logoAgentBeluga
← Back to home

Security & Data Protection

Last updated: May 23, 2026

This page summarises the technical and organisational measures Beluga AI Ltd uses to protect data across our websites, the Agent Beluga platform, and the mytradebuddy product.

1. Infrastructure

  • Cloud-hosted application infrastructure with network-level protections.
  • Managed services for data storage and operational workloads.
  • Logical separation of development, staging, and production environments.
  • DDoS mitigation and a global content delivery network in front of public endpoints.

2. Encryption

  • TLS 1.2+ for data in transit (APIs, service communications, and web traffic).
  • Encryption at rest provided by managed infrastructure (AES-256 where applicable).
  • Customer secrets (API keys, OAuth tokens) stored encrypted with key management services.

3. Access controls

  • Role-based access control (RBAC) and least-privilege defaults.
  • Multi-factor authentication (MFA) required for administrative access.
  • Audit logging for administrative actions with periodic review.
  • Just-in-time access for production systems where feasible.

4. Secrets and API security

  • Secrets stored using environment-based secret management.
  • API keys are not exposed client-side.
  • Authenticated and rate-limited integration endpoints.
  • Regular rotation of long-lived credentials.

5. Monitoring and incident response

  • Structured logging and centralised error monitoring.
  • Operational alerting on anomalous patterns and security signals.
  • Documented incident response procedures for containment, eradication, recovery, and post-incident review.
  • 72-hour breach notification commitment to affected controllers in line with UK GDPR.

6. Backup and disaster recovery

  • Automated, encrypted backups for production data stores.
  • Periodic restore tests to validate recoverability.
  • Documented recovery point and recovery time objectives.

7. People & training

  • Confidentiality obligations in all staff and contractor agreements.
  • Mandatory security and data protection training.
  • Background checks for staff with production access where permitted by law.

8. Vendor management

We perform due diligence on every sub-processor we engage and review the assurance reports they make available (such as SOC 2 Type II and ISO 27001 certifications) where applicable. See Annex B of the DPA for the categories of sub-processors we use.

9. Responsible disclosure

We welcome reports of potential security issues. Please email support@agentbeluga.com with details. Please give us a reasonable time to investigate and remediate before public disclosure.

10. Contact

For security enquiries, contact support@agentbeluga.com.