Security Addendum

Adjudica.AI — Glass Box Solutions, Inc.

Effective Date: February 23, 2026

Version: 1.0

1. Overview

This Security Addendum ("Addendum") describes the security measures, certifications, and practices that Glass Box Solutions, Inc. ("Provider") implements to protect Customer data within the Adjudica.AI platform (the "Service"). This Addendum is incorporated into the Master Subscription Agreement or Terms of Service.

2. Security Certifications and Compliance

2.1 Current Certifications

CertificationStatusScope
SOC 2 Type II[In Progress / Achieved]Security, Availability, Confidentiality
HIPAACompliantPHI handling and safeguards

2.2 Compliance Frameworks

Provider maintains compliance with:

  • HIPAA Security Rule (45 CFR Part 164, Subpart C)
  • HIPAA Privacy Rule (45 CFR Part 164, Subpart E)
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act)
  • CalOPPA (California Online Privacy Protection Act)
  • CMIA (California Confidentiality of Medical Information Act)
  • SOC 2 Trust Service Criteria (Security, Availability, Confidentiality)

2.3 Third-Party Audits

  • Penetration Testing: Conducted annually by independent security firm
  • Vulnerability Assessments: Conducted quarterly
  • SOC 2 Audit: Conducted annually by licensed CPA firm
  • HIPAA Risk Assessment: Conducted annually

3. Infrastructure Security

3.1 Cloud Infrastructure

The Service is hosted on Google Cloud Platform (GCP), which maintains:

  • SOC 1/2/3 certification
  • ISO 27001, 27017, 27018 certification
  • FedRAMP Authorization
  • HIPAA BAA execution
  • PCI DSS compliance

3.2 Network Security

ControlImplementation
FirewallCloud-native firewall with default-deny policies
DDoS ProtectionCloud Armor DDoS mitigation
Network SegmentationVPC isolation between environments
Intrusion DetectionCloud-native IDS/IPS monitoring
WAFWeb Application Firewall for application layer protection

3.3 Physical Security

Google Cloud data centers provide:

  • 24/7 security personnel
  • Biometric access controls
  • Video surveillance
  • Environmental controls (fire suppression, climate control)
  • Redundant power systems

4. Data Security

4.1 Encryption

Data StateEncryption Standard
Data at RestAES-256
Data in TransitTLS 1.3 (minimum TLS 1.2)
Database EncryptionAES-256 with Google-managed keys
Backup EncryptionAES-256
API CommunicationsTLS 1.3 with certificate pinning

4.2 Key Management

  • Encryption keys managed via Google Cloud KMS
  • Automatic key rotation (annual minimum)
  • Separation of key management from data access
  • Hardware Security Module (HSM) backing for sensitive keys

4.3 Data Isolation

Isolation TypeImplementation
Tenant IsolationLogical separation with unique tenant identifiers
Database IsolationRow-level security policies
Storage IsolationSeparate storage containers per tenant
Processing IsolationContainerized workloads

4.4 Data Classification

ClassificationExamplesHandling
PHIMedical records, patient identifiersEncrypted, access-logged, minimum necessary
ConfidentialAttorney work product, case strategiesEncrypted, access-controlled
InternalSystem logs, analyticsEncrypted at rest
PublicMarketing materialsStandard protection

5. Access Control

5.1 Authentication

ControlImplementation
Password RequirementsMinimum 12 characters, complexity requirements
Multi-Factor AuthenticationTOTP, SMS, or hardware key (required for admin)
Single Sign-OnSAML 2.0, OAuth 2.0 (Enterprise)
Session ManagementAutomatic timeout, secure session tokens
Account Lockout5 failed attempts triggers temporary lockout

5.2 Authorization

  • Role-Based Access Control (RBAC): Permissions assigned by role
  • Principle of Least Privilege: Minimum necessary access
  • Segregation of Duties: Critical functions require multiple approvals
  • Regular Access Reviews: Quarterly review of user permissions

5.3 Administrative Access

ControlImplementation
Admin MFARequired for all administrative access
Privileged Access ManagementJust-in-time access, approval workflows
Admin Activity LoggingAll administrative actions logged and monitored
Background ChecksRequired for employees with data access

6. Application Security

6.1 Secure Development Lifecycle (SDLC)

PhaseSecurity Activities
DesignThreat modeling, security requirements
DevelopmentSecure coding standards, peer review
TestingSAST, DAST, dependency scanning
DeploymentInfrastructure as code, immutable deployments
OperationsRuntime protection, monitoring

6.2 Vulnerability Management

ActivityFrequency
Automated Vulnerability ScanningContinuous
Dependency ScanningEvery build
Penetration TestingAnnual (third-party)
Bug Bounty Program[Planned/Active]

6.3 Patch Management

SeverityPatch Timeline
Critical (CVSS 9.0+)24 hours
High (CVSS 7.0-8.9)7 days
Medium (CVSS 4.0-6.9)30 days
Low (CVSS 0.1-3.9)90 days

7. AI Security

7.1 AI Provider Security

Our AI provider (Google) is:

  • Bound by a Business Associate Agreement
  • Contractually prohibited from using customer data for model training
  • Required to delete data after processing
  • Subject to security assessment

7.2 AI-Specific Controls

ControlImplementation
Prompt Injection PreventionInput validation, output filtering
Data Leakage PreventionNo PHI or case content in model training
Output ValidationAutomated review of AI outputs
Audit LoggingAll AI interactions logged

7.3 Model Training Prohibition

PHI, document content, and confidential legal information are NEVER used for AI model training. This is enforced through:

  • Contractual prohibitions with AI providers
  • API configurations that disable training
  • Technical controls preventing data retention

Note: De-identified behavioral signals (classification corrections, quality feedback, usage patterns) may be used for platform improvement. These signals contain no PHI or case content. See Platform Improvement Data Policy for details.

8. Monitoring and Logging

8.1 Security Monitoring

Monitoring TypeCoverage
SIEMCentralized log analysis and alerting
Intrusion DetectionNetwork and host-based IDS
Anomaly DetectionBehavioral analysis for unusual activity
Real-time Alerting24/7 security event notification

8.2 Audit Logging

Log TypeRetentionContent
Authentication Logs6 yearsLogin attempts, MFA events, session activity
Access Logs6 yearsData access, document views, exports
Administrative Logs6 yearsConfiguration changes, user management
API Logs6 yearsAPI calls, request/response metadata
Security Logs6 yearsSecurity events, alerts, incidents

8.3 Log Protection

  • Logs are encrypted at rest and in transit
  • Write-once storage prevents tampering
  • Access to logs is restricted and audited
  • Logs are backed up to separate storage

9. Incident Response

9.1 Incident Response Program

Provider maintains a documented Incident Response Plan including:

  • Incident classification criteria
  • Response team roles and responsibilities
  • Communication procedures
  • Forensic investigation procedures
  • Post-incident review process

9.2 Incident Classification

SeverityDefinitionResponse Time
CriticalConfirmed breach of PHI or confidential dataImmediate
HighPotential breach or significant vulnerability1 hour
MediumSecurity event requiring investigation4 hours
LowMinor security event24 hours

9.3 Breach Notification

In the event of a security incident involving Customer data:

NotificationTimeline
Initial NotificationWithin 24 hours of confirmed breach
Detailed ReportWithin 72 hours
Final ReportWithin 30 days
HIPAA NotificationPer BAA requirements (within 10 days)

10. Business Continuity

10.1 Disaster Recovery

MetricTarget
Recovery Time Objective (RTO)4 hours
Recovery Point Objective (RPO)1 hour
Backup FrequencyContinuous + daily full backup
Geographic RedundancyMulti-region replication

10.2 Business Continuity Testing

  • DR Testing: Conducted annually
  • Tabletop Exercises: Conducted semi-annually
  • Backup Restoration Testing: Conducted quarterly

11. Personnel Security

11.1 Employee Security

ControlRequirement
Background ChecksRequired for all employees with data access
Security TrainingAnnual security awareness training
HIPAA TrainingAnnual HIPAA-specific training
Confidentiality AgreementsRequired for all employees and contractors
Access TerminationSame-day access revocation upon termination

11.2 Vendor Security

Third-party vendors with access to customer data must:

  • Complete security questionnaire
  • Sign confidentiality agreements
  • Maintain appropriate certifications
  • Undergo periodic security review

12. Customer Security Responsibilities

Customers are responsible for:

ResponsibilityDescription
Account SecurityProtecting login credentials, enabling MFA
User ManagementManaging authorized users, prompt deprovisioning
Data ClassificationIdentifying PHI and confidential information
Incident ReportingPromptly reporting suspected security issues
ComplianceEnsuring use complies with applicable law

13. Security Documentation

Upon request, Provider will provide:

DocumentAvailability
SOC 2 Type II ReportUnder NDA
Penetration Test Executive SummaryUnder NDA
Security Questionnaire ResponsesStandard SIG/CAIQ
HIPAA Compliance DocumentationPer BAA
Certificate of InsuranceUpon request

14. Security Contact

PurposeContact
Security Questionssecurity@adjudica.ai
Vulnerability Reportssecurity@adjudica.ai
Security Incident Reportssecurity@adjudica.ai (urgent: [PHONE])
Compliance Inquiriescompliance@adjudica.ai

15. Updates to This Addendum

Provider may update this Security Addendum to reflect improvements to security practices. Material changes will be communicated to Customers with at least 30 days' notice. Updates will not materially reduce security protections during an active subscription term.

This Security Addendum is effective as of [INSERT DATE].

Glass Box Solutions, Inc.