Enterprise Trust Center
Building trust through security, transparency, and responsible AI.
At VixSiren, security is not a feature — it is the foundation of everything we build. This Trust Center sets out our security practices, privacy commitments, AI governance, operational resilience, and compliance roadmap.
Security posture
Pre-deployment hardening
Security incidents
None reported
Last security review
June 2026
Responsible disclosure
Open
01 · Security
How we secure our company and product.
Security philosophy
Security is built in from the first line of code, not bolted on. Our guiding principles:
Application security
- Secure coding & code review · In place
- Dependency & supply-chain scanning (automated) · In place
- Secret scanning & secure CI/CD · In place
- OWASP-aligned development · In place
- SAST / DAST in the pipeline · By design
- Independent penetration testing · Planned
  Scoped for an external engagement ahead of pilot.
- Vulnerability management & patch cadence · In place
Infrastructure security
- Encryption at rest (AES-256-GCM) & in transit (TLS) · In place
- Server hardening & least-privilege workloads · In place
- Network segmentation & isolation · By design
- Backups, redundancy & disaster recovery · By design
- Edge-resident, air-gap-capable deployment · In place
- Centralized logging & monitoring · In place
Identity & access
- Multi-factor authentication (privileged roles) · In place
- Role-based access control (RBAC) · In place
- Tamper-evident, hash-chained audit logs · In place
- Strong password policy (argon2id hashing) · In place
- Session management & account lockout · In place
- Single sign-on (SSO) for enterprise · Planned
02 · Privacy
Your data stays yours.
VixSiren runs at the edge, inside your environment. Operational plant data is processed locally and is not exfiltrated to a central cloud. The website itself collects only what you choose to send us.
- Data minimization — we collect only what we need · In place
- No operational/customer plant data leaves your site · In place
- Granular cookie controls & preference center · In place
  Per-category opt-in, re-openable anytime; consent recorded.
- Documented third-party services & subprocessors · In place
Full detail — including the “what we collect” table and legal bases — in the Privacy Policy.
Data retention
We keep personal data only as long as needed for the purpose it was given. Email enquiries are kept for up to 24 months after last contact; analytics data follows provider defaults (~12–14 months); security logs are kept short-term. Full table in the Privacy Policy.
Deletion & data-subject rights
You may request access, correction, deletion, restriction, or portability of your data, and object to processing. Email info@vixsiren.com — we respond within the legally required timeframe (Kenya DPA 2019 · GDPR principles).
International transfers
Where website/analytics data is processed across borders, we rely on our providers’ approved transfer mechanisms (e.g. Standard Contractual Clauses) and the safeguards required by applicable law.
Children’s privacy
This site is intended for a business and professional audience. It is not directed to children under 16, and we do not knowingly collect their data.
03 · Responsible AI
Explainable, accountable, and never in control of the grid.
AI principles
Explainable by design
- Every decision carries plain-language reasoning · In place
- Confidence scores on every verdict · In place
- Human verification — operators stay in control · In place
- Alert explainability an analyst can audit · In place
- Read-only over the grid — the AI never actuates · In place
AI governance
- Model lifecycle & versioning · In place
- Validation before deployment · In place
- Performance monitoring & drift detection · By design
- Controlled retraining with approval workflow · By design
- Independent bias & fairness review · Planned
04 · Compliance
Aligned today — certified next.
Currently aligned with
- NIST Cybersecurity Framework · In place
- NIST SP 800-82 (OT security) · In place
- IEC 62443 principles · In place
- NERC CIP · In place
- ERC Kenya Grid Code · In place
- OWASP ASVS · secure SDLC · In place
Planned certifications
- ISO/IEC 27001 (information security) · Planned
- ISO/IEC 27701 (privacy) · Planned
- ISO/IEC 42001 (AI management) · Planned
- SOC 2 Type II · Planned
05 · Infrastructure
Resilient by architecture.
- Edge-resident & air-gap-capable hosting · In place
- High availability & redundancy · By design
- Encryption at rest & in transit · In place
- Backups & disaster recovery · By design
- Monitoring & centralized logging · In place
- Business continuity planning · By design
A sanitized architecture overview is available on request for qualified enterprise and procurement teams.
06 · Availability
Built for uptime — measured once live.
VixSiren is engineered for high availability, with a target of 99.9%. We are pre-deployment, so we do not publish live operational metrics yet — doing so would be dishonest.
- High-availability target — 99.9% · By design
- Live public status page (API · dashboard · website) · Planned
  Published with our first deployment.
- Uptime metrics & maintenance windows · Planned
07 · Incident Response
A clear plan, before it’s ever needed.
Our incident-response approach follows a disciplined lifecycle:
A public summary of our Incident Response Policy is available on request.
08 · Responsible Disclosure
Found something? We want to hear from you.
We welcome responsible disclosure of security issues. Report in good faith and we will work with you — no legal action against researchers who follow this policy (safe harbor).
- Report to security@vixsiren.com · In place
- Safe harbor for good-faith research · In place
- Coordinated disclosure timeline · In place
- Acknowledged response within a defined window · By design
- Bug bounty program · Planned
Machine-readable policy at /.well-known/security.txt.
09 · Subprocessors
Who we rely on.
Because VixSiren runs at the edge, the operational system has minimal external dependencies. For our corporate and web operations we use a small set of reputable providers (e.g. cloud hosting, email). A current, itemized subprocessor list is available on request for customers under agreement.
10 · Trust Documents
Documentation, transparently.
- Privacy Policy · In place
- Terms of Use · In place
- Security Overview · On request
- Responsible AI Overview · On request
- Architecture Overview (sanitized) · On request
- Data Processing Addendum (DPA) · On request
- Vulnerability Disclosure Policy · On request
- Business Continuity & DR Summary · On request
- Compliance Roadmap · Subprocessor List · Planned
11 · Legal
The fine print.
12 · Contact
Talk to us about security.
Enterprise Trust Portal
Planned — a private portal where enterprise customers under agreement will access NDA-protected architecture documents, security questionnaires, penetration-test summaries, audit reports, compliance evidence, and shared-responsibility documentation.