Flecks Security Practices

Technical and Operational Security Detail

This document describes the technical and operational security practices implemented by Flecks, Inc. (“Flecks”) in connection with the Flecks Platform. It supplements the technical and organizational measures set forth in Annex II to the Flecks Data Protection Agreement (DPA).

This document is updated periodically to reflect the current state of Flecks’ security practices. The most recent version is available at flecks.ai/security or upon request. The contractual commitments governing Flecks’ security obligations are set forth in the DPA; this document provides additional detail for customers and security reviewers.

1. Platform Architecture

1.1 Customer-Isolation Architecture

The Flecks Platform is designed around a customer-isolation model in which each customer’s data is processed and stored within a dedicated logical environment (the “Customer-Isolated Environment”). Flecks personnel do not access customer data in the ordinary course of operating the Platform; access occurs only through documented Authorized Access mechanisms (see Section 4).

1.2 Client-Side Software

The Flecks Client-Side Software runs on customer endpoints and processes telemetry locally on customer systems. Only parsed event-timeline metadata (Security Metadata) is transmitted to the Platform. Raw forensic artifacts such as memory images, disk images, and registry hives are not transmitted to or stored within the Platform.

1.3 Tenant Isolation by Tier

Tenant isolation mechanisms vary by Customer subscription tier:

• Enterprise-tier Customers receive enhanced isolation including dedicated infrastructure resources.
• All tiers use logical separation mechanisms including separate storage buckets, row-level security in the database layer, and partitioned data structures.

2. Encryption

2.1 Encryption at Rest

Customer data is encrypted at rest using AES-256 with per-record salting via pgcrypto. Encryption keys are managed using AWS Key Management Service (AWS KMS). Application secrets, API credentials, and connection strings are managed separately using AWS Secrets Manager.

2.2 Encryption in Transit

All data transmitted between customer endpoints, the Platform, and Platform components is encrypted using TLS 1.3.

2.3 Key Management

Encryption keys are managed within AWS KMS on a per-region basis. Flecks personnel do not have routine operational access to decryption keys outside of automated system operations. Bring Your Own Key (BYOK) management is not currently available but may be offered to Enterprise-tier customers in the future.

3. Access Controls

3.1 Personnel Access

Flecks personnel do not have standing operational access to customer data. Role-based access controls limit access to systems hosting customer data on a need-to-know basis. Multi-factor authentication is required for administrative access. Access rights are reviewed periodically and revoked upon termination.

3.2 Administrative Access

Infrastructure personnel may have technical access to systems hosting customer data through administrative tooling. Such access is scoped to system-level operations and is not intended to involve access to decrypted customer data. Any inadvertent access to decrypted customer data during infrastructure operations is treated as a security event, logged, and included in the next periodic access log report provided to the customer.

3.3 Sub-processor Access

AWS personnel do not have access paths to decrypted customer data. Flecks sp. z o.o. personnel operate under the same no-default-access model as other Flecks personnel; access occurs only through Authorized Access mechanisms with audit logging.

4. Authorized Access Mechanisms

Flecks personnel access to customer data occurs only through the following mechanisms:

4.1 Customer-Created Access

The customer creates a Flecks user account with access privileges and duration defined by the customer.

4.2 Customer Support Request

The customer requests Flecks support requiring data access. As of this document’s effective date, support access is provisioned through customer-initiated temporary user creation. A just-in-time (JIT) access mechanism with explicit approval workflows is in development.

4.3 Audit Request Access

Flecks may access specific customer data to investigate or audit a specific data event in response to a customer request or regulatory inquiry. Such access is scoped to the specific event.

4.4 Maintenance Access

Flecks infrastructure personnel may access systems hosting customer data for Platform maintenance and operational continuity. Such access is scoped to system-level operations and is not intended to involve access to decrypted customer data. Maintenance access is logged. In the event that decrypted customer data is inadvertently accessed during a maintenance activity, such access is treated as a security event, included in the next periodic access log report provided to the customer, and assessed to determine whether Personal Data Breach notification is required.

5. Audit Logging

5.1 Logging of Personnel Access

All Flecks personnel access to customer data is recorded in immutable audit logs, including query-level information regarding what data was accessed.

5.2 Customer Visibility

Customers have visibility into Flecks personnel access events through the Platform’s data explorer interface. Full real-time customer visibility of access logs is targeted for general availability in Q3 2026. Customers may request a report of Flecks personnel access events affecting their data.

6. Data Residency

6.1 Supported Regions

Customer data is stored in the AWS region selected by the customer at Platform configuration. Flecks supports all AWS commercial regions, including regions in the United States, European Union, United Kingdom, Asia-Pacific, and other geographies.

6.2 Data Residency by Category

• Customer security findings, telemetry events, data-lake records, and OCSF-formatted events are stored exclusively in the customer-selected region, with backups also retained in the same region.
• Operational metadata (Platform configurations, asset inventory, use-case definitions, and similar non-content metadata) may be replicated across regions to support availability and disaster recovery. Such operational metadata is encrypted and is not intended to contain Customer Personal Data.
• Third-party tool configurations integrated with the Platform are stored encrypted and may be replicated multi-region.

7. Incident Detection and Response

7.1 Detection Capabilities

Flecks maintains automated security monitoring and incident detection capabilities designed to identify unauthorized access to Customer-Isolated Environments and other security events affecting the Platform.

7.2 Response Procedures

Flecks maintains documented incident response procedures including triage, investigation, containment, and notification of security events. The incident response plan is tested at least annually.

8. AI and Machine Learning

8.1 No Training on Customer Data

Flecks does not use customer data to train, fine-tune, or improve generally applicable AI or ML models. AI and ML models within the Platform analyze customer data for security purposes (threat detection, anomaly detection, output generation) within Customer-Isolated Environments. Customer data is not incorporated into models used for other customers.

8.2 Third-Party AI Services

Flecks uses AWS Bedrock (AWS Nova model family) for generative AI inference to generate natural-language summary descriptions from Aggregated Data. AWS Bedrock is configured with zero data retention, meaning no input or output data is retained by AWS following completion of an inference request. Aggregated Data sent to AWS Bedrock does not include customer-identifying information (customer names, usernames) or Personal Data. AWS Bedrock is part of the existing AWS sub-processor relationship and is listed in Annex III to the DPA.

9. Certifications and Audits

Flecks is pursuing SOC 2 Type II and ISO 27001 certifications. Customers may request the most recent summary audit reports upon execution of an appropriate confidentiality agreement.

10. Sub-processors and Internal Telemetry

The current list of authorized Sub-processors is set forth in Annex III to the DPA. This includes Amazon Web Services (infrastructure and AWS Bedrock AI inference), Flecks sp. z o.o. (affiliate operations and support), Google LLC (Google Workspace, for internal email and document collaboration), and Atlassian Pty Ltd (Jira Service Management, for support ticketing and Data Subject Rights workflows). Flecks operates internal telemetry collection using OpenTelemetry (OTEL) infrastructure. This infrastructure is operated by Flecks and is not provided by a third-party service.

11. Vulnerability Management

Flecks performs regular vulnerability scanning of production systems with remediation prioritized by severity. Annual penetration testing is conducted by qualified independent third parties, with remediation tracked to closure. Secure development lifecycle controls including code review, static analysis, dependency scanning, and security testing are applied prior to production release.

12. Physical Security

Customer data is hosted in AWS data centers, which maintain SOC 2, ISO 27001, and other recognized physical security certifications. AWS data center physical security is described in AWS’ publicly available compliance documentation.

13. Business Continuity

Backup and recovery procedures are designed to support continuity of the Platform. Recovery objectives are documented and tested. Backups of Customer security findings, telemetry events, and data-lake records are retained within the Customer-selected region.

14. Updates

Flecks may update this document from time to time to reflect changes in security practices, technical implementations, or organizational measures. Material updates that affect customer protections will be communicated through Flecks’ customary customer notification channels. The contractual commitments governing Flecks’ security obligations are set forth in the DPA; this document provides current implementation detail and does not modify the DPA.