Security Practices

PartnerReadyAI is built on AWS with security as a foundational requirement. This page describes how we protect your data, our encryption posture, access controls, and what to do if you discover a vulnerability.

Encryption

• In transit: All connections use TLS 1.2+ (enforced at CloudFront and API Gateway). No plaintext HTTP endpoints exist.
• At rest: DynamoDB tables use AWS-managed encryption (AES-256). S3 buckets use SSE-S3 or SSE-KMS. Secrets Manager uses KMS envelope encryption.

Tenant Isolation

Every customer gets isolated resources: separate DynamoDB partition keys (prefixed by tenant ID), separate Cognito User Pool, separate API Gateway, separate S3 bucket, and separate CloudFront distribution. No shared-tenancy data paths exist between customers.

Authentication & Access Control

• All API access requires a valid Cognito JWT token (short-lived, 60-minute expiry, refreshed every 45 minutes).
• Role-based access control via Cognito groups (admin, migration-lead, channel-manager, exec).
• Cross-account access uses scoped IAM roles with ExternalId conditions — never long-lived credentials.

Audit Logging

• Every data-modifying action is logged with user ID, timestamp, IP address, and user-agent.
• Audit records are append-only (no DELETE permission on the audit partition).
• Retained for 7 years (SOC 2 alignment).
• CloudTrail captures all AWS API calls made by our deploy role in your account.

Data Handling

What we store	Where	Retention
Audit records (API calls, sign-offs)	DynamoDB, us-east-1	7 years
Legacy PC user CSV you upload	DynamoDB, us-east-1	30 days post-migration
Proposed + approved IAM maps, engagement metadata	DynamoDB, us-east-1	90 days post-migration
Migration report (PDF/JSON)	S3, us-east-1 (KMS encrypted)	90 days (or 7 years if governance product active)

No PII beyond work email and name. No payment data. No end-user data from your Partner Central system. On offboarding, we provide a full export and delete everything except the 7-year audit trail.

Incident Response

• Detection: Automated monitoring on all production services.
• Notification: Impacted customers notified within 30 minutes of detection.
• Post-incident: Written summary within 5 business days covering timeline, root cause, remediation, and follow-up actions.

Reporting a Vulnerability

If you discover a security issue related to PartnerReadyAI, please report it to:

security@gdna.io

We acknowledge reports within 24 hours and provide an initial assessment within 72 hours. We do not pursue legal action against good-faith security researchers.

Compliance

PartnerReadyAI is designed to support SOC 2 Type II evidence collection. The signed migration report, immutable audit trail, and quarterly access review features are built specifically for this purpose. We do not hold a SOC 2 certification ourselves at this time — we provide the tooling and evidence artifacts your auditor needs.