Security and Privacy at Groundlight

Introduction

Groundlight is committed to maintaining the highest standards of security. Our services involve processing and analyzing sensitive image data. This whitepaper outlines our security framework, which is designed to safeguard customer data against unauthorized access and cyber threats while ensuring that the data is used solely for its intended purposes.



Governance and Compliance

At Groundlight, we take seriously our role as stewards of our customers' data. We recognize the sensitivity of the images and related data we are entrusted to analyze. To protect them, we have developed comprehensive security policies, together with controls that verify those policies are continuously and properly implemented. At the core of our security philosophy is "defense in depth": no security system can ever be perfect, so we design the system to stay secure even if parts of our protection fail - further protections are in place at the next layer. Groundlight has established a rigorous governance framework to oversee our security measures and ensure they meet and exceed industry standards. This approach not only protects our clients' data but also fortifies our systems against evolving cyber threats.



Data Protection

In safeguarding our operations at Groundlight, we categorize data into three distinct types: critical data, sensitive data, and metadata.

Critical Data: This includes personally identifiable information (PII), financial instruments, and other data requiring the most stringent protection.

Sensitive Data: Images provided by customers fall under this category and are treated with extreme care.

Metadata: This includes textual descriptions of queries, image labels, and other related data, including operational logs and data about how the service processes image queries.

Within this context, Groundlight employs the following strategies to protect customer data:

• Access Controls: Access to critical and sensitive data is stringently regulated. Only Groundlight employees with a legitimate operational or business need can access these data in bulk, and exclusively via continuously monitored and controlled equipment. Contract labelers have access to sensitive data on an as-needed basis for quality control and for monitoring of ML models.

• Authorization Changes: Changes in authorization are tracked and managed by an explicit authorization workflow. The only exceptions allowed are for dealing with operational emergencies, after which a careful debrief reviews and retroactively approves or revokes any emergency authorization changes.

• Data Encryption: All critical and sensitive customer data are encrypted while at rest to ensure maximal security.

• Network Security: Data transmission occurs solely over secure networks, bolstering our defense against unauthorized access.

• Intrusion Detection: Advanced intrusion detection systems are in place, providing real-time monitoring for potential security breaches.

• Secret Management: All passwords, encryption keys, and other secrets are managed by security-hardened systems specifically designed to protect these sensitive assets. These include AWS Secrets Manager and commercially managed password managers. Secrets are distributed on an as-needed basis, with every employee and system having access limited to what is required to perform their function.

These practices are periodically audited and reviewed to stay abreast of evolving security challenges and technological advancements.



Product Security

At Groundlight, product security is integral to our commitment to protecting customer data. Our approach includes several key strategies:

Automated Vulnerability Scanning: We continuously scan our production systems for vulnerabilities. This automated process ensures that any potential security gaps are identified and addressed promptly.

Secure Development Lifecycle: Our development practices are designed to ensure security at every stage. All production code is deployed through automated Continuous Integration / Continuous Deployment (CI/CD) systems. Integration tests are fully automated, while deployments require operator oversight, balancing automation efficiency with human supervision.

Library Vulnerability Scanning: We regularly scan libraries for vulnerabilities. This automated process is part of our effort to proactively identify and mitigate risks associated with third-party components.

Regular Patching: Systems handling customer data are regularly patched and updated. This routine maintenance is crucial in safeguarding against known vulnerabilities and ensuring the security and integrity of our systems.

These measures demonstrate our commitment to maintaining robust product security and protecting our customers' sensitive data.



Identity and Access Management

Groundlight's approach to identity and access management emphasizes strict control over who can access customer data. All systems with access to critical and sensitive data are fully managed and monitored by commercial Mobile Device Management (MDM) software. Moreover, strict policies ensure that access is granted only to those who need it. This system is not only about restricting access but also about tracking and auditing data usage to maintain a secure environment.

We believe informed employees are our first line of defense against security threats. Groundlight ensures all employees are aware of the latest cybersecurity practices and potential threats.



Continuous Improvement and Monitoring

At Groundlight, we understand that security is an ongoing process. Our strategy includes continuous monitoring of our systems and regular updates to our security measures. We employ advanced monitoring tools to detect and respond to potential security incidents swiftly, ensuring a proactive stance in maintaining security integrity.



Conclusion

Groundlight is deeply committed to maintaining robust security protocols. Our approach encompasses a comprehensive strategy focused on advanced technology, employee training, and continuous improvement. We are dedicated to upholding the trust our customers place in us by safeguarding their data with the utmost care and diligence.



Reporting Concerns

If you have any information about security vulnerabilities or other concerns about Groundlight's service, please email them to security@groundlight.ai.