Information Security Policy

Effective Date: April 18, 2026

Buji Development Corporation, doing business as Agent Midas, maintains this Information Security Policy to protect the confidentiality, integrity, and availability of all data processed through the Agent Midas platform. This policy operationalizes the security commitments made in our Terms of Service (Section 6), Privacy Policy (Section 4), and Data Processing Addendum (Sections 4 and 8).

1. Scope

This policy applies to all information assets owned, operated, or managed by the Company, including: production infrastructure, development environments, subscriber data, source code, internal communications, employee devices, and all third-party services integrated with the Agent Midas platform.

2. Data Classification

Confidential: Subscriber personal data (PII), payment information, API keys, OAuth tokens, subscriber Dossiers, RAG documents, CRM data, meeting transcripts, financial records, and legal documents. Access restricted to authenticated subscribers (own data only) via row-level security.

Internal: Source code, system architecture documentation, internal communications, deployment configurations, encryption keys, and incident reports. Access restricted to authorized personnel.

Public: Marketing materials, published blog posts, podcast episodes, public MidasCard profiles, course landing pages, and API documentation. Accessible without authentication.

3. Access Controls

3.1 Authentication

All subscriber access requires email-based authentication with secure password hashing. Administrative access to production systems requires SSH key-based authentication. Multi-factor authentication is enforced for all administrative and infrastructure access. Session tokens expire after 24 hours of inactivity.

3.2 Authorization

The Agent Midas platform enforces row-level security (RLS) at the database layer as described in our Terms of Service, Section 6.1. Every database query is scoped to the authenticated subscriber. Application-level authorization checks validate subscriber identity and tier permissions on every API request. No subscriber can access another subscriber's data under any circumstance.

3.3 Principle of Least Privilege

Personnel and systems are granted the minimum level of access necessary to perform their functions. Production database access is limited to the service role (automated) and the Incident Commander (emergency). Development environments use separate credentials from production. Source code access is controlled through GitHub with branch protection rules and CODEOWNERS file enforcement.

4. Encryption Standards

4.1 Data in Transit

All data in transit is encrypted using TLS 1.2 or higher, as specified in our Terms of Service (Section 6.2) and DPA (Section 4.2). HTTPS is enforced on all public endpoints via Cloudflare with HSTS enabled (max-age 6 months, includeSubDomains, preload). HTTP Strict Transport Security instructs browsers to refuse plaintext HTTP connections to the domain, which prevents protocol downgrade attacks.

4.2 Data at Rest

All subscriber data at rest is encrypted using AES-256 encryption as specified in our Terms of Service (Section 6.2). API keys and third-party credentials stored by subscribers are encrypted using AES-256-GCM with per-subscriber encryption keys. Database backups are encrypted and access-restricted. Encryption keys are managed through a dedicated key management process with regular rotation.

5. Network Security

The Agent Midas production infrastructure is protected by multiple network security layers: Cloudflare Web Application Firewall (WAF) with managed rulesets and OWASP Core Rule Set, Cloudflare DDoS protection, rate limiting on API endpoints (100 requests per 10 seconds per IP), Bot Fight Mode blocking automated attacks, browser integrity checking, and private networking between internal services. Database servers are not directly accessible from the public internet. Internal services communicate over private networks with strict firewall rules as specified in our Privacy Policy, Section 4.4.

6. Application Security

The Agent Midas codebase follows secure development practices: all code changes require peer review through GitHub pull requests with CODEOWNERS approval, automated static analysis and dependency auditing run on every commit, input validation and parameterized queries prevent injection attacks, Content Security Policy headers mitigate cross-site scripting, and CSRF protection is enforced on all state-changing endpoints. The SENTINEL fraud detection suite (SENTINEL-PAY rule engine + SENTINEL-AI behavioral scoring) monitors all financial transactions for anomalous patterns.

7. AI-Specific Security

As specified in our Privacy Policy (Section 10) and DPA (Section 8), subscriber data processed through AI models is subject to additional protections: no subscriber data is used for AI model training by the Company or any sub-processor, AI inputs are minimized to only necessary data, AI outputs containing personal data are not retained beyond service delivery, and all AI sub-processors (Anthropic, OpenAI, Google Cloud) are contractually bound to refrain from using subscriber data for model training. The Company is actively deploying Harpocrates, a private LLM infrastructure, to further isolate subscriber data from third-party AI providers.

8. Physical and Environmental Security

Agent Midas infrastructure is hosted on DigitalOcean and Cloudflare, both of which maintain SOC 2 Type II certifications and comprehensive physical security controls at their data centers, including biometric access controls, 24/7 surveillance, environmental monitoring, redundant power and cooling, and fire suppression systems.

9. Business Continuity

The Agent Midas platform employs multi-AI redundancy as described in our Terms of Service (Section 6.3). If one AI provider experiences downtime, requests are automatically routed to an alternate provider. Database backups are performed regularly with encrypted offsite storage. The Company targets 99% monthly uptime as specified in our Terms of Service (Section 7.1), with defined service credit provisions for failures.

10. Employee Security

All personnel with access to subscriber data or production systems are bound by confidentiality obligations as specified in our DPA (Section 4.3). Security awareness training is provided to all personnel. Access is revoked immediately upon termination of employment or contractor engagement. Background checks are conducted for personnel with administrative access to production systems.

11. Vendor and Sub-Processor Management

All third-party sub-processors are vetted for security compliance before engagement and are bound by data processing agreements with protections no less stringent than those in our DPA. The current authorized sub-processor list is maintained in DPA Section 5.2 and includes: Stripe, Supabase, Vercel/DigitalOcean, Anthropic, OpenAI, Google Cloud, Twilio, Cloudflare, Plaid, Sentry, and PostHog. Changes to sub-processors require 30-day advance notice to subscribers as specified in DPA Section 5.3.

12. Compliance Framework

Agent Midas maintains compliance with: GDPR (for EEA/UK/Swiss subscribers), CCPA/CPRA (for California residents), Colorado AI Act (SB 24-205), EU AI Act (Regulation 2024/1689), NIST AI Risk Management Framework (AI RMF 1.0), PCI DSS (via Stripe — no card data stored), and Plaid security standards for financial data integration. Detailed compliance disclosures are provided in our Terms of Service (Section 10) and Privacy Policy (Sections 8, 9, and 13).

13. Policy Review

This Information Security Policy is reviewed and updated annually, or upon significant changes to infrastructure, threat landscape, or regulatory requirements. All revisions are documented and communicated to relevant personnel.

Buji Development Corporation

1712 Pioneer Ave. Ste. 500, Cheyenne, WY 82001

Email: [email protected] | Phone: (561) 571-2646 | Web: agentmidas.ai (also accessible at agentmidas.xyz)

Agent Midas completed a Google CASA (Cloud Application Security Assessment) Tier 2 Static Application Security Testing (SAST) assessment in April 2026, conducted by TAC Security via the ESOF AppSec ADA framework. The assessment achieved an ESOF Cyber Score of 9.7/10.0 (Low Risk classification) covering OWASP Top 10, injection flaws, authentication weaknesses, and access control. Agent Midas is reassessed annually.