Security Policy

Effective: [DATE]

At DBR77, security is foundational to everything we build. The IRIS AI-Native Plant Operating System handles critical industrial data, and we treat the protection of that data with the highest level of care. This Security Policy outlines the technical and organizational measures we implement to safeguard the IRIS platform and the data entrusted to us by our customers.

1. Our Commitment

We are committed to maintaining the confidentiality, integrity, and availability of the IRIS platform and all Customer Data. Our security program is built on the principles of defense in depth, least privilege, and continuous improvement. We invest in security at every layer — from infrastructure and application design to employee training and incident response.

2. Infrastructure Security

IRIS is hosted on enterprise-grade cloud infrastructure with the following safeguards:

  • Cloud hosting: production workloads run on SOC 2- and ISO 27001-certified cloud providers with data centers in the EU and the United States.
  • Network security: virtual private clouds (VPCs) with network segmentation, firewalls, intrusion detection systems (IDS), and DDoS protection.
  • Redundancy: multi-availability-zone deployments with automated failover to ensure high availability and disaster recovery.
  • Backups: automated, encrypted backups performed daily with point-in-time recovery capability. Backups are stored in geographically separate locations and tested regularly.
  • Container security: containerized workloads with image scanning, runtime protection, and immutable infrastructure practices.

3. Data Encryption

  • In transit: all data transmitted between clients and the IRIS platform is encrypted using TLS 1.2 or higher (TLS 1.3 preferred). We enforce HSTS and use strong cipher suites.
  • At rest: all Customer Data stored in databases, file storage, and backups is encrypted using AES-256 encryption. Encryption keys are managed through a dedicated key management service (KMS) with automatic key rotation.
  • Secrets management: API keys, credentials, and other secrets are stored in encrypted vaults and never committed to source code repositories.

4. Access Control

  • Authentication: JWT-based authentication with support for multi-factor authentication (MFA) and enterprise single sign-on (SSO) via SAML 2.0 and OpenID Connect.
  • Authorization: role-based access control (RBAC) with granular, field-level permissions. Customers can define custom roles tailored to their organizational structure.
  • Multi-tenancy: strict tenant isolation with row-level security policies ensuring that each customer's data is logically separated and inaccessible to other tenants.
  • Least privilege: internal access to production systems follows the principle of least privilege. Access is granted on a need-to-know basis, reviewed quarterly, and revoked promptly upon role change or departure.
  • API security: API key management with rate limiting, IP allowlisting, and OAuth 2.0 scoped tokens for third-party integrations.

5. Monitoring & Logging

  • Audit logging: comprehensive audit trails capture all user actions, administrative operations, and system events. Logs are immutable and retained for a minimum of 12 months.
  • Real-time monitoring: continuous monitoring of infrastructure, application performance, and security events with automated alerting for anomalies and potential threats.
  • SIEM integration: security events are aggregated in a Security Information and Event Management (SIEM) system for correlation, analysis, and threat detection.
  • Uptime monitoring: 24/7 synthetic monitoring of all critical service endpoints with automated escalation procedures.

6. Incident Response

We maintain a formal incident response plan that is tested and updated regularly. Our incident response process includes:

  • Detection: automated detection through monitoring, alerting, and anomaly detection systems.
  • Triage: incidents are classified by severity (P1–P4) and assigned to the appropriate response team.
  • Containment: immediate actions to contain the incident and prevent further impact.
  • Notification: affected customers are notified without undue delay and no later than 72 hours after becoming aware of a personal data breach, in accordance with GDPR Article 33. Notifications include the nature of the breach, likely consequences, and measures taken.
  • Remediation: root cause analysis, system remediation, and implementation of preventive measures.
  • Post-incident review: documented lessons learned and process improvements following every significant incident.

7. Penetration Testing & Vulnerability Management

  • External penetration testing: independent third-party penetration tests are conducted at least annually. Results and remediation plans are available to enterprise customers upon request under NDA.
  • Automated vulnerability scanning: continuous automated scanning of infrastructure, dependencies, and container images for known vulnerabilities.
  • Dependency management: automated monitoring of third-party libraries and dependencies for security advisories, with critical patches applied within 48 hours.
  • Secure development lifecycle: security reviews, code analysis, and threat modeling are integrated into our development process. All code changes undergo peer review before deployment.

8. Compliance & Certifications

We align our security program with recognized industry standards and frameworks:

  • ISO 27001: our information security management system (ISMS) is aligned with ISO/IEC 27001 requirements. Certification status: [TO BE FILLED].
  • SOC 2 Type II: we are pursuing SOC 2 Type II certification covering security, availability, and confidentiality trust service criteria. Certification status: [TO BE FILLED].
  • IEC 62443: as an industrial automation platform, IRIS is designed with consideration for IEC 62443 (Industrial Automation and Control Systems Security) requirements, supporting customers in meeting their own compliance obligations.
  • GDPR: full compliance with the EU General Data Protection Regulation, including data protection by design and by default.

Copies of certifications and audit reports are available to enterprise customers upon request under NDA. Contact security@dbr77.com for details.

9. Responsible Disclosure

We welcome and appreciate responsible disclosure of security vulnerabilities. If you discover a potential security issue in the IRIS platform, please report it to us so we can address it promptly.

How to report: send a detailed report to security@dbr77.com. Please include:

  • A description of the vulnerability and its potential impact.
  • Steps to reproduce the issue.
  • Any proof-of-concept code or screenshots, if available.
  • Your contact information for follow-up.

Our commitment to reporters:

  • We will acknowledge receipt of your report within 48 hours.
  • We will provide regular updates on the status of the investigation and remediation.
  • We will not take legal action against researchers who report vulnerabilities in good faith and comply with this policy.
  • We ask that you do not publicly disclose the vulnerability until we have had a reasonable opportunity to address it (typically 90 days).
  • We ask that you do not access, modify, or delete data belonging to other users during your research.

10. Contact

For security-related inquiries, vulnerability reports, or to request compliance documentation:

Security Team
Email: security@dbr77.com

DBR77 Sp. z o.o.
ul. Legnicka 55, 54-203 Wrocław, Poland