
Security

At NegotiateAI, the security and confidentiality of our customers’ data is our highest priority.

We follow industry-leading standards to ensure that our systems, infrastructure, and processes meet or exceed SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality.

Organizational Security

Information Security Program

NegotiateAI maintains a documented Information Security Program aligned with the SOC 2 framework developed by the American Institute of Certified Public Accountants (AICPA).

This program governs how we protect information across people, processes, and technology and is communicated throughout the organization.

Third-Party Audits

We undergo independent third-party SOC 2 Type II audits to validate the design and operating effectiveness of our controls related to data security, availability, and confidentiality.

Third-Party Penetration Testing

We engage an independent security firm to conduct annual penetration tests of our platform and cloud environment. Findings are reviewed, prioritized, and remediated promptly to maintain a strong security posture.

Roles and Responsibilities

Security roles and responsibilities are clearly defined and documented.

All NegotiateAI team members must review and acknowledge our security policies and code of conduct as part of onboarding and annually thereafter.

Security Awareness Training

All employees and contractors complete security awareness training at hire and at least annually thereafter, covering topics such as phishing, social engineering, secure data handling, and password management.

Confidentiality

Every team member signs a Confidentiality and Intellectual Property Agreement prior to their first day of work and is required to adhere to all related policies.

Background Checks

We perform pre-employment background checks on all employees in accordance with applicable local laws and regulations.

Data Hosting Security

All application data is stored in secure PostgreSQL and Snowflake databases hosted on GCP within the United States.

Our hosting providers manage physical security, redundancy, and environmental controls in accordance with industry best practices.

Vulnerability Scanning

We perform automated vulnerability scanning on our infrastructure and dependencies and continuously monitor for new security advisories and threats.

Logging and Monitoring

Comprehensive logging, monitoring, and alerting are implemented across production systems to detect unauthorized or anomalous activity.

Security logs are retained and reviewed as part of our continuous monitoring process.

Business Continuity & Disaster Recovery

We leverage GCP’s redundant and resilient infrastructure to mitigate downtime and data loss.

Automated backups of databases are taken daily and retained in accordance with our retention policy.

We maintain a Business Continuity and Disaster Recovery Plan (BC/DR) that is reviewed and tested at least annually.

Incident Response

NegotiateAI maintains a formal Incident Response Plan to ensure quick identification, escalation, containment, and remediation of any security event.

All incidents are logged, reviewed by management, and communicated to affected customers as required by law or contract.

Access Security

Permissions and Authentication

Access to production systems and sensitive data is role-based and limited to authorized personnel whose job functions require it.

All access is protected by Single Sign-On (SSO) and Multi-Factor Authentication (MFA).

Least-Privilege Access Control

We adhere to the principle of least privilege, so that each employee has only the minimum access their role requires.

Quarterly Access Reviews

We perform quarterly access reviews to validate that all system access remains appropriate.

Password Requirements

All users must comply with strong password requirements and rotate credentials regularly.

Password Managers

All company-issued devices use a password manager (e.g., 1Password) to store and manage credentials securely.

Vendor & Risk Management

Annual Risk Assessments

NegotiateAI conducts annual risk assessments to identify and address potential threats to our business, technology, and data.

Risks are documented, tracked, and mitigated through our security program.

Vendor Risk Management

We maintain a formal Vendor Management Policy.

Each new vendor undergoes a security and privacy review prior to engagement.

Vendors with access to company or customer data must meet security requirements equivalent to our own and sign appropriate data protection agreements.

Contact Us

If you have any questions about NegotiateAI’s security practices or would like to report a potential security issue, please contact us at:

📧 security@negotiateai.co

📬 NegotiateAI, Inc.

548 Market St,

San Francisco, CA 94104 USA
