Security Program
Our Security Philosophy
Security at ACME is not an afterthought — it is embedded at every layer of our cognitive stack. From the neural substrate to the interface layer, each component is designed with a zero-trust architecture and continuous threat monitoring.
We apply defense-in-depth across all systems, with particular focus on the unique threat surface presented by autonomous AI agents operating in production environments.
Infrastructure Security
- Zero-trust network architecture — no implicit trust between components
- End-to-end encryption — all data in transit uses TLS 1.3+; all data at rest is AES-256 encrypted
- Hardware security modules (HSM) — for cryptographic key management
- Isolated agent sandboxes — each deployed agent operates in a separate compute environment
- Continuous threat detection — real-time anomaly detection on all system telemetry
AI-Specific Security
Operating autonomous AI agents introduces unique security considerations. ACME's approach includes:
- Prompt injection defense — multi-layer filtering to prevent adversarial inputs from hijacking agent behavior
- Action boundary enforcement — agents operate within explicitly defined action spaces with no implicit capability expansion
- Real-time alignment monitoring — every agent action is scored against alignment criteria before execution
- Audit trail — immutable, append-only logs of all agent decisions and actions
- Kill switch protocol — any agent can be halted within 50ms if anomalous behavior is detected
Vulnerability Disclosure
ACME operates a responsible disclosure program. If you discover a security vulnerability in any ACME system, we ask that you:
- Report it promptly to contactus#openingo.org with subject line [SECURITY]
- Provide sufficient detail to reproduce the issue
- Allow ACME reasonable time to investigate and remediate before public disclosure
- Avoid accessing, modifying, or deleting data beyond what is necessary to demonstrate the vulnerability
We commit to acknowledging valid reports within 48 hours and providing a remediation timeline within 7 business days.
Compliance
ACME maintains compliance with the following frameworks and regulations:
- SOC 2 Type II (annual audit)
- ISO 27001 certified
- GDPR (EU data protection)
- CCPA (California consumer privacy)
- EU AI Act (high-risk AI system requirements)
Contact
Security inquiries: contactus#openingo.org
Subject line: [SECURITY]