Security & Data Protection

Last Updated: December 31, 2025

1. Security Approach and Philosophy

Trislaa is an early-stage cybersecurity consultancy building advanced AI products for cyber resilience. While we're growing toward formal certifications, we design and operate our systems according to recognized industry frameworks and best practices from day one.

1.1 Framework Alignment

Our security practices align with these established frameworks:

• ISO/IEC 27001: Information Security Management System principles
• NIST Cybersecurity Framework: Identify, Protect, Detect, Respond, Recover methodology
• OWASP: Secure application development for our AI products
• GDPR Requirements: EU data protection by design and by default
• Cloud Security Alliance (CSA): Cloud security best practices

1.2 Certification Roadmap

As we scale our operations and client base, we are working toward formal certifications:

• ISO 27001: Target: 2025-2026
• SOC 2 Type II: Target: 2026
• Cloud provider security certifications: Aligned with chosen infrastructure provider

2. Data Protection and Encryption

2.1 Data Classification

We classify all data to ensure appropriate protection levels:

• Public: Information approved for public disclosure (website content, marketing materials)
• Internal: Business information requiring basic protection
• Confidential: Client data, project details, and sensitive business information
• Highly Confidential: Security data, threat intelligence, authentication credentials

2.2 Encryption Standards

Data in Transit:

• TLS 1.3 for all web communications
• Encrypted email for sensitive client communications
• Secure file transfer protocols (SFTP, HTTPS)
• VPN for remote access when handling client systems

Data at Rest:

• AES-256 encryption for stored data
• Encrypted databases for client and product data
• Full-disk encryption on all devices
• Encrypted backups with secure key management

2.3 AI Product Security Data

For our cyber resilience AI products that process security and threat data:

• Data minimization: Collect only necessary security metadata
• Anonymization: Remove personally identifiable information where possible
• Secure processing: Isolated environments for threat analysis
• Access controls: Strict limitations on who can access raw security data
• Retention limits: Security data retained only as long as necessary for threat detection

3. Access Control and Authentication

3.1 Identity and Access Management

• Multi-Factor Authentication (MFA): Required for all system access
• Strong password policies: Minimum complexity requirements enforced
• Least privilege access: Users and contractors get only necessary permissions
• Regular access reviews: Quarterly review of who has access to what
• Immediate revocation: Access removed immediately upon contract termination

3.2 Contractor and Team Access

All contractors and team members:

• Sign comprehensive Non-Disclosure Agreements (NDAs)
• Receive security awareness training
• Use company-approved secure tools and platforms
• Access only systems necessary for their specific role
• Are subject to background verification for sensitive roles

4. Infrastructure and Cloud Security

4.1 Cloud Infrastructure

Our infrastructure leverages enterprise-grade cloud providers (AWS, Azure, or Google Cloud) with:

• Shared Responsibility Model: We secure what's in the cloud; providers secure the cloud infrastructure
• Regional data residency: EU data stored in EU regions (GDPR compliance)
• Infrastructure as Code: Reproducible, auditable infrastructure configurations
• Security groups and firewalls: Network-level access controls
• Private networks: Isolated environments for sensitive operations

4.2 Application Security

For our AI products and web applications:

• Secure development lifecycle: Security considered from design through deployment
• Code review: All code reviewed before deployment
• Dependency management: Regular updates and vulnerability scanning
• Input validation: Protection against injection attacks
• API security: Authentication, rate limiting, and monitoring
• Regular security testing: Penetration testing as we scale

5. Endpoint and Device Security

5.1 Device Requirements

All devices used for Trislaa business operations must have:

• Full-disk encryption enabled
• Automatic security updates
• Antivirus/anti-malware protection
• Screen lock with timeout
• Remote wipe capability for lost/stolen devices
• Up-to-date operating systems and software

5.2 Secure Remote Work

• VPN required for accessing sensitive systems
• Secure Wi-Fi practices and avoiding public networks for sensitive work
• Physical security awareness (screen privacy, device protection)

6. Monitoring and Incident Response

6.1 Security Monitoring

• Logging of system access and administrative actions
• Regular review of access logs and unusual activity
• Automated alerts for suspicious behavior
• Monitoring of our AI product infrastructure for anomalies

6.2 Incident Response

We maintain an incident response plan that includes:

• Detection: Identifying potential security incidents quickly
• Containment: Isolating affected systems to prevent spread
• Investigation: Understanding what happened and scope of impact
• Remediation: Fixing vulnerabilities and restoring normal operations
• Communication: Notifying affected parties as required by law (GDPR 72-hour breach notification)
• Lessons learned: Improving processes to prevent recurrence

6.3 GDPR Breach Notification

In the event of a personal data breach, we will:

• Notify the Finnish Data Protection Authority within 72 hours when required
• Notify affected individuals without undue delay if high risk to rights and freedoms
• Document all breaches and our response
• Take steps to mitigate harm and prevent future incidents

7. Backup and Business Continuity

7.1 Data Backup

• Regular backups: Automated daily backups of critical data
• Encrypted backups: All backups encrypted at rest
• Offsite storage: Backups stored in geographically separate locations
• Tested recovery: Regular testing to ensure backups can be restored
• Version control: Code and configurations under version control

7.2 Business Continuity

As we grow, we're developing comprehensive business continuity plans to ensure:

• Minimal disruption to client services
• Recovery procedures for different types of incidents
• Alternative communication channels
• Regular plan testing and updates

8. Vendor and Third-Party Security

8.1 Vendor Selection

We carefully evaluate security practices of vendors and service providers:

• Review of security certifications and compliance
• Assessment of data protection practices
• Evaluation of breach notification procedures
• Contractual security and privacy requirements

8.2 Data Processing Agreements

All vendors processing personal data on our behalf sign Data Processing Agreements (DPAs) that include:

• GDPR-compliant processing terms
• Security and confidentiality obligations
• Sub-processor management
• Breach notification requirements
• Data subject rights fulfillment

9. Security Awareness and Training

9.1 Team Security Training

• Security awareness training for all team members and contractors
• Phishing awareness and social engineering prevention
• Secure coding practices for developers
• GDPR and privacy training
• Incident reporting procedures

9.2 Security Culture

As a cybersecurity company, security is part of our DNA:

• Regular security discussions and knowledge sharing
• Staying current with emerging threats and best practices
• Encouraging reporting of security concerns without fear
• Continuous improvement of our security posture

10. Compliance and Regulatory Alignment

10.1 Current Compliance

We currently comply with:

• GDPR (General Data Protection Regulation): Full compliance as an EU-based company
• Finnish Data Protection Laws: National implementation of GDPR
• CCPA (California Consumer Privacy Act): For California-based clients

10.2 Industry-Specific Requirements

As we work with clients in various sectors, we adapt our security practices to meet industry-specific requirements when applicable (healthcare, finance, government, etc.).

11. Continuous Improvement

Security is never "finished." We continuously improve our security posture through:

• Regular security assessments and gap analysis
• Staying informed about new threats and vulnerabilities
• Learning from security incidents (ours and industry-wide)
• Adopting new security technologies and practices
• Client and partner feedback
• Working toward formal certifications as we scale

12. Client Security Collaboration

12.1 Security Questionnaires

We're happy to complete security questionnaires and assessments from clients. Contact us at contact@trislaa.com to request security documentation.

12.2 Custom Security Requirements

For clients with specific security requirements, we can:

• Implement additional security controls as contractually agreed
• Provide detailed security documentation
• Participate in security reviews and audits
• Adapt our practices to meet your organization's security standards

13. Transparency and Accountability

We believe in transparency about our security practices:

• Open communication: We're honest about our current capabilities and roadmap
• Documentation: We maintain documentation of our security practices
• Accountability: We take responsibility for protecting the data entrusted to us
• Responsible disclosure: We follow responsible disclosure practices for vulnerabilities

14. Contact Us

For security inquiries, to report security concerns, or to request additional security information:

Trislaa Security Team
Email: contact@trislaa.com

Security Vulnerability Reporting:
If you discover a security vulnerability in our systems or products, please report it responsibly to contact@trislaa.com. We appreciate responsible disclosure and will respond promptly.