Security at Adgentia
Effective date: February 25, 2026
Who We Are
Adgentia, Inc. is a Delaware corporation and a wholly owned subsidiary of Quantum Grade Analytics, Inc. ("QGA").
Adgentia provides an AI agents platform for SEO, digital ads, and website publishing. We operate a security program aligned to SOC 2 principles, with shared corporate services from QGA under intercompany confidentiality and data protection agreements.
Our Security Principles
Defense-in-depth: Layered controls across people, process, and technology.
Least privilege: Access is granted on a need-to-know, time-bound basis and is continuously reviewed.
Secure by design: Security is embedded in our SDLC, infrastructure, and operations.
Transparency: We publish our subprocessors and respond promptly to security inquiries and disclosures.
Data Protection
Data in transit: TLS 1.2+ with modern ciphers and perfect forward secrecy; HSTS enforced. Administrative endpoints require strong TLS configurations.
Data at rest: AES-256 (or stronger) encryption at rest using cloud-native key management. Keys and secrets are rotated and access-limited.
Data segregation: Logical multi-tenant isolation with scoped access controls and tenant-level authorization checks.
Data minimization: We collect only what is necessary to deliver the service; optional phone numbers are used only for MFA/SMS with consent.
Data residency: Primary hosting in the United States. Cross-border transfers use Standard Contractual Clauses (EU/UK) and vendor DPF participation where applicable.
Access Control and Identity
SSO/MFA: SAML/OIDC single sign-on available. MFA is required for privileged internal accounts and strongly recommended for all customer admins.
Role-based access control (RBAC): Granular roles (admin, editor, viewer) with least-privilege defaults and permission scoping.
Production access: Limited to vetted engineering and SRE personnel via just-in-time elevation with change tickets, approval workflows, and full audit logging.
Session security: Secure cookies, short-lived tokens, server-side invalidation on logout/role change, and device/IP heuristics for anomaly detection.
Application Security (SDLC)
Secure development lifecycle: Threat modeling, peer code reviews, and gated CI/CD with automated testing and policy checks.
Dependency and image scanning: Continuous SCA for known CVEs; container image and infrastructure-as-code scanning prior to deploy.
Static/dynamic testing: SAST/DAST integrated into CI; findings triaged and tracked to remediation.
Secrets management: Centralized secret storage with role-scoped access; no hard-coded credentials in source control.
Change management: Canary/blue-green releases with automated rollback and post-deploy monitoring.
Infrastructure and Network Security
Cloud security: Hosted on leading cloud providers with ISO 27001 and SOC 2 reports available from those providers. Network segmentation, security groups, and WAF protections in place.
Hardening and patching: Baseline OS and container hardening; critical patches prioritized. Target SLAs: Critical within 72 hours; High within 7 days; Medium within 30 days.
Monitoring and logging: Centralized logs (auth, admin actions, network, app) retained per policy; alerting on suspicious events; dashboards for uptime and error budgets.
Availability, Backups, and Continuity
High availability: Multi-AZ architecture for core services.
Backups: Encrypted backups with daily incrementals and periodic fulls; point-in-time recovery for primary data stores.
RPO/RTO targets: RPO of 24 hours or less; RTO of 24 hours or less for critical services.
DR exercises: Periodic restore tests and failover drills; lessons learned tracked to closure.
Vulnerability Management and Testing
Discovery and triage: Central intake with CVSS-based severity scoring; ticketed remediation with management oversight.
Penetration testing: Independent third-party tests at least annually and after major architectural changes.
Customer notification: Material risk items that could affect customer data are prioritized and communicated consistent with our incident procedures.
Incident Response
Preparation: Documented runbooks, on-call rotation, and executive escalation paths.
Detection and analysis: 24/7 alerting for critical signals; rapid triage to confirm scope and impact.
Containment, eradication, recovery: Time-boxed playbooks, forensics as needed, and staged service restoration.
Notification: For confirmed security incidents impacting customer data, we notify affected customers without undue delay and within 72 hours of confirmation, providing known details and ongoing updates until closure.
Post-incident review: Root cause analysis, corrective actions, and control improvements.
Privacy and Compliance
Privacy: See our Privacy Policy for full details. We support CCPA/CPRA and other U.S. state privacy rights; GDPR requirements are supported where applicable.
DPA: A controller-processor Data Processing Addendum is available for customers and includes SCCs/UK Addendum for international transfers.
Subprocessors: We publish and maintain our subprocessor list with services and locations at adgentia.ai/subprocessors.
Shared services with QGA: Limited personal data may be processed by QGA for security incident management, finance, legal, and compliance under intercompany data protection terms.
Customer Controls and Responsibilities
Authentication and SSO: Enable SAML/OIDC and MFA for all admins.
Least privilege: Assign roles conservatively; review access regularly; deprovision promptly on role change or departure.
Consent and messaging: Obtain and maintain legally sufficient consent for any messaging activities; comply with CAN-SPAM, TCPA, CTIA, and applicable platform policies.
API keys: Rotate keys periodically and on suspicion of compromise; store keys securely.
Endpoint hygiene: Secure the endpoints that access the platform (EDR/AV, disk encryption, patching).
AI/ML Security and Data Use
Model operations: We do not use Customer Data to train public models. We may use de-identified or aggregated data to improve service quality and safety.
Prompt/response handling: Prompts and outputs are treated as Customer Data, subject to the same access controls and logging.
Safety controls: Input validation, rate limiting, and abuse detection reduce prompt injection and misuse risks.
Organizational Security
Employee screening and training: Background checks (as permitted by law) for relevant roles; security and privacy training at onboarding and annually; targeted training for engineers and support.
Device and endpoint security: Full-disk encryption, MDM, automatic patching, and EDR for corporate devices; least-privilege local access and screen lock policies.
Access reviews: Quarterly reviews for privileged access and critical systems; immediate removal on role change or termination.
Email and Domain Security
SPF, DKIM, and DMARC: Implemented for corporate and product sending domains to reduce spoofing.
Phishing protection: Security awareness training, phishing simulations, and inbound filtering.
Trust and Transparency
Status and uptime: We publish real-time availability and incident history on our status page (linked from the app header or help center).
Security reviews: We accommodate reasonable security questionnaires and provide available audit artifacts under NDA.
Responsible Disclosure
We welcome reports from security researchers. Report suspected vulnerabilities to security@adgentia.ai with details and reproduction steps.
Safe harbor: If you follow our guidelines, test only against your own accounts, avoid privacy-invasive actions, and give us a reasonable time to remediate, we will not pursue legal action related to your good-faith research.
Data Retention and Deletion
Default deletion: Customer account data is deleted or de-identified within 90 days after account closure, subject to backup aging and legal retention for billing/records.
Customer exports: Self-service export tools are available; additional exports can be coordinated with support.
Legal
Adgentia, Inc. is a wholly owned subsidiary of Quantum Grade Analytics, Inc.
Governing law and venue appear in our Terms of Service. Breach notifications and data processing are governed by our Privacy Policy and DPA.
Contact
Support: support@adgentia.ai
Security: security@adgentia.ai
Privacy / Data Rights: privacy@adgentia.ai