# Aither — Security Policy **Last reviewed:** 11 May 2026 · **Version:** 1.0 · **Owner:** Max Geurtsen (max@aithergrowth.com) Aither is a one-person Dutch AI automation studio (KvK 99470160, Rotterdam). We are not directly in scope of NIS2 (Directive 2022/2555), but we operate aligned with NIS2 controls so that clients in regulated sectors (energy, transport, banking, healthcare, public administration, digital infrastructure, ICT-service-management, postal, waste, food, manufacturing of critical products) can engage us as a sub-processor without a procurement red-flag. This policy is public so prospective clients can review it without an NDA. ## 1. Scope This policy covers all systems Aither operates to deliver client work: - Production website (`aithergrowth.com`) hosted on Vercel (EU edge) - API routes (`/api/*`) running as serverless functions - Customer database (Supabase, EU region) for course progress and account data - Email infrastructure (Brevo for transactional + lead routing) - Source code (private GitHub repository) - Operator workstation (MacBook with FileVault, hardware security key) Client systems Aither builds **always** live in the client's own cloud accounts. Aither does not host or take custody of client production data outside of the engagement window. ## 2. Risk management (NIS2 Art. 21.2.a) - Annual risk assessment in May using the OWASP Top 10 + STRIDE for new features. - Threat model documented per major release in `docs/threat-models/`. - Critical risks tracked in a private GitHub issue with the `security` label until mitigated. - Quarterly review of sub-processor risk register (see SUB-PROCESSORS.md). ## 3. Incident handling (NIS2 Art. 21.2.b) See `INCIDENT-RESPONSE.md` for the runbook. Key timelines: - **Detection** — Vercel Logs + Sentry-style error capture + Better Stack uptime monitor (5-min checks) - **Acknowledge** — within 2 hours during NL business hours, within 12 hours otherwise - **Initial mitigation** — within 24 hours of confirmed impact (NIS2 early-warning equivalent) - **Customer notification** — within 24 hours for any incident touching customer data; written report within 72 hours - **Post-mortem** — published to clients within 30 days, sanitised version added to security page ## 4. Business continuity (NIS2 Art. 21.2.c) - **Source code**: GitHub (with mirrors in client repos for delivered builds). Recovery test quarterly: clone fresh + boot dev server within 30 minutes. - **Customer data**: Supabase Point-in-Time Recovery enabled (7-day window). Backup restore tested quarterly to a staging instance. - **Email**: Brevo provides 99.9% SLA; fallback to direct mailto in critical chat flows (already implemented). - **Bus-factor**: Max is one person. Mitigation: - All client source goes to client's GitHub from day one (no Aither-owned production code at client side) - All client infra runs in client cloud accounts (Aither has no production credentials of theirs after handover) - Runbooks per delivered system are documented so a competent engineer can take over within 1-2 weeks - Aither's own systems are documented in `RECOVERY.md` so a designated successor can resume operations ## 5. Supply chain security (NIS2 Art. 21.2.d) - Public sub-processor list in `SUB-PROCESSORS.md`, reviewed quarterly - All sub-processors must hold their own DPA (signed copies on file) - Sub-processors must operate in EU data centres for any EU customer data, with the only documented exception being ElevenLabs voice synthesis (US-only, used for non-personal voice replies; no PII transmitted) - New sub-processor onboarding requires written security review; recorded in `vendor-reviews/` ## 6. Network and information system security (NIS2 Art. 21.2.e) - **Transport encryption**: TLS 1.3 enforced via Vercel + HSTS preload - **At-rest encryption**: Vercel storage AES-256, Supabase AES-256 - **Access control**: MFA required on all operator accounts (GitHub, Vercel, Supabase, Anthropic, OpenAI, ElevenLabs, Brevo, Stripe, Calendly, Cloudflare, domain registrar). Hardware security key for primary 2FA, TOTP backup. No password reuse; passwords managed in 1Password. - **Secrets**: never in source code; only in Vercel environment variables (encrypted at rest). Rotation cadence: every 6 months or immediately on suspected compromise. GitHub secret-scanning + push-protection enabled. - **Headers**: full security header set deployed (`_headers` file): HSTS, CSP, X-Frame-Options DENY, COOP, CORP, COEP credentialless, Referrer-Policy strict-origin-when-cross-origin, Permissions-Policy minimal allowlist - **Content Security Policy**: strict allowlist of script/style/img/connect sources; CSP violations reported to `/api/csp-report` - **Dependencies**: Dependabot weekly scans; major bumps reviewed within 7 days of advisory ## 7. Effectiveness of cybersecurity risk management (NIS2 Art. 21.2.f) - Self-assessment annually using ENISA NIS2 implementation guide checklist - Aither's website is itself a public demonstration — clients can audit the architecture, talk to the AI agent, and review every public artifact (llms.txt, ai.txt, security.txt, this policy) - One annual lightweight penetration test (third-party or supervised student) — findings published with remediation status ## 8. Awareness training (NIS2 Art. 21.2.g) - Operator (Max) completes annual phishing simulation and AVG/GDPR refresh training (Citadel or NCSC modules) - Records kept in `training-log.md` ## 9. Cryptography policy (NIS2 Art. 21.2.h) - TLS 1.3 only; older versions disabled at Vercel edge - Symmetric: AES-256-GCM - Asymmetric: Ed25519 / ECDSA-P256 for signing; X25519 for KEM - Hashing: SHA-256 minimum; bcrypt cost ≥12 for passwords - No custom cryptography. Standard libraries only (Web Crypto API, Node `crypto`, Supabase auth) ## 10. Human resources security & access control (NIS2 Art. 21.2.i) - Single operator (Max). Sub-processors do not have access to Aither's own production systems. - Freelance specialists (used for larger client projects) sign per-project NDAs and only get access to scoped client repos, never to Aither's customer data - Off-boarding: rotate all shared credentials within 24 hours of contract end ## 11. Multi-factor authentication (NIS2 Art. 21.2.j) - Hardware security key (YubiKey or built-in passkey) primary for all admin consoles - TOTP secondary - Recovery codes printed and stored in offline location - Customer-facing portal uses Supabase Auth with email magic links and optional TOTP 2FA ## 12. Use of voice/AI services - **ElevenLabs (TTS)** — text-to-speech for chatbot replies. No PII transmitted (only public marketing copy generated by Claude). Requests pass through Aither's own `/api/tts` proxy so the API key stays server-side. - **Anthropic Claude** — primary LLM. Uses EU endpoint where available. Customer queries are processed in real-time, not retained for training (Anthropic Zero-Retention API). System prompt forbids inventing customer data or facts not in the source material. - **Speech-to-text** — uses browser-native Web Speech API (runs locally on the user's device, no server roundtrip) ## 13. Reporting a vulnerability See `.well-known/security.txt`. Contact `security@aithergrowth.com` (or `max@aithergrowth.com`). 24h acknowledge, 72h mitigation target for critical findings. Free Pilot Build voucher (€795 value) for any high-severity finding we ship a fix for. ## 14. Audit log | Date | Reviewer | Notes | |------------|----------|------------------------------------------------------| | 2026-05-11 | Max G. | v1.0 published. NIS2 alignment baseline established. |