
Security approach
8ai is a cloud-first application that takes data confidentiality and security extremely seriously. That’s why 8ai is transparent about its approach to security, so you can feel safe while using 8ai’s products and services.
Philosophy
8ai follows three principles in regard to security:
Lead industry standards and our competitors in cloud and product security
Always be open and transparent about how 8ai processes, stores, and uses your (and your customers’) data
Use all the latest tools and techniques as a cloud-based product to ensure that all services are up to date.
Who has access to your data
As per 8ai's Privacy Policy, 8ai does not sell or rent your personal information to third parties. Additionally, 8ai does not provide your personal information to your employer without your express permission. 8ai operates under GDPR rules, and only collects the information that is needed to provide a personalised experience unique to each individual.
Where is your data stored and processed
Hosted completely in Microsoft Azure, 8ai leverages Microsoft's industry-leading tools to secure your data. All product data (including personal information) is stored in Azure PostgreSQL Managed databases in SOC2 compliant data centres in Australia. Data in platform databases is encrypted at rest using Azure’s standard tools and replicated to a different Azure availability zone. 8ai automatically and securely makes backups of product data on a frequent basis and retains those backups for up to a year.
How is your data protected
Your data is encrypted at rest in PostgreSQL databases using the FIPS 140-2 validated cryptographic module. Data, including backups, are encrypted on disk, including the temporary files created while running queries. The service uses the AES 256-bit cipher included in Azure storage encryption, and the keys are system managed. Storage encryption is always on and can't be disabled.
All 8ai data is encrypted in transit over public networks using TLS 1.2 with SHA-256 RSA TLS certificates. Traffic is filtered to allow only the ports required for the operation of 8ai, and all network traffic is logged to ensure an adequate security posture. All production servers are protected using Azure Web Application Firewalls on Azure Front Door, which automatically block attack traffic identified by Azure and include DDoS protection.
What infrastructure does 8ai use?
8ai’s entire infrastructure is hosted on Microsoft Azure. 8ai leverages this to achieve global infrastructure uptime, resilience, and scalability - this includes Azure’s monitoring services to dynamically scale required compute resources when needed. Azure provides 24/7 security monitoring of all of 8ai’s infrastructure, including servers, storage resources, and databases.
Since 8ai primarily uses PaaS solutions like Azure Functions, infrastructure-level antivirus or anti-malware installations are managed directly by Microsoft Azure. Azure PaaS offerings are built with extensive security measures, including malware detection and prevention systems that protect the underlying environment from potential threats. This includes continuous monitoring for known vulnerabilities, regular patching, and automatic updates to maintain a secure platform.
How is 8ai designed to be secure
8ai is an API-first platform designed to be accessed securely over the internet from the 8ai web applications. All 8ai data is encrypted in transit over public networks using TLS 1.2 with SHA-256 RSA TLS certificates.
All APIs that can access sensitive data, except certain public endpoints used for end user conversations, require authentication. 8ai’s API uses short-lived JWT token-based authentication schemes managed by Auth0.
Account provisioning and termination are handled through Auth0, which supports seamless onboarding and de-provisioning for administrative users of the 8ai app. When an account is created, role-based permissions are assigned according to the user’s designated access needs, ensuring least-privilege access. Account deactivation or role adjustment occurs immediately upon a user’s departure or role change to maintain security integrity.
8ai employs Microsoft Azure Defender for cloud as its primary Intrusion Detection and Prevention System (IDS/IPS) to monitor and protect its cloud environment.
How often is 8ai updated
8ai aims to release new updates to the web applications frequently, on a weekly basis. All our production releases require manual approval by a senior staff member and are completed seamlessly via a blue/green deployment pattern. In summary, updates to 8ai are an invisible non-event; you should never notice them.
Security within our organisation
To protect endpoints, 8ai mandates that all employee computers have up-to-date antivirus software installed. This antivirus solution runs real-time scans, detects malware, and provides additional protections such as web filtering and phishing protection to secure workstations from threats outside the cloud environment. Regular compliance checks ensure that antivirus protections on employee computers remain active and updated.
8ai utilises Microsoft Azure Active Directory (Azure AD) as its primary Identity and Access Management (IAM) solution for our production infrastructure. Azure AD enables secure authentication and authorization for all users and resources within the organisation. 8ai requires that MFA is used for organisation access where possible.
The resilience of 8ai’s service is vitally important; processes and systems are designed to allow remote disaster recovery and business continuity processes at all times. There are no dependencies on physical assets or locations that 8ai maintains for the operation of our organisation.
Incident management
8ai considers a security incident to be any event that negatively affects the confidentiality, integrity or availability of our customers’ data, 8ai’s data, or 8ai’s services.
Microsoft Azure Defender for cloud provides real-time threat detection and automated response capabilities across 8ai’s Platform-as-a-Service (PaaS) resources, including Azure Functions. It continuously monitors network traffic and resource usage to identify potential intrusions, suspicious activity, and vulnerabilities within the environment. Logs are stored in our Azure Log Analytics workspaces and archived to our Azure storage account.
Incident management plans establish the recommended organisation, actions, playbooks, and procedures needed to recognise, respond to, escalate, and recover from an incident. All incidents are automatically escalated to the CTO for handling.
8ai promises to notify the appropriate individuals, customers, and/or organisations about any significant incident where personal data may have been exposed and/or accessed by an unauthorised third party within 4 hours of detection.
Any security vulnerabilities that are identified in production are raised to 8ai’s executive team. Fixes for most types of vulnerabilities and major issues can be expedited and deployed within an hour.