Last Update February 27, 2024
Title: Our commitment to security and privacy
Subtitle: Intuition is committed to building trust in our organization and platform by protecting customer data, models, and products.
Intuition complies with GDPR and CCPA. We can execute a Data Processing Agreement if your organization or use case requires it.
The team at Intuition is working toward SOC 2 Type 2 compliance with the help of external auditors. Please check back for the latest updates.
Reporting security issues
Intuition invites its customers, security researchers, ethical hackers, and technology enthusiasts to report security issues:
Submit your security issue here:
Posted on intuition.us/security to accept security reports
Both current and previous customers of Intuition can request the removal of their personal information from Intuition and its products. We remove your account, messages, and associated activity when requested. You can request the removal by reaching out to email@example.com.
Last update: September 21, 2023
- Objectives: Intuition shall implement data security measures that are consistent with industry best practices and standards such that Intuition:
- Protects the privacy, confidentiality, integrity, and availability of all data which is disclosed by the customer to or otherwise comes into the possession of Intuition, its affiliates, or sub-contractors, directly or indirectly as a result of these terms, including but not limited to customer’s confidential information and any customer personally identifiable information;
- Protects against accidental, unauthorized, unauthenticated, or unlawful access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of the customer data, including, but not limited to, identity theft;
- Complies with all federal, state, and local laws, rules, regulations, directives and decisions (each, to the extent having the force of law) that are relevant to the handling, processing, storing or use of customer data in accordance with these terms;
- Manages, controls and remediates any threats identified in the risk assessment findings that could result in unauthorized access, copying, use, processing, disclosure, alteration, transfer, loss or destruction of any of the customer data, including without limitation identity theft; and
- Complies with and implements the risk policies listed in this document, together with the data protection and confidentiality obligations of the terms.
- Organization Security Measures:
- Environment: Intuition shall provide assurance that it sets the foundation for the tone, discipline, and structure necessary to influence the control consciousness of its people and necessary for the services provided to customer and/or customer’s customers.
- Responsibility: Intuition shall assign responsibility for information security management to appropriate skilled and senior personnel.
- Qualification of Employees: Intuition shall implement and maintain appropriate security measures and procedures, including background checks following industry best practices, to restrict access to information systems used in connection with these terms or to customer information to only those personnel who are reliable, have sufficient technical expertise for the role assigned, and have personal integrity.
- Obligations of Employees: Intuition shall implement and maintain appropriate security measures and procedures in order to verify that any personnel accessing the customer information or information systems used in connection with these terms know their obligations and the consequences of any security breach, and have read and agree to comply with all applicable customer information security policies and standards.
- Segregation of Duties: Intuition shall provide reasonable assurance that the organization of personnel provides adequate segregation of duties between incompatible functions.
- Physical Security Measures:
- Physical Security and Access Control – Intuition shall ensure that all systems hosting customer data and/or providing services on behalf of customer are maintained consistent with industry best practices and standards in a physically secure environment that prevents unauthorized access, with access restrictions at physical locations containing customer data, such as buildings, computer facilities, and records storage facilities, designed and implemented to permit access only to authorized individuals and to detect any unauthorized access that may occur, including without limitation 24 x 7 security personnel at all relevant locations.
- Physical Security for Media – Intuition shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to prevent the unauthorized viewing, copying, alteration or removal of any media containing customer data, wherever located.
- Media Destruction – Intuition shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to destroy removable media and any mobile device (such as discs, USB drives, DVDs, back-up tapes, laptops and PDAs) containing customer data where such media or mobile device is no longer used, or alternatively to render customer data on such removable media or mobile device unintelligible and not capable of reconstruction by any technical means before re-use of such removable media is allowed.
- Computer System Access Control Measures:
- Access Controls – Intuition shall implement and maintain appropriate security measures and procedures consistent with industry best practices and standards to ensure the logical separation such that access to all systems hosting customer data and/or being used to provide services to customer shall: be protected through the use of access control systems that uniquely identify each individual requiring access, grant access only to authorized individuals and based on the principle of least privilege, prevent unauthorized persons from gaining access to customer data, appropriately limit and control the scope of access granted to any authorized person, and log all relevant access events.
- Access Rights Policies – Intuition shall implement appropriate policies and procedures regarding the granting of access rights to customer data in Intuition’s possession or control, in order to ensure that only the personnel expressly authorized pursuant to the terms or by customer in writing may create, modify or cancel the rights of access of the personnel. Intuition shall maintain an accurate and up-to-date list of all personnel who have access to the customer data and shall have the facility to promptly disable access by any individual personnel. For purposes of these terms, the term “personnel” as to customer or Intuition shall mean such party’s employees, consultants, subcontractors or other agents.
- Intrusion Detection/Prevention and Malware:
- Intuition shall use appropriate security measures and procedures (i) to ensure that customer data in Intuition’s possession and control, and/or systems being used to provide services, is protected against the risk of intrusion and the effects of viruses, Trojan horses, worms, and other forms of malware, and (ii) to monitor and record each and every instance of access to Intuition’s assets and information systems and to customer data to detect the same, and to promptly respond to the same. If any malicious code is found to have been introduced by Intuition or any third party into any of Intuition’s information systems handling or holding customer data, Intuition shall take appropriate measures to prevent any unauthorized access or disclosure of any customer data and in any case (wherever such code originated), Intuition shall, at no additional charge to customer, remove such malicious code and eliminate the effects of the malicious code. If such malicious code causes a loss of operational efficiency or loss of data, Intuition shall monitor such losses and restore such lost data in accordance with the terms. Unless, and to the extent, prohibited by law enforcement authorities, Intuition shall immediately notify customer’s Chief Information Security Officer or equivalent if it knows or reasonably suspects that there has been an actual instance of unauthorized access to the customer data and/or systems holding or handling customer data and shall cooperate fully in assisting customer as necessary to enable customer to comply with its statutory and other legal breach notice requirements, if any.
- Incident Response Measures – Intuition shall implement and maintain appropriate incident response measures and procedures for systems that handle or hold customer data, including, but not limited to:
- Operational problems and security incidents are detected, reported, logged, and resolved in a timely manner.
- Processing is appropriately authorized and scheduled, and deviations from scheduled processing are detected, reported, logged, and resolved in a timely manner.
- System availability, performance and capacity are routinely monitored to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.
- Networks are routinely monitored for availability and response times to help ensure potential issues are detected, reported, logged, and resolved in a timely manner.
- Data Management Controls Measures:
- Customer Data – Customer data must only be used by Intuition for the purposes specified in these terms.
- Customer Production Data – Where access is given to customer data on any customer production system, unless otherwise agreed to in writing by customer, Intuition must not and shall procure that its personnel and sub-contractors shall not copy, download or store such customer data on any desktop, server or other device at any location, in Intuition’s or its personnel’s possession or otherwise.
- Data Integrity Controls – Implementing and maintaining appropriate security measures and procedures to protect the integrity of the customer data in Intuition’s possession or control, to prevent the unauthorized recording, alteration or erasure of such customer data, and to ensure that it is subsequently possible to determine when, by whom and which customer data were recorded, altered or erased.
- Data Destruction – Implementing and maintaining appropriate security measures and procedures to destroy customer data in Intuition’s possession or control when appropriate and in accordance with the terms. At the request of customer at any time, Intuition will: (i) promptly return to customer, in the format and on the media reasonably requested by customer, all or any part of customer data; and (ii) erase or destroy all or any part of customer data in Intuition’s possession, in each case to the extent so requested by customer.
- Software Patching – Implementing and maintaining appropriate security measures and procedures in order to ensure the regular update and patching of all computer software on systems that handle or hold customer data to eliminate vulnerabilities and remove flaws that could otherwise facilitate security breaches. Patching schedule and regular verification access and/or reporting shall be mutually agreed upon by customer and Intuition.
- Virus Management – Intuition shall implement and maintain appropriate security measures and procedures designed to provide antivirus and spyware software protection to Intuition’s systems that handle or hold customer data, using the most recently distributed version of software.
Responsible Disclosure Policy
Last update: September 21, 2023
Intuition is committed to ensuring the safety and security of our customers. We aim to foster an open partnership with the security community, and we recognize that the work the community does is important in continuing to ensure safety and security for all of our customers. We have developed this policy to both reflect our corporate values and to uphold our legal responsibility to good-faith security researchers who are providing us with their expertise.
Intuition’s Responsible Disclosure Policy covers the following product:
We intend to increase our scope as we build capacity and experience with this process. Researchers who submit a vulnerability report to us will be given full credit on our website once the submission has been accepted and validated by our product security team.
Intuition will not engage in legal action against individuals who submit vulnerability reports through our Vulnerability Reporting inbox. We openly accept reports for the currently listed Intuition product. We agree not to pursue legal action against individuals who:
- Engage in testing of systems/research without harming Intuition or its customers.
- Engage in vulnerability testing within the scope of our vulnerability disclosure program.
- Test on products without affecting customers, or receive permission/consent from customers before engaging in vulnerability testing against their devices/software, etc.
- Adhere to the laws of their location and the location of Intuition. For example, violating laws that would only result in a claim by Intuition (and not a criminal claim) may be acceptable as Intuition is authorizing the activity (reverse engineering or circumventing protective measures) to improve its system.
- Refrain from disclosing vulnerability details to the public before a mutually agreed-upon timeframe expires.
How to Submit a Vulnerability
To submit a vulnerability report to Intuition’s Product Security Team, please utilize the following email: firstname.lastname@example.org. Alternatively, you can fill out the form at https://intuition.us/security to submit any security vulnerabilities.
Preference, Prioritization, and Acceptance Criteria
We will use the following criteria to prioritize and triage submissions.
What we would like to see from you:
- Well-written reports in English will have a higher probability of resolution.
- Reports that include proof-of-concept code equip us to better triage.
- Reports that include only crash dumps or other automated tool output may receive lower priority.
- Reports that include products not on the initial scope list may receive lower priority.
- Please include how you found the bug, the impact, and any potential remediation.
- Please include any plans or intentions for public disclosure.
What you can expect from Intuition:
- A timely response to your email (within 2 business days).
- After triage, we will send an expected timeline, and commit to being as transparent as possible about the remediation timeline as well as on issues or challenges that may extend it.
- An open dialog to discuss issues.
- Notification when the vulnerability analysis has completed each stage of our review.
- Credit after the vulnerability has been validated and fixed.
- If we are unable to resolve communication issues or other problems, Intuition may bring in a neutral third party to assist in determining how best to handle the vulnerability.