Trust & security

Trust Center

How Unified Systems Intelligence protects customer data, operates the Unify platform on AWS, and provides assurance materials for your vendor security process. This page summarizes our SOC 2 Type I (Security & Availability, design) narrative and related practices.

SOC 2 reports are restricted use documents. Public summaries here do not replace the full report. Request access through Contact Us under NDA or your procurement channel.

Security overview

Unified Systems Intelligence (USI) delivers the Unify suite as cloud software with a security program designed around least privilege, strong authentication for administrative paths, network segmentation, continuous monitoring, and a documented software development lifecycle. The following summary reflects commitments and system design described in our SOC 2 materials and is intended as a high-level overview for customers and prospects.

  • Hosting & isolation: Production and non-production environments on Amazon Web Services (AWS) with VPCs, subnets, and security groups separating public-facing resources from internal and management components.
  • Zero-trust alignment: Administrative access uses multi-factor authentication (MFA), IP-restricted paths, and bastion-hosted SSH for privileged operations—not a separate “certification,” but consistent with layered, verify-every-access design.
  • Application security: User traffic to web applications uses TLS 1.2. AWS WAF and Amazon GuardDuty support edge protection and threat detection; AWS CloudTrail, Amazon CloudWatch, and Wazuh contribute to centralized logging and security monitoring.
  • Data protection: Encryption at rest for databases and storage volumes; role-based access at the application and database layers combined with AWS IAM controls.
  • Identity: AWS IAM for infrastructure with MFA for administrative accounts; corporate Microsoft Entra ID is used for email/productivity and is not integrated with AWS or third-party production systems in the described architecture—reducing blast radius from credential compromise.
  • Secure development: Peer-reviewed changes, staging before production, CI/CD controls, OWASP-aligned secure coding standards, and AWS Config for configuration drift visibility.
  • Operations: Documented incident response and business continuity / disaster recovery programs, including annual tabletop exercises; annual independent penetration testing with high-severity findings remediated within 30 days (per system description).
  • Governance: Executive and CTO-led security governance, quarterly governance reviews, annual risk assessments, and a maintained risk register reviewed by leadership.
  • Vendors: Subservice organization reliance on AWS (with complementary controls); annual review of assurance reports for subprocessors and high-risk vendors.

Compliance & certifications

  • SOC 2 Type I (Security & Availability): System description and controls designed to meet applicable Trust Services Criteria for the Unify SaaS environment on AWS.
  • HIPAA: Applicability depends on your use case and agreements. Contact us if you need a regulated-health deployment assessment.
  • GDPR / CCPA: We support alignment efforts (data subject requests, subprocessor transparency, DPA) where contracted—final obligations depend on your role and processing.
  • Workforce & telecom context: Where your workflows touch OFCCP/DOL apprenticeship, E-Verify (e.g. Unify.CMS / I-9-related flows), or FCC 47 CFR Part 90 integrations, we describe capabilities at the product and agreement level—confirm scope with your compliance team.

Roadmap (public)

  • SOC 2 Type II — targeted for June 1, 2026 (6/1/2026).
  • FedRAMP Ready — evaluate if required for state broadband or federal-adjacent programs.
  • NIST 800-171 readiness assessment for controlled unclassified information (CUI) scenarios.
  • ISO 27001 management system certification path.

Data protection & privacy

Application data is primarily user-generated—information your organization enters, uploads, or processes through Unify. Data flows through front-end and API components into managed database services; logs and monitoring telemetry are aggregated for security and operations.

  • Encryption: TLS 1.2 for connections from users to our web applications; encryption at rest for databases and storage volumes, with AES-256 for backups in transit and at rest (per system description).
  • Retention & deletion: Practices are defined in customer agreements and Data Processing Addendum (DPA). For data subject requests or deletion coordination, use Contact Us.
  • Subprocessors & vendors: We maintain a third-party inventory for transparency and oversight. Request a current list through Contact Us or your account team.
  • Monitoring: Centralized logging and SIEM/IDS/IPS capabilities support detection and investigation; alert review cadences are defined in our security operations materials.

Infrastructure & architecture

The in-scope system is AWS-hosted, with staging environments that mirror production in functionality and general architecture. Edge traffic is protected by AWS WAF; compute includes EC2 running Apache Tomcat-based applications interacting with managed databases (including MongoDB in the described data flows) and Amazon RDS-class patterns where applicable.

  • High availability: Amazon Route 53 health checks monitor externally facing sites and services; Amazon CloudWatch monitors performance and operational events.
  • Backups: Daily incremental and weekly full backups of production systems; quarterly backup integrity tests; failed backups alert engineers and are remediated.
  • Encryption: Data at rest and in transit for backups per system description (AES-256).
  • Authentication (APIs): Industry-standard patterns (e.g. OAuth2 / JWT) may be used depending on product surface—confirm in integration documentation for your app.
  • Tenancy: Multi-tenant SaaS with logical separation and access controls as described in the system narrative.

High-level data flow (simplified)

Users → TLS → Web application → Application / API tier (EC2) → Databases & object storage; parallel paths for logging/SIEM (Wazuh, CloudWatch, CloudTrail, GuardDuty) and support tooling (Unify.CRM) consistent with the SOC 2 system description.

Product security controls

The following reflects common enterprise controls across Unify products. Exact availability can vary by edition and configuration—validate in your order form or security addendum.

  • Audit logs for system and user actions (design varies by product).
  • Multi-factor authentication where enabled for customer administrators.
  • IP allowlisting for sensitive administrative paths (infrastructure pattern extends to product features where offered).
  • SSO with SAML 2.0 / OIDC where supported for your tenant.
  • Session management aligned to industry practice; configurable timeouts where the product supports them.
  • SCIM provisioning where offered for your identity integration.
  • API rate limiting & throttling to protect platform stability.
  • Secrets management via approved mechanisms (no secrets in source).
  • Sandbox / non-production environments for testing changes.
  • Data classification patterns supported through roles, workspaces, and retention settings per product.
  • Secure file uploads with validation appropriate to the product surface (e.g. type checks and malware scanning where implemented).

AI safety, transparency & governance

Unify.AI provides AI-enabled automation. Our SOC 2 system description references self-hosted LLM components and third-party LLM integrations connected through the application tier. Secure coding practices explicitly include AI-integrated services.

  • Customer data & models: We commit that customer data is not used to train public foundation models except where you separately opt in to a clearly labeled program (default is no training use). Model behavior is governed by contract and product configuration.
  • Tenant isolation: Logical separation of tenant data and configuration; agent and tool execution respects role-based access.
  • Auditability: System and security logging supports investigation of agent and automation actions where products emit those events.
  • Prompt injection & guardrails: Layered controls including input validation, policy enforcement, and human-in-the-loop workflows where you configure them.
  • Hallucination mitigation: Retrieval-grounded workflows, confidence thresholds, and human review for high-risk outputs—exact controls depend on module.
  • Transparency: We disclose model families in use per feature (e.g. hosted vs. named third-party APIs) in product documentation and release notes.

Unify.AI’s agent store and orchestration are designed as a controlled automation layer—combining governance, logging, and least-privilege tool access as a differentiator for regulated and operational workloads.

Incident response

  • 24/7 monitoring via automated tooling (e.g. GuardDuty, centralized SIEM) with daily alert review and weekly operational meetings for remediation planning.
  • Incident Response Plan covering identification, containment, investigation, and remediation; severity classifications drive escalation.
  • Customer notification provided as appropriate to contractual commitments when incidents affect your data or service.
  • Tabletop exercises conducted annually with lessons learned fed back into the IR plan.
  • Fraud / misuse: Monitoring of user activity logs and anomalies; confirmed issues documented and reported per contract.

Penetration testing

  • Frequency: Annual independent third-party penetration test of the environment described in our SOC 2 materials.
  • Vulnerability scanning: Amazon Inspector on EC2 with prioritized remediation; patch posture tracked via AWS Systems Manager.
  • Findings: High-risk penetration test findings are documented and remediated within 30 days with tracking and validation.
  • Enterprise customers may request a summary or attestation letter through Contact Us subject to NDA.

Reliability & uptime

  • Monitoring: CloudWatch metrics and Route 53 health checks for availability signals.
  • Backups & recovery: Daily incremental / weekly full backups with integrity testing as described under Infrastructure.
A dedicated public status page (historical uptime, incidents, maintenance calendar, webhooks) is planned. Until it launches, use Contact Us for operational bulletins or subscribe to your account team’s distribution.
  • Status page (coming soon)

Vulnerability disclosure program

We welcome responsible disclosure of security vulnerabilities. Please report issues through Contact Us with enough detail to reproduce (no public disclosure until we agree on coordinated disclosure).

  • Scope in: *.myunifyai.com production and staging properties, APIs documented as public, and mobile/web clients we operate—only test accounts you control unless we authorize otherwise.
  • Scope out: Social engineering of employees or customers, physical attacks, denial-of-service against production, third-party services not operated by USI, or out-of-date findings on assets already fixed.
  • Safe harbor: We will not pursue legal action against researchers who act in good faith, follow this policy, and avoid privacy violations or data destruction.
  • SLA: We aim to triage credible reports within 5 business days and keep you informed of status—critical issues prioritized sooner.
Bug bounty: We do not currently operate a public paid bounty program. This section is reviewed with counsel—treat safe-harbor language as draft until your legal team approves.

Security review & vendor questionnaires

Enterprise security teams can request assurance artifacts and standardized questionnaire responses through the channels below.

Contact Us
  • SIG Lite / CAIQ Lite (download): Coming soon in Q3 2026.

Dedicated contact channels

Security

Vulnerability reports, SOC 2 requests, and security assessments.

Contact Us

Privacy

Data subject rights, DPA questions, and privacy inquiries.

Contact Us

Abuse

Report misuse of USI services or customer-facing abuse.

Contact Us
IR hotline (enterprise): Available to named customers under support contracts—use your account team bridge or the number in your order documentation.
