Trust & Security
AlphaGen Holdings Limited ("AlphaGen")
Companies House no. 17084844 — registered in England and Wales
Effective date: 2026-04-27
Version: 1.0.0
Contact: security@alpha-gen.ai (incidents) ·
trust@alpha-gen.ai (programme questions)
This page summarises AlphaGen's security and trust posture. It
is the public-facing companion to the internal **Information
Security Policy** and the technical-and-organisational measures
(TOMs) annexed to the Data Processing Addendum.
Enterprise customers can request the full security pack
(architecture diagrams, control matrix, audit reports) via NDA.
---
1. Architecture overview
AlphaGen runs on a multi-cloud, region-pinned infrastructure.
A Customer's data is processed only in the region(s) declared on
their Order Form (UK, EU, or — by exception — US). Cross-region
processing requires explicit Customer authorisation.
The system is composed of:
- A Pass 0 redaction pipeline that removes faces, voice, OCR
text, license plates, and screens from raw video before any
downstream component (or any human) sees the content.
- A detection / propagation pipeline built on a private
fork of the open Cutie / XMem / SAM3 mask-propagation engines,
hardened for production.
- A world-state synthesis layer that calls third-party LLMs
(Anthropic Claude, OpenAI GPT) under contract with the
customer-data-not-used-for-training clause.
- A HITL platform (web dashboard + mobile app) where vetted
operators correct mistakes and improve the models.
- A per-customer LoRA fine-tuning system that lets each
Customer's domain-specific corrections improve their own
models without leaking corrections to other Customers.
For a comprehensive technical architecture, see
docs/architecture.md.
---
2. Encryption
| Layer | Algorithm | Key management |
|---|---|---|
| Data at rest (object storage, databases, backups) | AES-256-GCM | AWS KMS / GCP KMS by default; Customer-managed keys (HYOK) available on Enterprise tier |
| Data in transit (external) | TLS 1.2+ (TLS 1.3 preferred) | Public CA certificates, automated rotation |
| Data in transit (internal cluster) | mTLS | Internal CA, certificates rotated every 30 days |
| Database column-level (audit logs, hashed identifiers) | Application-layer AEAD | Per-tenant key isolation |
| Backups | AES-256-GCM | Same KMS as primary, separate key alias for rotation |
We do not store raw Customer footage unencrypted at any
stage of the pipeline.
---
3. Access control
3.1 Authentication
- All operator and developer accounts require **multi-factor
authentication** with TOTP or hardware-backed WebAuthn.
- AlphaGen staff use SSO via the corporate identity provider
(Okta / Microsoft Entra ID) with mandatory MFA.
- Service-to-service authentication is via short-lived
workload-identity tokens; long-lived secrets are not used in
production.
3.2 Authorisation
- Role-based access control (RBAC) with least-privilege
defaults at every layer.
- **Customer Personal Data is not accessible to AlphaGen staff
by default.** Engineers do not have standing read access to
production data. Break-glass access requires:
1. A documented incident or support ticket;
2. Approval by an on-call manager;
3. Time-boxed (≤4 hours) elevated session;
4. Full audit-log entry visible to the Customer on request.
- HITL operators see pixels only. Subject identifiers are
joined server-side; the operator never receives a real name,
email, or other direct identifier.
3.3 Audit
Every privileged action — login, configuration change,
break-glass access, sub-processor change, deletion, export — is
recorded in a cryptographically chained audit log. The chain
is hashed daily; tampering is detectable. Audit log access is
restricted to the DPO, the Head of Security, and named auditors.
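A sketch of how a hash-chained audit log makes tampering detectable, added here as an illustration and not AlphaGen's implementation. The record fields, the use of SHA-256, the genesis value, and the function names are all assumptions; the out-of-band checkpoint stands in for the daily hash of the chain.

```python
import hashlib
import json

GENESIS = "0" * 64  # assumed prev_hash for the first entry


def _digest(prev_hash, event):
    # Canonical JSON so an event always hashes to the same bytes.
    body = json.dumps(event, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256((prev_hash + body).encode("utf-8")).hexdigest()


def append(log, event):
    """Append an event bound to the previous entry's hash."""
    prev_hash = log[-1]["hash"] if log else GENESIS
    log.append({"event": event, "prev_hash": prev_hash,
                "hash": _digest(prev_hash, event)})


def checkpoint(log):
    """Head hash to store out of band, e.g. once a day."""
    return log[-1]["hash"] if log else GENESIS


def verify(log, expected_head=None):
    """Return -1 if intact, else the index of the first bad entry.

    With expected_head set, a self-consistent chain that does not end at
    the checkpoint (truncated or rebuilt) is reported as len(log).
    """
    prev_hash = GENESIS
    for i, entry in enumerate(log):
        expected = _digest(prev_hash, entry["event"])
        if entry["prev_hash"] != prev_hash or entry["hash"] != expected:
            return i
        prev_hash = entry["hash"]
    if expected_head is not None and prev_hash != expected_head:
        return len(log)
    return -1


def build_sample_log():
    # Constructed sample events, not real audit data.
    log = []
    for action in ("login", "break-glass access", "export"):
        append(log, {"actor": "engineer-1", "action": action})
    return log
```

An in-place edit is caught by the chain itself; dropping trailing entries is only caught by comparing against a checkpoint held where the log writer cannot alter it.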
---
4. Data lifecycle
| Phase | Behaviour |
|---|---|
| Ingest | Customer uploads raw video over TLS. Pass 0 runs in a sandboxed compute environment with no outbound network access except to the encrypted object store. |
| Redaction | Faces, voice, OCR text, license plates, and screens are blurred / masked / replaced before storage. The redaction manifest is signed and audit-logged. |
| Storage | Redacted footage is encrypted at rest. Raw footage is deleted within 30 minutes of successful Pass 0 (default; configurable per consent scope). |
| Processing | Detection / propagation / synthesis run on the redacted footage. No production component touches raw footage. |
| HITL | Operators see redacted pixels. Server-side subject linkage joins corrections to the data subject for downstream consent enforcement. |
| Export | Customer exports go through the Customer's authenticated session; export events are logged. Export region matches the Customer's pinned processing region by default. |
| Deletion | A delete instruction cascades to every store, cache, log pipeline, and backup tombstone. Backup tombstones cycle out within 90 days. |
---
5. Network and infrastructure security
- Edge: DDoS protection (Cloudflare or equivalent), rate
limiting, WAF rules tuned for our API surface.
- Network segmentation: public / private / restricted
subnets; production databases are not internet-accessible;
egress filtering on each compute tier.
- Bastion-less access: AlphaGen engineers connect to
production via a zero-trust proxy (Tailscale / Cloudflare
Access) with device-posture checks; no SSH keys distributed
to laptops.
- Vulnerability management: automated container-image
scanning on every build; weekly dependency-update PRs;
critical CVEs patched within 24 hours of vendor patch
availability, high CVEs within 7 days.
- Secret management: secrets in HashiCorp Vault; never in
source code, never in container images.
---
6. Software supply chain
- All production code is signed and built reproducibly through
CI.
- Third-party dependencies are pinned and scanned (SCA via
Snyk / Dependabot equivalent) on every build.
- A signed SBOM is produced for each release and stored
alongside the release artefact.
- Container base images are sourced from distroless or hardened
upstreams; updated on a fixed cadence.
---
7. Incident response
AlphaGen operates a 24/7 on-call rota for security and
availability incidents. The runbook is at the internal
docs/legal/privacy/operational/breach-playbook.md and includes:
- Classification: P0 (data breach / outage) → P3 (low-impact
bug) with response time SLAs.
- Containment: stop-the-bleed actions per incident type.
- Forensics: evidence-preservation steps for legal hold.
- Notification: Customer notification within 48 hours of
any Personal Data Breach affecting Customer Personal Data
(per DPA §4.5). Regulator notification per Article 33 UK GDPR.
- Post-mortem: blameless review; root-cause and corrective
actions tracked through to closure.
External vulnerability reports are welcomed at
security@alpha-gen.ai; we do not currently operate a paid bug
bounty but do publicly thank reporters in our security advisory
feed.
---
8. Resilience and continuity
- Backup cadence: continuous WAL streaming + daily encrypted
snapshots of the primary database; weekly + monthly snapshots
retained per regulatory horizon.
- Restore testing: quarterly full-restore drill into an
isolated staging environment; restore time objective (RTO) ≤
4 hours, recovery point objective (RPO) ≤ 15 minutes for the
primary tier.
- Multi-AZ: production runs across at least two availability
zones in each region.
- Failover region: pre-warmed for the EU and UK regions;
US is cold-standby on default Order Forms.
- Business continuity plan: annually rehearsed; covers
scenarios from individual-component failure through full
region loss.
---
9. Compliance and certification
| Programme | Status |
|---|---|
| UK GDPR / EU GDPR | Fully implemented; DPO appointed; RoPA maintained. See Privacy Policy. |
| Cyber Essentials Plus (UK NCSC) | Targeted for 2026 Q3. |
| ISO/IEC 27001:2022 | Roadmap to certification 2027 Q2; gap-analysis complete; SOA in draft. |
| SOC 2 Type II (AICPA) | Type I targeted 2026 Q4; Type II 2027 Q3. |
| HIPAA | Available under signed BAA for healthcare Customers; AlphaGen is not currently HIPAA-listed by HHS. |
| Modern Slavery Act 2015 | Modern Slavery Statement published voluntarily; AlphaGen is below the £36 m statutory threshold. |
| DMCC Act 2024 | AI Transparency page published; no live chatbot at the time of writing. |
| WCAG 2.2 AA | Accessibility Statement — partially conformant pending advanced-visualisation remediation. |
The current attestation status is dated below; refer to the
audit report when available.
---
10. Sub-processors
The current list is at
docs/legal/privacy/subprocessors.md. We notify Customers of
new sub-processors at least 30 days in advance. Customers can
object to a new sub-processor on reasonable data-protection
grounds; if no mitigation can be agreed, the affected Order Form
may be terminated for convenience under the Master Agreement.
---
11. Customer-managed controls
Enterprise Customers can opt into:
- Customer-managed encryption keys (HYOK): Customer holds
the KMS root; AlphaGen wraps data keys under that root. Key
revocation cuts off AlphaGen access immediately.
- Region pinning: processing restricted to UK or EU only;
cross-region failover requires explicit consent.
- Sub-processor restriction: Customer can pre-approve a
subset of the sub-processor list (e.g. Anthropic only, no
OpenAI).
- No-training clause: Customer Data is never used for any
cross-Customer model training; opt-in only at the Customer's
discretion (see Responsible AI Policy).
- Data-residency attestation: quarterly report demonstrating
that no Customer Personal Data left the pinned region(s) in
the last quarter.
---
12. Personnel security
- Background checks (BPSS-equivalent or higher for staff
with privileged access) on hire.
- Annual security training, reinforced with role-based
modules (developer secure-coding, DPO data-protection
refresher, on-call incident-response drills).
- Joiner / mover / leaver procedure documented and audited;
access is provisioned least-privilege at start and revoked
within 1 business hour of departure.
- Confidentiality agreements signed by every staff member
with access to production data or Customer Personal Data.
---
13. Reporting and disclosure
We publish:
- Security advisories for any vulnerability we patch that
could materially affect Customer security, including a CVE
ID where applicable, on a dedicated advisory feed.
- Incident retrospectives for any Customer-impacting P0/P1
incident, on the same feed (subject to legal review for
ongoing matters).
- Quarterly trust report with high-level metrics (MFA
coverage, CVE patch SLAs, sub-processor changes).
---
14. Contact
- Reporting a vulnerability:
security@alpha-gen.ai (PGP key
on the website's /security.txt).
- Customer security questions:
trust@alpha-gen.ai (we
reply within 5 business days).
- Emergency / suspected breach affecting your data:
`security@alpha-gen.ai` with subject "URGENT — Personal Data Breach"
triggers our 24/7 on-call.
---
Document control
| Version | Date | Author | Notes |
|---|---|---|---|
| 1.0.0 | 2026-04-27 | AlphaGen Security & Legal | Initial publication. Public summary; Enterprise customers receive full pack under NDA. |