Security

Last updated: March 2026 · Genius Labs AI Inc.

Our Commitment

At Genius Labs AI, security is foundational — not an add-on. We are committed to protecting the integrity, confidentiality, and availability of your business data in accordance with Canadian federal law (PIPEDA), the Ontario Consumer Protection Act, 2002, and where applicable, the EU General Data Protection Regulation (GDPR Article 32).

Pre-launch transparency: Genius Labs AI is currently in pre-launch. The security controls described in this document represent our design principles and the standards we are building toward. We will update this page as controls are verified and deployed in our production environment.

Encryption in Transit

All data transmitted between your browser and our servers is encrypted using TLS 1.2 or higher. Older protocols are disabled.

Encryption at Rest

Stored data is encrypted using AES-256. Encryption keys are managed under strict rotation and access policies.

Access Controls

Role-based access controls and multi-factor authentication ensure only authorized users can access your data.

Continuous Monitoring

Our systems are monitored for anomalous activity, unauthorized access attempts, and performance degradation.

Data Residency

Customer data is stored and processed in Canada. We do not transfer your data outside of Canada without your knowledge, except where required by law or where subprocessors are located in jurisdictions deemed adequate by the relevant privacy authority.

For customers in the European Economic Area, Canada is recognized by the European Commission as providing adequate protection for personal data under GDPR Article 45. We will always inform you of any material changes to data residency.

Security Frameworks and Standards

Our security design is informed by internationally recognized frameworks and regulations:

  • NIST Cybersecurity Framework (CSF 2.0) — our security program is structured around the NIST Identify, Protect, Detect, Respond, and Recover functions
  • OWASP Top 10 — applied across all application development and code review processes
  • ISO/IEC 27001 principles — our information security management practices align with ISO 27001 design principles (formal certification is a roadmap objective)
  • EU NIS2 Directive (2022/2555) — to the extent we provide digital services to EU users, we align with NIS2 security and incident reporting obligations
  • Australian ACSC Essential Eight — our controls align with the Australian Cyber Security Centre's Essential Eight mitigation strategies
  • Philippine National Cybersecurity Plan 2023–2028 — we align our incident response and data protection practices with the NPC and DICT cybersecurity guidelines for organizations processing Philippine personal data

Infrastructure Security

  • Physical data centers with 24/7 security, biometric access controls, and environmental safeguards
  • Network firewalls, intrusion detection systems, and DDoS mitigation
  • Automated backups with point-in-time recovery capabilities
  • Geographically redundant infrastructure to ensure high availability
  • Regular penetration testing and third-party security audits
  • Vulnerability scanning integrated into our deployment pipeline

Application Security

  • Code reviews and static analysis as part of every deployment
  • Dependency scanning for known vulnerabilities (CVEs)
  • OWASP Top 10 mitigations applied across all products
  • Secure session management with automatic expiry and token rotation
  • Input validation and output encoding to prevent injection attacks
  • Security testing conducted prior to every major release

Third-Party and Subprocessor Security

We work with third-party service providers (subprocessors) to operate our platform — including cloud infrastructure, analytics, and communication tools. All subprocessors are required to:

  • Maintain security standards equivalent to or exceeding our own
  • Sign data processing agreements (DPAs) that bind them to PIPEDA and, where applicable, GDPR obligations
  • Restrict use of your data to the purposes we specify
  • Notify us immediately of any security incident involving your data

A list of active subprocessors is available upon request at security@geniuslabsai.io.

Data Isolation

Customer data is logically isolated at the application layer. No customer can access another customer's data. Our engineering team operates under strict data access policies on a need-to-know basis, and all internal access to production data is logged and auditable.

Incident Response and Breach Notification

In the event of a security incident involving personal data, we comply with breach notification requirements across all relevant jurisdictions:

  • 🇨🇦 Canada — PIPEDA (SOR/2018-64): We will notify the Office of the Privacy Commissioner of Canada (OPC) and affected individuals as soon as feasible after determining a breach poses a real risk of significant harm. We maintain an internal breach log for a minimum of 24 months as required by the Breach of Security Safeguards Regulations.
  • 🇵🇭 Philippines — NPC Circular 16-03: We will notify the National Privacy Commission (NPC) and affected Philippine individuals within 72 hours of becoming aware of a personal data breach, as required under NPC Circular 16-03. The notification will include the nature of the breach, personal data involved, and remediation steps.
  • 🇺🇸 United States — State Breach Notification Laws: We comply with applicable US state breach notification laws. California residents will be notified within 72 hours as required under the CCPA (Section 1798.150) for breaches involving unencrypted personal information. Other state-specific timelines (New York SHIELD Act, Texas BC Act, etc.) are honored accordingly. The FTC will be notified as required under the FTC Act.
  • 🇦🇺 Australia — Notifiable Data Breaches (NDB) Scheme: Under the Privacy Act 1988 (Cth), we will notify the Office of the Australian Information Commissioner (OAIC) and affected Australian individuals within 30 days of becoming aware of an eligible data breach (one likely to result in serious harm). Notification will be made via the OAIC's online portal at www.oaic.gov.au.
  • 🇪🇺 EU / 🇬🇧 UK — GDPR and UK GDPR: We will notify the relevant supervisory authority within 72 hours of becoming aware of a breach (GDPR Article 33). Affected EU and UK individuals will be notified without undue delay where the breach is likely to result in high risk to their rights and freedoms (GDPR Article 34). UK breaches are reported to the ICO.

Across all jurisdictions, we will provide a clear description of the nature, scope, and timeline of the incident, and the steps taken to contain, remediate, and prevent recurrence.

Responsible Disclosure

We take security research seriously. If you discover a potential security vulnerability in our platform, we ask that you report it to us privately before public disclosure. This allows us to investigate and remediate the issue without putting users at risk.

  • Email: security@geniuslabsai.io
  • We will acknowledge your report within 48 business hours
  • We will keep you informed of investigation progress and expected remediation timeline
  • We will not pursue legal action against researchers who act in good faith under this policy

Employee and Organizational Security

  • All employees and contractors undergo background screening prior to hire
  • Security awareness training is conducted at onboarding and reviewed annually
  • Access to production systems is strictly controlled, logged, and reviewed quarterly
  • Departing employees and contractors have access revoked immediately upon separation
  • Confidentiality and data handling obligations are embedded in all employment contracts

Your Responsibilities

Security is a shared responsibility. To protect your account and data, we recommend:

  • Using a strong, unique password for your Genius Labs AI account
  • Enabling multi-factor authentication (MFA) when available
  • Not sharing account credentials with unauthorized individuals
  • Reporting any suspicious activity to security@geniuslabsai.io immediately

Contact

Security inquiries and vulnerability reports: security@geniuslabsai.io
Privacy and data requests: privacy@geniuslabsai.io
Legal: legal@geniuslabsai.io
Genius Labs AI Inc. · Burlington, Ontario, Canada

© Genius Labs AI Inc. All rights reserved. · Burlington, ON, Canada