Enterprise Trust Center

Building trust through security, transparency, and responsible AI.

At VixSiren, security is not a feature — it is the foundation of everything we build. This Trust Center is transparent about our security practices, privacy commitments, AI governance, operational resilience, and compliance roadmap.

Honest by design. VixSiren is at pre-deployment stage. Throughout this page we clearly mark what is In place today, what is By design, and what is Planned. We never imply a certification or capability we do not have.

  • Security posture: Pre-deployment hardening
  • Security incidents: None reported
  • Last security review: June 2026
  • Responsible disclosure: Open

01 · Security

How we secure our company and product.

Security philosophy

Security is built in from the first line of code, not bolted on. Our guiding principles:

Security-by-design · Privacy-by-design · Zero trust · Defense in depth · Least privilege · Secure SDLC · Secure defaults · Continuous monitoring

Application security

  • Secure coding & code review
    In place
  • Dependency & supply-chain scanning (automated)
    In place
  • Secret scanning & secure CI/CD
    In place
  • OWASP-aligned development
    In place
  • SAST / DAST in the pipeline
    By design
  • Independent penetration testing

    Scoped for an external engagement ahead of pilot.

    Planned
  • Vulnerability management & patch cadence
    In place

Infrastructure security

  • Encryption at rest (AES-256-GCM) & in transit (TLS)
    In place
  • Server hardening & least-privilege workloads
    In place
  • Network segmentation & isolation
    By design
  • Backups, redundancy & disaster recovery
    By design
  • Edge-resident, air-gap-capable deployment
    In place
  • Centralized logging & monitoring
    In place

Identity & access

  • Multi-factor authentication (privileged roles)
    In place
  • Role-based access control (RBAC)
    In place
  • Tamper-evident, hash-chained audit logs
    In place
  • Strong password policy (argon2id hashing)
    In place
  • Session management & account lockout
    In place
  • Single sign-on (SSO) for enterprise
    Planned

02 · Privacy

Your data stays yours.

VixSiren runs at the edge, inside your environment. Operational plant data is processed locally and is not exfiltrated to a central cloud. The website itself collects only what you choose to send us.

  • Data minimization — we collect only what we need
    In place
  • No operational/customer plant data leaves your site
    In place
  • Granular cookie controls & preference center

    Per-category opt-in, re-openable anytime; consent recorded.

    In place
  • Documented third-party services & subprocessors
    In place

Full detail — including the “what we collect” table and legal bases — in the Privacy Policy.

Data retention

We keep personal data only as long as needed for the purpose it was given. Email enquiries up to 24 months after last contact; analytics on provider defaults (~12–14 months); security logs short-term. Full table in the Privacy Policy.

Deletion & data-subject rights

You may request access, correction, deletion, restriction, or portability of your data, and object to processing. Email info@vixsiren.com — we respond within the legally required timeframe (Kenya DPA 2019 · GDPR principles).

International transfers

Where website/analytics data is processed across borders, we rely on our providers’ approved transfer mechanisms (e.g. Standard Contractual Clauses) and the safeguards required by applicable law.

Children’s privacy

This site is intended for a business and professional audience. It is not directed to children under 16, and we do not knowingly collect their data.

03 · Responsible AI

Explainable, accountable, and never in control of the grid.

AI principles

Fairness · Transparency · Human oversight · Explainability · Accountability · Safety · Reliability · Continuous validation

Explainable by design

  • Every decision carries plain-language reasoning
    In place
  • Confidence scores on every verdict
    In place
  • Human verification — operators stay in control
    In place
  • Alert explainability an analyst can audit
    In place
  • Read-only over the grid — the AI never actuates
    In place

AI governance

  • Model lifecycle & versioning
    In place
  • Validation before deployment
    In place
  • Performance monitoring & drift detection
    By design
  • Controlled retraining with approval workflow
    By design
  • Independent bias & fairness review
    Planned

04 · Compliance

Aligned today — certified next.

Important: “Aligned with” means we are built to a standard’s principles. It does not mean we are certified. We list certifications separately, as a roadmap.

Currently aligned with

  • NIST Cybersecurity Framework
    In place
  • NIST SP 800-82 (OT security)
    In place
  • IEC 62443 principles
    In place
  • NERC CIP
    In place
  • ERC Kenya Grid Code
    In place
  • OWASP ASVS · secure SDLC
    In place

Planned certifications

  • ISO/IEC 27001 (information security)
    Planned
  • ISO/IEC 27701 (privacy)
    Planned
  • ISO/IEC 42001 (AI management)
    Planned
  • SOC 2 Type II
    Planned

05 · Infrastructure

Resilient by architecture.

  • Edge-resident & air-gap-capable hosting
    In place
  • High availability & redundancy
    By design
  • Encryption at rest & in transit
    In place
  • Backups & disaster recovery
    By design
  • Monitoring & centralized logging
    In place
  • Business continuity planning
    By design

A sanitized architecture overview is On request for qualified enterprise and procurement teams.

06 · Availability

Built for uptime — measured once live.

VixSiren is engineered for high availability, with a target of 99.9%. We are pre-deployment, so we do not publish live operational metrics yet — doing so would be dishonest.

  • High-availability target — 99.9%
    By design
  • Live public status page (API · dashboard · website)

    Published with our first deployment.

    Planned
  • Uptime metrics & maintenance windows
    Planned

07 · Incident Response

A clear plan, before it’s ever needed.

Our incident-response approach follows a disciplined lifecycle:

Detection · Containment · Investigation · Recovery · Customer notification · Post-incident review · Lessons learned · Escalation procedures

A public summary of our Incident Response Policy is On request.

08 · Responsible Disclosure

Found something? We want to hear from you.

We welcome responsible disclosure of security issues. Report in good faith and we will work with you — no legal action against researchers who follow this policy (safe harbor).

  • Report to security@vixsiren.com
    In place
  • Safe-harbor for good-faith research
    In place
  • Coordinated disclosure timeline
    In place
  • Acknowledged response within a defined window
    By design
  • Bug bounty program
    Planned
Report a security issue

Machine-readable policy at /.well-known/security.txt.

09 · Subprocessors

Who we rely on.

Because VixSiren runs at the edge, the operational system has minimal external dependencies. For our corporate and web operations we use a small set of reputable providers (e.g. cloud hosting, email). A current, itemized subprocessor list is On request for customers under agreement.

10 · Trust Documents

Documentation, transparently.

  • Privacy Policy

    View

    In place
  • Terms of Use

    View

    In place
  • Security Overview
    On request
  • Responsible AI Overview
    On request
  • Architecture Overview (sanitized)
    On request
  • Data Processing Addendum (DPA)
    On request
  • Vulnerability Disclosure Policy
    On request
  • Business Continuity & DR Summary
    On request
  • Compliance Roadmap · Subprocessor List
    Planned
  • Responsible AI Statement

    See section 03 above.

    In place
  • Cookie Policy

    View

    In place
  • Acceptable Use Policy

    View

    In place
  • Accessibility Statement

    View

    In place
  • Copyright & trademark — © VixSiren Ltd
    In place

12 · Contact

Talk to us about security.

Enterprise Trust Portal

Planned — a private portal where enterprise customers under agreement will access NDA-protected architecture documents, security questionnaires, penetration-test summaries, audit reports, compliance evidence, and shared-responsibility documentation.