disabled by end users and is enforced regardless of network location.
For enterprise users with an IdP, MFA is enforced by the customer's identity provider. For local authentication accounts, TOTP-based MFA via Keycloak is mandatory. Organisation Administrators can require phishing-resistant MFA policies for their tenants.
Access provisioning and de-provisioning managed through formal process
Active
User access is provisioned via a controlled workflow and revoked promptly on role change or departure. Orphaned accounts are detected automatically and flagged for review.
SCIM provisioning supports automated user lifecycle management from the customer's IdP. Platform accounts inactive for 90 days are flagged. Organisation Administrators can immediately revoke access and terminate active sessions. EmpowerGPT access revocation is a required step in the internal offboarding checklist.
Privileged access uses time-limited elevation
Active
Administrative access to sensitive platform components is not permanently assigned. Engineers request time-bounded elevation that requires approval, is logged, and expires automatically.
Azure AD Privileged Identity Management (PIM) governs elevated access to production resources. Permanent owner or contributor roles are not permitted on production subscriptions. All elevated access requires a justification, a second-engineer approval, and expires within 8 hours maximum.
Access rights reviewed on a defined schedule
Active
All access assignments — human and service — are reviewed by system owners periodically. Unnecessary or stale access is revoked as part of the review, not deferred.
Quarterly access reviews cover all production systems. Reviewers receive structured access reports and must certify each assignment as still required or flag it for removal. Review outcomes are documented and retained for SOC 2 evidence. Accounts unused for 60+ days are prioritised for review.
Password policy enforced on all credential-based accounts
Active
Accounts using password authentication are subject to a policy enforcing minimum complexity, prohibiting reuse, and requiring rotation after confirmed compromise.
Keycloak enforces a 12-character minimum, complexity requirements, and a 12-cycle reuse prohibition. Passwords are stored as salted bcrypt hashes — never in plaintext. Admin accounts are required to use an approved password manager. Progressive backoff blocks accounts after repeated failed attempts.
Data Protection & Privacy
Encryption, data handling, retention, residency, and GDPR obligations
Data encrypted at rest across all storage layers
Active
All customer data, conversation history, and embeddings stored by EmpowerGPT are encrypted at rest using AES-256, independent of access controls.
Azure Storage and PostgreSQL use AES-256 at rest with customer-managed keys in Azure Key Vault. Disk-level encryption is enabled on all compute nodes. Backups are encrypted with the same key hierarchy. Separation of duties ensures that accessing encrypted data requires both storage access rights and key vault access rights.
Data in transit protected with layered encryption
Active
All data moving between clients, internal services, and third parties is encrypted. EmpowerGPT applies transport-layer and application-layer encryption in combination.
TLS 1.3 is enforced on all public endpoints. Additionally, application-layer AES-256 encryption using ephemeral session keys is applied to request payloads — keys are derived locally and never transmitted, protecting content even in the event of TLS compromise. HSTS is enforced. TLS 1.2 and below are rejected.
Customer data isolated between tenants
Active
Data belonging to one customer organisation cannot be accessed by another. Tenant isolation is enforced at the application, database query, and storage layers.
Every API request carries a tenant-scoped JWT validated by Keycloak. Database queries include mandatory tenant_id predicates enforced at the ORM layer — bypassing them triggers a security exception. Storage containers are partitioned by tenant. Cross-tenant isolation is included as an explicit objective in annual penetration tests.
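A minimal sketch of the ORM-layer tenant predicate described above, added here as an illustration and not EmpowerGPT's code. The class names, the `documents` and `plans` tables, and the dict standing in for already verified Keycloak JWT claims are all assumptions.

```python
import re
import sqlite3


class TenantIsolationError(Exception):
    """Raised when data access is attempted without, or outside, tenant scope."""


# Assumption: names of tables holding customer data (hypothetical schema).
TENANT_TABLES = frozenset({"documents"})


def _ident(name):
    """Allow only plain SQL identifiers, since they are interpolated into SQL."""
    if not re.fullmatch(r"[A-Za-z_][A-Za-z0-9_]*", name):
        raise ValueError(f"illegal identifier: {name!r}")
    return name


class TenantScopedDB:
    """Data-access layer bound to one tenant for its whole lifetime."""

    def __init__(self, conn, claims):
        # `claims` is the payload of a JWT whose signature was already verified.
        tenant = claims.get("tenant_id")
        if not isinstance(tenant, str) or not tenant:
            raise TenantIsolationError("token has no tenant_id claim")
        self._conn, self._tenant = conn, tenant

    def _table(self, table):
        if table not in TENANT_TABLES:
            raise TenantIsolationError(f"{table!r} is not a registered tenant table")
        return table

    def _scoped(self, values):
        """Force tenant_id into the filter or row; reject any other tenant's id."""
        values = dict(values or {})
        if values.get("tenant_id", self._tenant) != self._tenant:
            raise TenantIsolationError("cross-tenant value rejected")
        values["tenant_id"] = self._tenant
        return values

    def select(self, table, columns, filters=None):
        scoped = self._scoped(filters)
        cols = ", ".join(_ident(c) for c in columns)
        where = " AND ".join(f"{_ident(k)} = ?" for k in scoped)
        sql = f"SELECT {cols} FROM {self._table(table)} WHERE {where} ORDER BY rowid"
        return self._conn.execute(sql, tuple(scoped.values())).fetchall()

    def insert(self, table, row):
        scoped = self._scoped(row)
        cols = ", ".join(_ident(k) for k in scoped)
        marks = ", ".join("?" for _ in scoped)
        sql = f"INSERT INTO {self._table(table)} ({cols}) VALUES ({marks})"
        self._conn.execute(sql, tuple(scoped.values()))

    def raw(self, sql, params=()):
        """Escape hatch for shared tables only. The word match is a fail-closed
        heuristic: any mention of a tenant table is treated as a bypass."""
        hit = set(re.findall(r"[a-z_][a-z0-9_]*", sql.lower())) & TENANT_TABLES
        if hit:
            raise TenantIsolationError(f"unscoped access to {sorted(hit)}")
        return self._conn.execute(sql, params).fetchall()


def demo():
    """Constructed data: two tenants sharing one table, plus one shared table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE documents (id INTEGER PRIMARY KEY, tenant_id TEXT NOT NULL, title TEXT)"
    )
    conn.execute("CREATE TABLE plans (name TEXT)")
    conn.execute("INSERT INTO plans VALUES ('enterprise')")

    a = TenantScopedDB(conn, {"sub": "alice", "tenant_id": "tenant-a"})
    b = TenantScopedDB(conn, {"sub": "bob", "tenant_id": "tenant-b"})
    a.insert("documents", {"title": "A roadmap"})
    b.insert("documents", {"title": "B payroll"})

    results = {
        "a_sees": a.select("documents", ["title"]),
        "b_sees": b.select("documents", ["title"]),
        "plans": a.raw("SELECT name FROM plans"),
    }
    attempts = (
        ("filter", lambda: a.select("documents", ["title"], {"tenant_id": "tenant-b"})),
        ("insert", lambda: a.insert("documents", {"tenant_id": "tenant-b", "title": "x"})),
        ("raw", lambda: a.raw("SELECT title FROM documents")),
        ("no-claim", lambda: TenantScopedDB(conn, {"sub": "mallory"})),
    )
    blocked = []
    for label, attempt in attempts:
        try:
            attempt()
        except TenantIsolationError:
            blocked.append(label)
    results["blocked"] = blocked
    return results


if __name__ == "__main__":
    print(demo())
```

Binding the tenant at construction time means callers never pass a tenant id per query, so a forgotten predicate cannot occur; the only remaining bypass is `raw()`, which refuses tenant tables outright.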
Data minimisation applied throughout the platform
Active
EmpowerGPT collects only data necessary to deliver the service. AI conversation content is not used for analytics or retained beyond operational need.
User profile data is limited to name, email, and organisation. No ad targeting or behavioural profiling is performed. PostHog analytics captures only product usage events — never prompt content. Data subjects can request export or deletion through the platform's privacy portal at any time.
Data residency enforced in the EU by default
Active
All customer data is processed and stored within the European Union by default. Cross-border processing only occurs when explicitly configured by the customer.
Primary hosting is Azure Germany West Central. Azure OpenAI inference uses the same region. Google Cloud AI is configured to EU-only endpoints. Selecting a globally-deployed model (the only path to non-EU inference) is clearly labelled and logged in the audit trail.
AI providers contractually prohibited from training on customer data
Active
EmpowerGPT's AI model providers are contractually barred from using customer prompts, completions, or embeddings to train or improve any AI models.
Microsoft's Azure OpenAI Service agreement explicitly prohibits training on customer data and sharing with OpenAI. The same restriction applies to Google Cloud AI. EmpowerGPT itself does not use customer conversation data for model fine-tuning without explicit written consent from the customer organisation.
Automated backup and tested recovery procedures maintained
Active
Customer data is backed up daily on an automated schedule. Backups are encrypted, geo-redundant, and tested for recoverability. Retention aligns with contractual and regulatory requirements.
Automated daily backups with point-in-time recovery cover the previous 30 days. Backups are stored in a geographically separate Azure region. Recovery procedures are documented and tested annually. RTO and RPO targets are defined in the disaster recovery plan and available to enterprise customers on request.
Data subject rights fulfilment process documented
Active
Documented procedures ensure GDPR data subject rights — access, rectification, erasure, portability — are fulfilled within mandated timeframes.
Requests are accepted via the platform privacy portal or DPO email, acknowledged within 72 hours, and fulfilled within 30 days (GDPR Article 12). Organisation Administrators can export or delete all user data directly from the admin panel. Deletion cascades to all storage layers including backups after the retention window expires.
People & Organisational Security
Personnel screening, security training, endpoint controls, and acceptable use.
Background screening conducted for roles with production access
Active
Personnel who will access production systems or handle customer data undergo background verification appropriate to the sensitivity of their role before access is provisioned.
Checks are conducted through a certified screening provider covering identity verification, right to work, and employment history. Enhanced checks apply to elevated-access roles. Results are reviewed by HR and the CISO before onboarding is completed. Re-screening is triggered by significant role changes.
Security awareness training delivered and tracked
Active
All employees and contractors complete structured security awareness training at onboarding and annually thereafter, with role-specific modules for engineering and administrative staff.
Training is delivered through a managed platform with completion tracking. Modules include phishing recognition, data handling, incident reporting, and acceptable use. Role-specific content covers secure coding and secrets management for engineers. Quarterly phishing simulations supplement formal training. Completion rates are reported to management and the board.
Confidentiality obligations acknowledged by all personnel
Active
All employees and contractors sign binding confidentiality obligations before accessing any EmpowerGPT systems, data, or proprietary information.
Employees sign a confidentiality clause as part of their employment contract. Contractors and vendors sign a standalone NDA before receiving system access. Obligations survive termination of the working relationship. Acknowledgement records are retained in the HR system and are auditable.
Endpoints enrolled in MDM with security baseline enforced
Active
All devices used to access production systems or process customer data are enrolled in a Mobile Device Management platform that enforces encryption, screen lock, patch level, and remote wipe capability.
Corporate laptops and mobile devices must be enrolled in Microsoft Intune before authenticating to production systems. MDM policy enforces: full-disk encryption, minimum OS patch currency, 5-minute screen lock, and EDR agent installation. Unmanaged devices are blocked by Azure AD Conditional Access.
Removable media restricted and encrypted where permitted
Active
Portable storage media used in connection with EmpowerGPT systems or customer data must be encrypted. Unencrypted removable media is prohibited for handling sensitive information.
Policy prohibits storing customer data on unencrypted removable media. MDM enforces encryption on any permitted USB storage device. Personnel training covers acceptable media use at onboarding. Policy violations trigger an automatic alert to the security team.
Annual performance reviews completed for all staff
Active
All employees undergo formal annual performance reviews. Security responsibilities and compliance behaviours are included as review dimensions for roles with production access.
Annual reviews use a structured framework administered by line managers. Security-relevant behaviours — training completion, incident reporting, access hygiene — are included in role profiles for technical and operational staff. Review outcomes inform access recertification decisions where relevant.
Acceptable use policy applied and acknowledged annually
Active
All personnel are bound by an acceptable use policy covering system use, data handling, and credential management. Compliance is acknowledged at onboarding and on each annual update.
The AUP covers: restrictions on unapproved software installation, prohibited content, credential sharing, and customer data handling. Acknowledgement is tracked in the HR system. Violations are subject to disciplinary procedures up to and including termination.
Change & Configuration Management
Secure development, deployment pipelines, dependency management, and configuration governance.
Infrastructure defined as code with mandatory peer review
Active
All production infrastructure is defined in version-controlled code. Changes require peer review and automated security validation before deployment, preventing unauthorised or misconfigured changes.
Terraform and Helm charts define all Azure and Kubernetes infrastructure. Changes go through pull requests requiring approval from at least one senior engineer and must pass automated security linting (tfsec, checkov) before merge. Direct infrastructure modification outside the IaC pipeline is blocked and monitored.
Security scanning integrated into every deployment pipeline
Active
Every code change is automatically scanned for vulnerabilities before it can be deployed. Critical findings block releases until remediated.
The CI/CD pipeline includes: SAST via Semgrep, dependency scanning via Dependabot and OWASP Dependency-Check, container image scanning via Trivy, and infrastructure security scanning. Critical and high findings block deployment. Scan results are tracked in the vulnerability management backlog with assigned owners.
Formal change management process applied to all production releases
Active
Production changes follow a defined process that includes risk assessment, approval, test plan, and rollback planning. Emergency changes have an expedited but equivalent oversight path.
Standard changes require a ticket, test plan, authorised change approver sign-off, and a documented rollback procedure. Emergency changes are approved by on-call engineering leads and reviewed post-deployment. Change records are retained for audit purposes. Failed deployments auto-create an incident ticket.
Software dependencies monitored and patched within defined SLAs
Active
Open-source and third-party dependencies are continuously monitored for published vulnerabilities. Patching SLAs are defined by severity and tracked against a vulnerability register.
Dependabot scans all repositories daily and raises pull requests for vulnerable dependencies. SLAs: Critical — 72 hours; High — 7 days; Medium — 30 days. Patch status is reviewed weekly by the security team. Exceptions require CISO approval with a documented compensating control.
System security baselines applied and drift monitored
Active
All production systems are configured according to documented security baselines. Deviation from baseline is detected automatically and triggers a remediation workflow.
Baselines for AKS nodes, Azure VM images, and container base images are aligned to CIS benchmarks. Azure Policy enforces compliant configurations and alerts on drift. Compliance is reported monthly to the security team. Non-compliant resources are remediated within the defined SLA or escalated.
Secrets managed outside source code and container images
Active
Credentials, API keys, certificates, and other secrets are never stored in source code or built into container images. All secrets are injected at runtime from a managed secrets store.
Pre-commit hooks and CI scanning reject commits matching credential patterns or private key formats. Application secrets are stored in Azure Key Vault and retrieved at pod startup via External Secrets Operator. Kubernetes Secrets are encrypted at rest using a Key Vault-managed key. Secret rotation is automated where technically feasible.
Material platform changes communicated to customers in advance
Active
Customers are notified ahead of planned changes that may affect platform availability, data processing behaviour, or security posture, with timelines defined in service agreements.
Planned maintenance windows are published on the EmpowerGPT status page with a minimum of 48 hours' notice. Changes to subprocessors, data flows, or material security controls are communicated via in-app notification and email to the designated customer security contact. Emergency maintenance is communicated as soon as practicable.
Risk, Vulnerability & Incident Management
Risk assessment, penetration testing, incident response, and breach notification
Information security risk assessment conducted regularly
Active
A structured risk assessment is performed at least annually and when material changes to the platform or threat landscape occur. All identified risks have assigned owners and treatment plans.
The risk methodology is aligned to ISO 27001 Annex A and follows an asset-based approach. Risk owners are assigned for each identified risk. Treatment plans (accept, mitigate, transfer, avoid) are documented and reviewed quarterly. The risk register is summarised in the annual board security briefing.
Independent penetration testing conducted annually
Active
The EmpowerGPT platform undergoes external penetration testing at least annually by accredited third-party specialists. Critical findings are remediated on an expedited timeline.
Annual black-box and grey-box tests cover application security, API security, authentication bypass, privilege escalation, and cross-tenant isolation. Critical findings are remediated within 72 hours; high findings within 30 days. Test reports are available to enterprise customers under NDA. Findings and remediation status are reported to the board.
Responsible vulnerability disclosure programme maintained
Active
A responsible disclosure programme allows security researchers to safely report vulnerabilities. Reports are triaged, tracked, and resolved within severity-based timelines.
EmpowerGPT maintains a security disclosure email. Incoming reports are acknowledged within 5 business days. Severity-based remediation timelines apply. Researchers who report qualifying issues in good faith are publicly acknowledged unless they prefer otherwise.
Incident response plan documented and exercised
Active
A documented incident response plan defines roles, escalation paths, communication procedures, and recovery steps for security incidents. The plan is tested at least annually.
The plan follows the NIST framework phases. Roles include Incident Commander, Security Lead, Communications Lead, and Legal. Annual tabletop exercises involve engineering, security, and leadership. Lessons learned from exercises and real incidents are incorporated into plan updates.
Security alerts monitored with on-call escalation SLA
Active
Security events are evaluated against threat detection rules in a SIEM. Alerts are tiered by severity and trigger on-call escalation within defined response time targets.
Detection rules cover: authentication anomalies, unusual API call volumes, data egress spikes, privilege escalation, and lateral movement. Alert severity tiers (P1–P4) map to defined response targets. The on-call rota ensures a qualified security responder is reachable around the clock. Alert tuning is reviewed after each incident.
Internal control effectiveness assessed before each audit cycle
Active
EmpowerGPT performs internal control self-assessments at least annually to verify that documented controls are operating as designed and to identify gaps before formal external audits.
Assessments are structured against the SOC 2 Trust Service Criteria and ISO 27001 Annex A. Control owners conduct walkthroughs and provide evidence samples. Gaps are logged as remediation items with owners and target dates. Self-assessment results inform the annual external audit scope.
Data breach notification procedures documented and tested
Active
Documented procedures define how EmpowerGPT assesses, contains, and notifies affected parties in the event of a confirmed or suspected personal data breach, within GDPR Article 33 timelines.
The breach response procedure covers: initial triage to determine scope; a 72-hour decision checkpoint on supervisory authority notification; customer notification procedures; and escalation to the DPO and legal counsel. Breach records are maintained per GDPR Article 30. All production-access personnel are trained on breach identification and internal reporting obligations.
Vendor & Supply Chain Management
Risk assessment, penetration testing, incident response, and breach notification
Vendor security assessment required before onboarding
Active
All vendors and subprocessors that will process customer data or access production systems undergo a security and compliance assessment before being approved for use.
The assessment evaluates: security certifications (SOC 2, ISO 27001, or equivalent), data residency locations, sub-processor disclosure, breach notification commitments, and right-to-audit clauses. Results are reviewed by the security team. High-risk vendors require CISO approval before onboarding.
Data processing agreements in place with all subprocessors
Active
A current DPA is in place with every subprocessor that handles personal data. Agreements reflect GDPR Article 28 requirements including purpose limitation, security obligations, and audit rights.
DPAs cover: purpose limitation, data minimisation, security obligations, deletion timelines, audit rights, and breach notification requirements. Where subprocessors are outside the EEA, Standard Contractual Clauses or equivalent mechanisms are in place. The subprocessor list is reviewed annually and published on the EmpowerGPT trust page.
Subprocessor changes communicated to customers in advance
Active
Customers receive advance notice of any material changes to the subprocessor list, including additions or replacements of subprocessors processing personal data.
Enterprise customers receive email notification of subprocessor changes with a minimum of 30 days' notice. The notice includes the nature of the subprocessor, data categories processed, and processing location. An objection process is available to customers with specific contractual rights under GDPR Article 28(2).
Third-party access time-limited and governed
Active
Vendors requiring access to EmpowerGPT systems for support or integration are granted minimum necessary access, time-bounded, and subject to the same controls as internal employees.
Vendor access uses a separate account type with explicitly scoped permissions. Permanent vendor access is not permitted. All sessions are logged. Access is terminated immediately upon completion of engagement. Active-engagement vendors undergo quarterly access reviews.
AI model provider data commitments verified contractually and technically
Active
Contractual and technical controls with AI model providers are verified to confirm customer data cannot be used for model training and that data residency commitments are fulfilled.
Microsoft's Azure OpenAI agreement confirms: no training on customer data, no sharing with OpenAI, regional processing within the selected Azure region, and customer ownership of fine-tuned models. These commitments are reviewed annually and on any material change to the provider's terms. Equivalent reviews apply to Google Cloud AI.
The DR plan defines RTO and RPO targets by service tier. Recovery procedures cover primary Azure region failure, database corruption, and key personnel unavailability. Annual DR tests include failover simulation and backup restoration validation. Test results are reviewed by management and included in the annual security summary available to enterprise customers.
Whistleblower and ethical reporting channel in place
Active
All personnel and contractors can report security concerns, policy violations, or ethical issues through an anonymous, protected channel without fear of retaliation.
The channel is managed by a third-party provider to ensure anonymity. Reports are reviewed by the DPO and CISO. Retaliation against reporters is explicitly prohibited in employment and contractor agreements and treated as a disciplinary matter. The channel is communicated at onboarding and in annual security training.
SOC 2 Type II audit programme sustained annually
Active
EmpowerGPT undergoes an independent SOC 2 Type II audit each year covering Security, Availability, and Confidentiality Trust Service Criteria. The latest report is available to enterprise customers.
The audit is conducted by an accredited CPA firm over a 12-month period of continuous control operation. The System Description is maintained and reviewed at the start of each audit cycle. The Type II report — demonstrating operating effectiveness over time — is available to enterprise customers under NDA upon request.
Microsoft Azure
Germany West Central
Core infrastructure: compute, storage, networking. Azure OpenAI Service (LLM inference and embeddings). Azure Speech Service (voice-to-text). Azure Key Vault (secrets management). Azure Active Directory (authentication and RBAC).
Google Cloud AI (via GCP)
EU region only (GCP EU deployment)
Alternative LLM inference. EU-only data processing by default — inference outside the EU occurs only if the customer actively selects an LLM with "global deployment" in the platform settings. This choice is clearly labelled and logged in the audit trail.
E2B, Inc.
Vendor-managed (sandboxed)
Secure sandboxed code execution environment (code interpreter). Processes user-submitted code, execution outputs, and temporary runtime data. No persistent customer data is stored outside the sandbox session.
Cloudflare
Global edge network
DNS, CDN, Web Application Firewall (WAF), and DDoS protection. Processes IP addresses and request metadata only — no AI prompt content or sensitive data passes through Cloudflare unencrypted.
PostHog
EU (configured deployment)
Product and usage analytics. Processes event data and usage metadata only — AI prompt content and sensitive data are never tracked. All analytics are routed to EU-hosted PostHog infrastructure.
Where is the EmpowerGPT app and database hosted?
EmpowerGPT is hosted on Microsoft Azure in the Germany West Central region. This region ensures data sovereignty for European customers and GDPR data residency compliance. All core infrastructure — compute, storage, networking, and databases — resides within this region by default. Storage accounts and databases are accessed through private endpoints and are never exposed to the public internet.
Will any AI models be trained with my data?
No. EmpowerGPT uses Azure OpenAI Service, which provides a contractual commitment that your data is never used to train or improve AI models. Your prompts, completions, and embeddings are processed only to deliver the service to you and are never shared with other customers or with OpenAI. Fine-tuned models, if any, remain exclusively yours.
What does EmpowerGPT do to be GDPR compliant?
EmpowerGPT implements a comprehensive set of GDPR compliance measures:
Data Minimisation: Only name and email are collected. AI prompt content is not retained beyond operational need.
Data Residency: All customer data is processed within the EU by default (Azure Germany West Central).
Data Processing Agreements: Standard GDPR Article 28 DPAs are available for all enterprise customers.
Audit Logs: Complete audit trails of all user activities and AI interactions are maintained.
Right to Erasure: Customer data can be deleted on request under GDPR Article 17.
Subprocessor Transparency: The current subprocessor list is published. All are EU-based or covered by Standard Contractual Clauses.
Is EmpowerGPT ISO 27001 certified?
EmpowerGPT is developed and operated by INTECH Automation & Intelligence GmbH, which holds ISO 27001:2022 certification. The information security management practices governing EmpowerGPT’s development and operations have been independently audited and certified against the international standard. The certificate and Surveillance Audit Report are available to enterprise customers on request.
What encryption does EmpowerGPT use?
EmpowerGPT applies multiple layers of encryption:
Data in Transit: TLS 1.3 at the transport layer, plus application-layer AES-256 with ephemeral session keys — protecting content even if TLS is compromised.
Data at Rest: AES-256 for all databases, file storage, and backups.
Session Cookies: HTTP-only, SameSite, and Secure attributes enforced. Cookies are further encrypted with server-side keys never exposed to the client.
Key Management: All encryption keys stored in Azure Key Vault and injected at runtime via External Secrets — never hardcoded.
What authentication options does EmpowerGPT support?
EmpowerGPT supports flexible enterprise authentication:
Enterprise SSO via Identity Provider: OIDC and SAML 2.0 federation with Azure AD, Okta, Google Workspace, and any compatible IdP. MFA enforcement is delegated to the customer’s IdP.
Local Authentication with MFA: Keycloak-based TOTP multi-factor authentication for organisations without an external IdP.
Role-Based Access Control: Three application roles and three content roles, with support for custom roles — all enforcing least privilege.
How does EmpowerGPT handle security incidents?
EmpowerGPT maintains a formal incident response programme:
Continuous Monitoring: All infrastructure and application events are logged and analysed in a SIEM with 24/7 on-call coverage.
Incident Response Plan: Documented NIST-aligned procedures tested in annual tabletop exercises with engineering, security, and leadership.
Penetration Testing: Annual tests by independent specialists. Critical findings are remediated within 72 hours.
Breach Notification: Documented GDPR Article 33 procedures for supervisory authority notification within 72 hours of a confirmed breach.
Backup & Recovery: Daily automated backups with 30-day retention and annually tested disaster recovery procedures.
Who do I contact for security enquiries?
For security questions, vulnerability disclosures, DPA requests, or audit report access:
EmpowerGPT Security Team: contact@empowergpt.ai
INTECH Security / DPO: empowergpt@intechww.com