ISO 27001 Information Security Policy

Our commitment to information security management and protecting customer data.

Last updated: June 18, 2026

Policy owner: Dr. Elena Rodriguez, Chief Technology Officer

Version: 1.0

1. Purpose

UncensoredAI Inc. ("UncensoredAI", "we", "us") is committed to protecting the confidentiality, integrity, and availability of information assets. This Information Security Policy establishes the framework for our Information Security Management System (ISMS) aligned with ISO/IEC 27001:2022.

2. Scope

This policy applies to:

  • All employees, contractors, and third parties with access to UncensoredAI systems
  • All information assets processed through uncensored-ai.org and related services
  • Cloud infrastructure, application code, customer data, and internal business data
  • Development, operations, support, and administrative functions

3. Information Security Objectives

UncensoredAI maintains the following security objectives:

  • Protect customer account data, chat history, and payment information
  • Ensure service availability and resilience, and protect systems and data against unauthorized access
  • Comply with applicable data protection laws and regulations, including the GDPR and the CCPA
  • Identify, assess, and treat information security risks on an ongoing basis
  • Continuously improve our ISMS through audits, reviews, and staff training

4. Governance & Roles

4.1 Executive Management

Executive management approves the ISMS, allocates resources, and reviews security performance at least annually.

4.2 Chief Technology Officer (CTO)

The CTO is responsible for ISMS implementation, risk assessments, control selection, and reporting to executive management.

4.3 All Personnel

Every team member is responsible for following security policies, reporting incidents promptly, and completing required security awareness training.

5. Risk Management

UncensoredAI conducts formal risk assessments at least annually and when significant changes occur (new features, infrastructure changes, or third-party integrations). Identified risks are evaluated, treated, and documented in our risk register. Residual risks are accepted only with documented management approval.

6. Key Security Controls

Our ISMS includes controls across the following domains:

  • Access control: Role-based access control, MFA for administrative systems, least-privilege access
  • Cryptography: TLS 1.2 or later for data in transit, encryption at rest for sensitive data stores
  • Operations security: Change management, vulnerability scanning, patch management
  • Network security: Firewalls, DDoS protection via Cloudflare, network segmentation
  • Supplier relationships: Security assessments for cloud providers and payment processors
  • Incident management: Documented incident response plan with defined escalation paths
  • Business continuity: Backups, disaster recovery procedures, and recovery time objectives
  • Compliance: Regular internal audits and management review meetings

7. Data Classification & Handling

Information is classified into four levels:

  • Public: Marketing content, public documentation
  • Internal: Business operations data, non-sensitive internal communications
  • Confidential: Customer account data, chat logs, analytics
  • Restricted: Payment credentials, API keys, authentication secrets

Handling requirements increase with classification level. Restricted data is never stored in plaintext, and all access to it is logged and monitored.

8. Incident Response

Security incidents must be reported immediately to [email protected]. Our incident response process includes:

  1. Detection and reporting
  2. Containment and eradication
  3. Recovery and post-incident review
  4. Notification to affected users and regulators where legally required

9. Third-Party Security

Vendors and subprocessors (cloud hosting, payment processors, analytics) are evaluated for security posture before onboarding. Contracts include data processing agreements and security requirements. Current infrastructure is hosted on Cloudflare, which holds industry-standard security certifications.

10. Training & Awareness

All personnel complete information security awareness training upon onboarding and annually thereafter. Developers receive additional secure coding training covering the OWASP Top 10 risk categories and secure API design.

11. Monitoring & Auditing

Security events are logged and monitored. Internal audits are conducted at least annually. Management reviews ISMS performance, audit findings, and improvement opportunities quarterly. External certification audits are planned as part of our ISO 27001 certification roadmap.

12. Policy Review

This policy is reviewed at least annually or following significant security incidents or organizational changes. Updates require approval from the CTO and executive management.

13. Contact

For security inquiries, vulnerability reports, or ISO 27001 compliance questions:

Security Team: [email protected]
Data Protection: [email protected]
Legal: [email protected]