Security Policy

Security is at the core of FLEURET AI's mission. As a provider of AI-powered penetration testing solutions, we hold our own systems to the same rigorous standards we expect of our clients' systems.

We adopt a defense-in-depth approach covering our entire technology stack, from infrastructure to application code and organizational processes.

Our infrastructure is built on the following principles:

• European hosting: our production data is hosted in data centers located within the European Union, compliant with GDPR requirements.
• Encryption in transit: all communications are encrypted using TLS 1.2 or higher. We enforce HSTS (HTTP Strict Transport Security) across all our domains.
• Encryption at rest: stored data is encrypted with AES-256. Encryption keys are securely managed and regularly rotated.
• Restricted access: access to production systems follows the principle of least privilege, with mandatory multi-factor authentication.
• Continuous monitoring: our systems are monitored around the clock. Any suspicious activity triggers an immediate alert to the security team.

FLEURET AI is fully compliant with the General Data Protection Regulation (GDPR). Our practices include:

• Data isolation: each client's data is strictly isolated. No cross-client data access is possible.
• Data minimization: we only collect data strictly necessary for the delivery of the service.
• Limited retention: data is deleted upon expiration of the retention periods defined in our privacy policy.
• Processing records: we maintain a record of processing activities in accordance with Article 30 of the GDPR.

We encourage the security community to responsibly disclose any vulnerabilities discovered in our systems.

How to report a vulnerability:

• Send an email to security@fleuret.ai with a detailed description of the vulnerability.
• Include reproduction steps, potential impact, and if possible, a proof of concept.
• Use our public PGP key (available upon request) to encrypt sensitive information.

Our commitment:

• Acknowledgment within 48 business hours.
• Assessment and initial response within 5 business days.
• Transparent communication on remediation progress.
• We will not pursue legal action against security researchers acting in good faith and in compliance with responsible disclosure guidelines.

Rules to follow:

• Do not access, modify, or delete other users' data.
• Do not cause denial of service or service degradation.
• Do not publicly disclose the vulnerability before it is fixed and mutual agreement is reached.

FLEURET AI maintains a security incident response plan structured around the following stages:

• Detection and identification: continuous monitoring and automated alerting systems enabling rapid detection of any anomaly.
• Containment: immediate isolation of affected systems to limit the impact of the incident.
• Analysis and remediation: thorough root cause investigation, patching of identified vulnerabilities, and restoration of services.
• Notification: in the event of a personal data breach, notification to the CNIL within 72 hours and notification to affected individuals without undue delay, in accordance with Articles 33 and 34 of the GDPR.
• Post-mortem: post-incident analysis and procedure updates to prevent recurrence.

For any questions regarding the security of our services:

Security: security@fleuret.ai

General: contact@fleuret.ai

Address: 60 Rue François 1er, 75008 Paris, France