AETHER INTELLIGENCE
Security Policy
Effective Date: February 14, 2026 | Version 1.0
Commitment: Aether Intelligence is committed to protecting the confidentiality, integrity, and availability of user data. This policy outlines our security practices and controls.
1. Governance and Risk Management
1.1 Security Responsibility
The Chief Executive Officer (CEO) serves as the designated security officer responsible for:
- Overseeing information security practices
- Reviewing and updating security policies annually
- Responding to security incidents
- Ensuring compliance with applicable regulations
Security Contact: Rahul Talwar, CEO — rahul@aetherlabs.live
1.2 Risk Assessment
Aether conducts ongoing risk assessments to identify, evaluate, and mitigate information security risks. Key risk areas include:
- Unauthorized access to user financial data
- Data breaches or leaks
- Service availability disruptions
- Third-party integration vulnerabilities
2. Infrastructure Security
2.1 Cloud Infrastructure
Aether operates on enterprise-grade cloud platforms with built-in security controls:
| Provider | Purpose | User Access | Security Features |
| Google Cloud Platform (GCP) | User-facing application, API services, user data storage | Yes — all user interactions | Cloud Run (serverless), IAM, Firestore encryption, Cloud Load Balancing |
| Amazon Web Services (AWS) | Internal research systems, market analysis (no user data) | No — internal only | VPC isolation, security groups, encryption at rest |
| Cloudflare | DNS, CDN, DDoS protection | Proxy layer | WAF, SSL/TLS termination, threat mitigation |
Data Isolation: All user data, including financial account information from Plaid integrations, is processed and stored exclusively on Google Cloud Platform. Internal research systems on AWS do not have access to user personal or financial data.
2.2 Network Security
- Encryption in Transit: All data transmitted between users and Aether services is encrypted using TLS 1.2 or higher
- Encryption at Rest: All stored data is encrypted using AES-256 encryption provided by our cloud infrastructure
- Firewall Protection: Network access is restricted through security groups and firewall rules
- DDoS Mitigation: Cloudflare provides automatic DDoS protection for all public endpoints
3. Access Control
3.1 Administrative Access
- SSH Key Authentication: Server access requires SSH key-based authentication; password authentication is disabled
- Multi-Factor Authentication (MFA): MFA is required for all cloud console access (AWS, GCP)
- Principle of Least Privilege: Access rights are limited to the minimum necessary for job functions
- Access Reviews: Administrative access is reviewed quarterly
3.2 User Authentication
- User accounts are protected by access codes during the beta phase
- Google OAuth/SSO integration is planned for production
- Session tokens expire after a period of inactivity
3.3 Third-Party Access
Aether integrates with third-party services for specific functions:
| Service | Purpose | Data Shared |
| Plaid | Account aggregation | Read-only access to holdings and balances |
| Alpaca | Brokerage integration | Trade execution (user-initiated only) |
| Anthropic | AI services | Anonymized conversation data |
4. Data Protection
4.1 Data Classification
| Classification | Description | Handling |
| Sensitive | Financial account data, holdings, balances | Encrypted, access-controlled, logged |
| Personal | Name, email, preferences | Encrypted at rest, limited access |
| Public | Market data, educational content | No special handling required |
4.2 Data Retention
- User Data: Retained while account is active; deleted within 30 days of account closure upon request
- Conversation Logs: Retained for 90 days for service improvement, then anonymized or deleted
- Financial Data: Cached temporarily for display purposes; refreshed from source on each session
- Audit Logs: Retained for 1 year for security and compliance purposes
4.3 Data Deletion
Users may request deletion of their data by contacting rahul@aetherlabs.live. Upon verified request:
- Account and personal data deleted within 30 days
- Third-party connections (Plaid, Alpaca) revoked immediately
- Backup copies purged within 90 days
5. Vulnerability Management
5.1 Patching and Updates
- Operating system security updates applied within 7 days of release
- Critical vulnerabilities patched within 48 hours
- Dependencies monitored for known vulnerabilities
5.2 Security Monitoring
- Cloud provider security alerts enabled and monitored
- Application logs reviewed for anomalies
- Failed authentication attempts tracked and rate-limited
6. Incident Response
6.1 Incident Classification
| Severity | Description | Response Time |
| Critical | Data breach, unauthorized access to user data | Immediate (within 1 hour) |
| High | Service outage, potential vulnerability exploit | Within 4 hours |
| Medium | Suspicious activity, minor service degradation | Within 24 hours |
| Low | Policy violations, non-urgent security issues | Within 7 days |
6.2 Incident Response Process
- Detection: Identify and confirm the incident
- Containment: Isolate affected systems to prevent spread
- Eradication: Remove the threat and patch vulnerabilities
- Recovery: Restore systems to normal operation
- Post-Incident Review: Document lessons learned and improve controls
6.3 Breach Notification
In the event of a data breach affecting user information:
- Affected users notified within 72 hours
- Relevant regulators notified as required by law
- Third-party partners (Plaid, etc.) notified per contractual obligations
7. Business Continuity
7.1 Backup and Recovery
- Database backups performed daily
- Backups stored in a geographically separate region
- Recovery procedures tested quarterly
- Target Recovery Time Objective (RTO): 4 hours
- Target Recovery Point Objective (RPO): 24 hours
8. Compliance
8.1 Regulatory Framework
Aether operates as an educational research platform and maintains compliance with:
- Privacy: Aligned with CCPA principles for California users
- Financial Services: Non-custodial model; does not hold user funds
- Data Protection: User consent obtained for all data collection
Important: Aether Intelligence is NOT a registered investment advisor (RIA), broker-dealer, or financial institution. We provide educational tools and research; all investment decisions are made by users.
9. Policy Review
This Security Policy is reviewed and updated:
- Annually, at minimum
- Following any significant security incident
- When material changes occur to our systems or practices
10. Contact
For security concerns, vulnerability reports, or questions about this policy:
Email: rahul@aetherlabs.live
Subject Line: [SECURITY] Your concern