Security Terms

1.1. Provider Liability for Data BreachesDuckie's contract and terms of service outline the liability in the event of a data breach or compromise of the customer's environment. Specific details regarding Duckie's liability can be found in the official terms of service document, which is accessible at https://www.duckie.ai/terms. It is recommended that customers review this document thoroughly to understand the full extent of Duckie's liability and the protections offered in case of a security incident.For the most up-to-date and accurate information on liability clauses, customers should refer directly to the terms of service at the provided URL.

1.2. Service Level Agreement (SLA) and Performance GuaranteesDuckie has an active Service Level Agreement (SLA) in place that outlines minimum performance standards and guarantees. Our SLA specifically addresses system availability and incident response times, ensuring a high level of service quality for clients.

1. Uptime Guarantee: Duckie commits to maintaining a 99.9% uptime for our services, ensuring minimal disruption to client operations.
2. Incident Response and Resolution: Our SLA defines specific response and resolution times for different severity levels of incidents. </rewritten_content>

1.3. Right of Termination for Material Breach of Privacy and Security ObligationsIn the event that a party materially breaches their privacy and security obligations as outlined in the terms of service, the other party retains the right to terminate the agreement.

2.1. Provider's Rights to Customer Data and Account InformationDuckie does not reserve any rights to use, disclose, or make public customers' account information or data.Our policy prohibits any unauthorized use, disclosure, or publication of customer data or account information. This applies to all forms of customer data, including but not limited to personal information, transaction records, and any other data stored within Duckie's systems.

2.2. Preservation of Customer Data Intellectual Property RightsIn accordance with our data ownership policies and practices, the intellectual property rights of our customers' data remain fully intact. Customers retain all rights, title, and interest in their data, including any intellectual property rights associated with that data.

2.3. Provider's Rights to Customer Data After RemovalIn accordance with our data ownership policies, Duckie does not retain any rights to customer data after it has been removed from our system.

3.1. Industry Standard Security CertificationsWe are actively working in the process of obtaining SOC-2 compliance. We have partnered with Thoropass, a reputable compliance automation platform, to support us.We will keep our clients and partners informed of our progress throughout the SOC-2 compliance process and will provide updates on any additional certifications we may pursue in the future to further strengthen our security and privacy practices.

3.2. Provision of Independent Audit Reports to CustomersIn accordance with our commitment to transparency and regulatory compliance, we confirm that customers will receive a copy of any independent audit reports upon their finalization.

4.1. Third-Party Service Providers and RelationshipsDuckie relies on several third-party service providers, which have been carefully selected and assessed to ensure they meet our security and compliance standards. The following outlines our key third-party relationships:

1. Amazon Web Services (AWS): Provides cloud hosting and infrastructure services.
2. Anthropic: Offers advanced AI capabilities.
3. OpenAI: Provides machine learning and natural language processing services.
4. Sentry: Utilized for application performance monitoring and error tracking.
5. Supabase: Offers database and backend-as-a-service solutions.
6. Weaviate: Provides vector database capabilities for efficient data storage and retrieval.

We have implemented the following measures:

1. Compliance Frameworks: All of our third-party providers adhere to recognized compliance frameworks, such as SOC 2.
2. Independent Assessments: We have conducted independent assessments of each vendor to verify their security posture and compliance with our requirements.
3. Documentation Availability: Detailed assessment reports for each third-party provider are available upon request to our customers.

4.2. Monitoring of Upstream Providers and Third-Party VendorsWe recognize the critical importance of maintaining service continuity, compliance, and security across our entire supply chain. To address potential risks associated with upstream providers and third-party vendors, we have implemented a robust monitoring system in collaboration with Thoropass.

5.1. Disaster Recovery Plan ImplementationWe has implemented a comprehensive disaster recovery plan to ensure business continuity and data protection in the event of unforeseen circumstances.

1. Regular Backups: The provider conducts systematic backups of critical data and systems to minimize potential data loss.
2. Failover Procedures: Established protocols are in place to swiftly transition operations to alternative systems or locations in case of primary system failure.
3. Data Restoration Processes: Procedures have been developed to efficiently restore data and services to their normal operational state following a disaster event.

5.2. Failover Site Certification and StandardsDuckie maintains robust disaster recovery measures, which include the implementation of failover sites.

Key points regarding our failover sites:

1. Availability: We have established multiple failover sites to support our operations in case of emergencies.
2. Cloud-based Infrastructure: Our failover sites are configured through our cloud service provider.
3. Geographic Distribution: To enhance resilience and minimize the risk of regional disruptions, our failover sites are distributed across multiple regions within the United States.
4. Security and Availability Standards: It is crucial to note that all our failover sites are held to the same security and availability standards as our primary facility.
5. Certification: The failover sites adhere to the same certification requirements as our primary facility.

6.1. Provider and Third-Party Access to Customer DataAccess to customer data and environments is strictly limited. Currently, two individuals within the Duckie organization have direct access to customer data:

1. Chief Technology Officer (CTO) - Joel Ritossa
2. Technical Lead - Xingfan Xia

In addition to internal access, we utilize services from two third-party vendors:

1. Amazon Web Services (AWS)
2. Supabase

6.2. Internal Access Control PracticesAccess to customer data is granted exclusively to internal engineering leads, who have been vetted and deemed necessary for operational purposes.To enforce these access control policies, we use comprehensive permission controls. These controls are designed to:

1. Implement the principle of least privilege, ensuring that employees have access only to the specific data and systems required for their roles.
2. Establish role-based access control, aligning access rights with job responsibilities and organizational hierarchy.
3. Regularly review and update access permissions to maintain the integrity of our access control system.

6.3. Deprovisioning of Access to Customer DataWe maintains a strict policy regarding the deprovisioning of access to customer data, environments, and applications that store customer data. We ensure that access is revoked within 24 hours after a user leaves or is terminated from our provider services.Duckie’s access management system is configured to automatically trigger the deprovisioning process upon notification of an employee's departure or termination.Regular reviews are conducted to verify the effectiveness of this deprovisioning process.

6.4. Public Internet Accessibility of Customer DataCustomer data and/or environment will not be accessible from the public internet. Duckie’s infrastructure and access controls are designed to prevent any direct connection between customer data and the public internet.

6.5. Multi-Factor Authentication for Remote AccessIn accordance with our security protocols, multi-factor authentication (MFA) is required for all Duckie employees accessing the customer's environment or data.

6.6. LLM Data Access and RetentionDuckie utilizes a combination of open-source and closed-source language models (LLMs) to provide its services. Our approach to LLM data access and retention is designed to maximize data security and privacy:

6.6.1. Open-source ModelsOpen-source models used by Duckie do not share data with third-party vendors, ensuring complete data isolation.

6.6.2. Closed-source ModelsBy default, for closed-source models, we use OpenAI and Anthropic:

1. We maintain a zero-day retention policy with OpenAI, ensuring that no customer data is stored beyond the immediate processing needs
2. Anthropic does not use customer data for training purposes, further protecting data privacy. Anthropic's commercial terms can be found at: https://www.anthropic.com/legal/commercial-terms

6.6.3. AWS Bedrock OptionCustomers can elect to use only models available in AWS Bedrock:

• AWS Bedrock maintains a zero retention policy for all customer data.
• No customer data is used for model training purposes.
• As stated in AWS documentation: "Amazon Bedrock doesn't store or log your prompts and completions. Amazon Bedrock doesn't use your prompts and completions to train any AWS models and doesn't distribute them to third parties." (https://docs.aws.amazon.com/bedrock/latest/userguide/data-protection.html)

6.6.4. Self-hosted OptionDuckie offers a fully self-hosted version for customers with heightened security requirements:

1. Customers can deploy Duckie on their own cloud infrastructure.
2. Customers have the ability to define their own model endpoints, providing complete control over data flow and storage.

6.6.5. Data Privacy AssuranceRegardless of the chosen deployment option (default, AWS Bedrock, or self-hosted), Duckie is committed to ensuring that customer data is not retained or used for training purposes without explicit consent. Our systems and partnerships are designed to maintain the highest standards of data privacy and security.

7.1. Dedicated Data Storage for Customer EnvironmentsDuckie’s system architecture employs silo'd data collections.

7.2. Data Transmission Protection and EncryptionTo ensure the security of transmitted data, we implement Transport Layer Security (TLS) protocols.

7.3. Data Protection through Encryption at RestWe implement data protection measures to ensure the security of stored information. The primary method employed is encryption at rest.

7.4. Vulnerability Assessments and Penetration TestingWe have implemented a schedule of vulnerability assessments and penetration testing:

1. We conduct thorough vulnerability assessments on a quarterly basis. These assessments are designed to identify potential security weaknesses in our systems, applications, and infrastructure.
2. In addition to vulnerability assessments, we also perform in-depth penetration testing on an annual basis.

7.5. Secure Application Development Standards and ProtocolsDuckie adheres to the Open Web Application Security Project (OWASP) guidelines for secure application development.As part of our commitment to these standards, we have implemented automated security testing procedures. These automated tests are integrated into our development pipeline.

7.6. Application Security Measures in Production EnvironmentOur production environment employs a set of application security measures and controls to ensure the integrity, confidentiality, and availability of our systems and data. These measures include:

1. Database Logging and Auditing: We implement robust database logging and auditing mechanisms to track and monitor all database activities.
2. Network Intrusion Detection/Prevention Systems (IDS/IPS): Our production environment is equipped with advanced network IDS/IPS to detect and prevent potential security threats and unauthorized access attempts in real-time.
3. Access Control Lists (ACLs): We utilize ACLs to restrict network traffic and enforce granular access controls.
4. Identity and Access Management (IAM) Policies: IAM policies are implemented to manage user identities, permissions, and access rights across our production environment.
5. Monitoring and Alerting: Monitoring and alerting systems are in place to provide real-time visibility into our production environment.
6. Backup and Recovery: We maintain backup and recovery procedures to ensure business continuity and data integrity in the event of system failures or security breaches.

7.7. Administrative Web Interface AccessAs part of our services, customers will be granted access to an administrative web interface to manage their data.

8.1. Security Incident and Breach Response PlanDuckie maintains security incident and breach response plans to address potential security threats and data breaches effectively.For further information or to request access to the detailed plan, please contact our security compliance team at founders@duckie.ai.

8.2. Customer Notification Process for Security IncidentsDuckie will notify customers in the event their environment or data is involved in a security incident. Security incident notifications are sent to customers via email.

Our security incident notifications include the following key information:

1. The nature of the security incident
2. Specific details about the affected customer data
3. Steps being taken to mitigate the issue and prevent future occurrences

8.3. Customer Incident Reporting MechanismCustomers can report any security-related issues by sending an email to founders@duckie.ai.This email address serves as the primary point of contact for all security incident reports and concerns from our customers.

8.4. Security and Audit Log RetentionSecurity logs are retained for a period of 6 months. These logs capture various security-related events and activities within our systems.Audit logs are maintained indefinitely.

9.1. Self-Hosted Solution AvailabilityWe offers a comprehensive self-hosted version of Duckie to meet the security and compliance needs of our clients.Key features of our self-hosted solution include:

1. On-premises deployment: The software can be installed and operated within the customer's own data centers or private cloud environments.
2. Data sovereignty: All data generated and processed by the software remains within the customer's environment, addressing data residency and privacy concerns.
3. Enhanced security: Customers can apply their existing security measures and policies to our solution.
4. Compliance adherence: The self-hosted solution supports customers in meeting various regulatory and compliance standards by maintaining full control over their data and processing.
5. Custom LLM models: The self-hosted solution can integrate and utilize custom language models. Customers can configure Duckie to use their own proprietary LLMs or fine-tuned models that have been specifically adapted to their domain or use case.