Security and Compliance

Last updated: 3 December 2025

Contents
  1. Security and Compliance Overview
  2. Security Architecture
  3. Data Protection Measures
  4. Access Controls and Authentication
  5. Encryption Standards
  6. Network Security
  7. Incident Response and Breach Notification
  8. Business Continuity and Disaster Recovery
  9. Vulnerability Management and Patch Management
  10. Regulatory Compliance Framework
  11. GDPR Compliance
  12. CCPA Compliance
  13. AML/KYC Compliance
  14. Export Control and Sanctions Compliance
  15. Audit Logging and Monitoring
  16. Third-Party Security and Vendor Management
  17. Employee Security and Training
  18. Security Certifications and Attestations
  19. Security Best Practices
  20. Responsible Disclosure Policy
  21. Contact and Reporting

1. Security and Compliance Overview

Entropy Partners, Inc. ("Company," "we," "us," or "our") is committed to maintaining the highest standards of security, data protection, and regulatory compliance. This document describes our comprehensive security posture, compliance programs, and safeguards designed to protect your data, intellectual property, and interests.

We implement controls aligned with industry standards and frameworks including NIST Cybersecurity Framework, ISO 27001, SOC 2 Type II, and GDPR. Our security program is comprehensive, continuously monitored, and regularly audited by independent third parties.

This document is intended for customers, partners, compliance officers, and security professionals evaluating our Service. For specific security questions or compliance certifications, contact security@entropyauction.com.

2. Security Architecture

2.1 Defense-in-Depth Approach

We employ a multi-layered security architecture to protect systems and data from multiple threat vectors:

  • Perimeter Security: DDoS protection, firewalls, intrusion detection and prevention systems (IDS/IPS).
  • Network Segmentation: Isolated security zones for databases, application servers, and administrative systems.
  • Application Security: Web application firewalls (WAF), API security controls, input validation, output encoding.
  • Data Protection: Encryption in transit and at rest, database activity monitoring, data loss prevention (DLP).
  • Identity and Access Management: Multi-factor authentication, role-based access control (RBAC), principle of least privilege.
  • Monitoring and Response: Security information and event management (SIEM), 24/7 SOC monitoring, incident response procedures.

2.2 Cloud Infrastructure

We leverage enterprise-grade cloud providers (AWS, Google Cloud Platform) that operate certified data centers meeting SOC 2, ISO 27001, and FedRAMP requirements. Our infrastructure benefits from their security investments, compliance certifications, and 24/7 managed security services.

2.3 Infrastructure as Code (IaC) and Immutable Servers

Our infrastructure is defined as code (Terraform, CloudFormation) enabling version control, change tracking, and consistent deployments. Servers are deployed from hardened base images and are immutable (replaced rather than modified), reducing attack surface and configuration drift.

3. Data Protection Measures

3.1 Data Classification

All data is classified according to sensitivity and regulatory requirements:

  • Public: Marketing materials, public documentation, anonymized data.
  • Internal: Business documents, employee information (access restricted to employees).
  • Confidential: Customer data, license information, financial records (encryption and access controls required).
  • Restricted/Sensitive: Personal data, payment information, compliance records (maximum protection: encryption, auditing, limited access).

3.2 Data Minimization

We collect and retain only the minimum Personal Data necessary to provide the Service and comply with legal obligations. Data is retained according to defined schedules (see Privacy Policy Section 8) and securely deleted when no longer needed.

3.3 Data Integrity and Authenticity

We implement cryptographic checksums and digital signatures to ensure data integrity. Dataset integrity is verified upon delivery, and tamper detection alerts are logged and investigated.
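The delivery-time integrity check described above, as an added example (not Entropy Partners' own code): a producer builds a manifest of per-file SHA-256 digests and authenticates it, and the consumer verifies the manifest first and only then compares each file, reporting modified, missing and unlisted files as tamper alerts. The file paths, contents and key are constructed for the demo, and an HMAC over the manifest stands in for the public-key signature the policy refers to so that it runs with the standard library only.

```python
import hashlib
import hmac
import json
from typing import Dict, List, Tuple

# Placeholder key for the demo. In production the manifest would be signed with a
# private key held in an HSM/KMS (Section 5.3), not authenticated with a shared secret.
MANIFEST_KEY = b"constructed-demo-key-not-for-real-use"

# Constructed sample delivery: relative path -> file bytes.
SAMPLE_DATASET: Dict[str, bytes] = {
    "cases/ca/2024-001.json": b'{"court":"CA Sup. Ct.","holding":"affirmed"}',
    "cases/ca/2024-002.json": b'{"court":"CA Sup. Ct.","holding":"reversed"}',
    "README.txt": b"Sample dataset delivery (constructed for the example).\n",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: Dict[str, bytes]) -> Tuple[bytes, str]:
    """Producer side: canonical JSON of per-file SHA-256 digests plus an HMAC tag over it."""
    digests = {path: sha256_hex(data) for path, data in files.items()}
    # Canonical encoding (sorted keys, no whitespace): identical content -> identical bytes -> identical tag.
    manifest = json.dumps(digests, sort_keys=True, separators=(",", ":")).encode()
    tag = hmac.new(MANIFEST_KEY, manifest, hashlib.sha256).hexdigest()
    return manifest, tag


def verify_delivery(files: Dict[str, bytes], manifest: bytes, tag: str) -> List[str]:
    """Consumer side: return tamper alerts; an empty list means the delivery is intact."""
    # 1. Authenticate the manifest before trusting anything in it.
    expected = hmac.new(MANIFEST_KEY, manifest, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, tag):
        return ["MANIFEST_TAMPERED: authentication tag mismatch; manifest not trusted"]
    digests: Dict[str, str] = json.loads(manifest)
    alerts: List[str] = []
    # 2. Every listed file must be present and byte-identical to what was authenticated.
    for path, want in digests.items():
        if path not in files:
            alerts.append(f"MISSING: {path}")
        elif not hmac.compare_digest(sha256_hex(files[path]), want):
            alerts.append(f"MODIFIED: {path}")
    # 3. Files the manifest does not cover are unverified, so they are flagged rather than accepted.
    for path in files:
        if path not in digests:
            alerts.append(f"UNEXPECTED: {path}")
    return sorted(alerts)


def demo() -> None:
    manifest, tag = build_manifest(SAMPLE_DATASET)
    print("intact delivery:", verify_delivery(SAMPLE_DATASET, manifest, tag))
    tampered = dict(SAMPLE_DATASET)
    tampered["cases/ca/2024-002.json"] = b'{"court":"CA Sup. Ct.","holding":"altered"}'
    tampered["cases/ca/extra.json"] = b"{}"
    print("tampered delivery:", verify_delivery(tampered, manifest, tag))
    print("forged manifest:", verify_delivery(SAMPLE_DATASET, manifest + b" ", tag))


if __name__ == "__main__":
    demo()
```

Each alert string is what a tamper-detection event would carry into the audit log described in Section 15.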

3.4 Secure Data Deletion

When data is deleted (per user request or retention schedule), we use certified secure deletion methods ensuring data cannot be recovered. Deletion procedures comply with NIST SP 800-88 guidelines and are subject to audit verification.

4. Access Controls and Authentication

4.1 Authentication Methods

  • Multi-Factor Authentication (MFA): Required for all customer accounts and mandatory for administrative access. Supported methods include TOTP (Google Authenticator, Authy), security keys (FIDO2/WebAuthn), and SMS (phased out in favor of FIDO2).
  • Single Sign-On (SSO): Enterprise customers may use SAML 2.0 or OpenID Connect (OIDC) for integrated authentication.
  • API Keys and Tokens: Customers may generate API keys for programmatic access; tokens are securely generated, rotated regularly, and revocable.

4.2 Authorization and Access Control

Access is controlled via role-based access control (RBAC) implementing the principle of least privilege:

  • Admin Role: Full system access (restricted to designated personnel).
  • Data Manager: Can manage datasets, configure access, export data.
  • User Role: Can access assigned datasets, download files, submit support tickets.
  • Read-Only Role: View-only access to designated datasets (no modifications).
  • Guest Role: Limited access to public information and trial datasets.

4.3 Session Management

Sessions are managed securely with automatic timeout (30 minutes of inactivity), secure session tokens (httpOnly, secure, sameSite flags), and protection against session fixation and hijacking attacks.
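The controls listed above in working form, as an added example (not Entropy Partners' own code): a server-side session store with a CSPRNG token, a 30-minute sliding inactivity timeout enforced on the server, a fresh token issued at login so a pre-login identifier cannot be fixed by an attacker, and the Set-Cookie flags named in the policy. The cookie name, timestamps and user id are assumptions for the demo.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional

IDLE_TIMEOUT = timedelta(minutes=30)   # inactivity limit stated in Section 4.3
COOKIE_NAME = "sid"                    # hypothetical cookie name


@dataclass
class Session:
    user_id: Optional[str]   # None until the user authenticates
    created: datetime
    last_seen: datetime


class SessionStore:
    """Server-side session store (in-memory stand-in for Redis or a database table)."""

    def __init__(self) -> None:
        # Keyed by SHA-256 of the token: a leaked store yields no usable cookies, and the
        # hashed lookup avoids needing a constant-time comparison of the raw token.
        self._sessions: Dict[str, Session] = {}

    @staticmethod
    def _new_token() -> str:
        return secrets.token_urlsafe(32)   # 256 bits from the OS CSPRNG, no user data inside

    @staticmethod
    def _key(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def create(self, now: datetime) -> str:
        """Anonymous (pre-login) session; returns the token to place in the cookie."""
        token = self._new_token()
        self._sessions[self._key(token)] = Session(None, now, now)
        return token

    def lookup(self, token: str, now: datetime) -> Optional[Session]:
        """Return the live session for `token`, or None if unknown or idle for more than 30 minutes."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if now - sess.last_seen > IDLE_TIMEOUT:
            del self._sessions[key]   # expire server-side, not only via the cookie's Max-Age
            return None
        sess.last_seen = now          # sliding window: activity extends the session
        return sess

    def login(self, old_token: str, user_id: str, now: datetime) -> str:
        """Bind the user to a NEW token and drop the old one (session fixation defense)."""
        self._sessions.pop(self._key(old_token), None)
        token = self._new_token()
        self._sessions[self._key(token)] = Session(user_id, now, now)
        return token

    def logout(self, token: str) -> None:
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token: str) -> str:
    """Set-Cookie value with the flags named in Section 4.3: HttpOnly, Secure, SameSite."""
    return (f"{COOKIE_NAME}={token}; Path=/; HttpOnly; Secure; SameSite=Strict; "
            f"Max-Age={int(IDLE_TIMEOUT.total_seconds())}")


def walkthrough() -> Dict[str, object]:
    """Exercise the timeout and fixation defenses with fixed timestamps; returns the outcomes."""
    t0 = datetime(2025, 12, 3, 12, 0, tzinfo=timezone.utc)
    store = SessionStore()
    anon = store.create(t0)
    active = store.lookup(anon, t0 + timedelta(minutes=10)) is not None   # 10 min idle: valid
    expired = store.lookup(anon, t0 + timedelta(minutes=41)) is None      # 31 min idle: gone
    pre = store.create(t0)
    post = store.login(pre, "user-42", t0)
    bound = store.lookup(post, t0)
    return {
        "active_after_10_min": active,
        "expired_after_31_min_idle": expired,
        "old_token_rejected_after_login": store.lookup(pre, t0) is None,
        "new_token_bound_to_user": bound.user_id if bound else None,
        "cookie": set_cookie_header(post),
    }


if __name__ == "__main__":
    for name, value in walkthrough().items():
        print(f"{name}: {value}")
```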

4.4 Privileged Access Management (PAM)

Administrative and database access is controlled through a centralized PAM solution requiring: (a) strong authentication (MFA); (b) request/approval workflows; (c) session recording and audit; (d) automatic credential rotation; (e) time-limited access windows.

5. Encryption Standards

5.1 Encryption in Transit

All data in transit is encrypted using TLS 1.2 or higher (modern implementations use TLS 1.3) with strong cipher suites:

  • Website and API connections: TLS 1.3 with ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) for perfect forward secrecy.
  • Email communications: TLS encryption (STARTTLS) where recipient infrastructure supports.
  • Database connections: TLS encryption with certificate validation.
  • File transfers: Encrypted via SFTP, SCP, or TLS-encrypted protocols (not unencrypted FTP or HTTP).

SSL/TLS certificates are issued by trusted Certificate Authorities and include domain validation; extended validation (EV) certificates are used for public-facing services.

5.2 Encryption at Rest

All sensitive data at rest is encrypted using AES-256 (Advanced Encryption Standard with 256-bit keys) or equivalent:

  • Database Encryption: Transparent Data Encryption (TDE) or application-level encryption of sensitive columns.
  • Storage Encryption: AWS KMS, Google Cloud KMS, or equivalent managed key services for block storage and object storage.
  • Backup Encryption: All backups encrypted with unique keys; encryption keys are distinct from production keys.
  • Key Management: Encryption keys are generated, stored, and managed by hardware security modules (HSMs) or managed key services; keys are never stored in application code or unencrypted configuration.

5.3 Key Management

We implement comprehensive key management controls:

  • Key Generation: Cryptographically secure random key generation using CSPRNG (Cryptographically Secure Pseudo-Random Number Generator).
  • Key Storage: Keys stored in HSMs or managed key services (never in code, logs, or configuration files).
  • Key Rotation: Keys rotated regularly (annual minimum) or upon compromise suspicion.
  • Key Separation: Data encryption keys are distinct from key encryption keys; keys are compartmentalized by environment and data classification.
  • Access Control: Key access is restricted to authorized services and personnel via IAM policies.
  • Key Escrow: For compliance purposes, key material may be escrowed with a trusted third party per legal agreement.

6. Network Security

6.1 DDoS Protection

We employ multi-layered DDoS protection:

  • Cloudflare, AWS Shield, or equivalent managed DDoS mitigation services.
  • Rate limiting and traffic throttling to prevent resource exhaustion.
  • Automatic scaling to absorb traffic spikes.
  • Geographic filtering and traffic pattern analysis.
  • Incident playbooks and automated mitigation procedures.

6.2 Firewalls and Intrusion Detection

Network access is controlled via stateful firewalls and Web Application Firewalls (WAF):

  • Inbound traffic: Restricted to necessary ports (HTTPS/443, HTTP/80, SSH/22 for admin only).
  • Outbound traffic: Egress filtering prevents unauthorized data exfiltration and command-and-control communications.
  • IDS/IPS: Network-based intrusion detection and prevention systems monitor for attack patterns.
  • WAF: Protects against OWASP Top 10 vulnerabilities (SQL injection, XSS, CSRF, etc.).

6.3 Network Segmentation

Networks are segmented into security zones with controlled inter-zone traffic:

  • DMZ (Demilitarized Zone): Public-facing web servers and APIs; isolated from internal systems.
  • Application Tier: Application servers; access restricted from DMZ.
  • Data Tier: Databases and sensitive storage; access restricted to application servers only.
  • Administrative Zone: Management and monitoring systems; isolated from production with controlled jump-host access.

6.4 VPN and Secure Communication

Employees and authorized partners connect via VPN (Virtual Private Network) using: (a) strong encryption (IKEv2, OpenVPN, WireGuard); (b) certificate-based authentication; (c) MFA; (d) endpoint security verification (only compliant devices allowed).

7. Incident Response and Breach Notification

7.1 Incident Response Plan

We maintain a documented incident response plan addressing: (a) detection and alerting; (b) triage and escalation; (c) containment and eradication; (d) recovery and validation; (e) post-incident review and improvement.

Our Incident Response Team includes representatives from security, legal, operations, and executive leadership with defined roles and responsibilities.

7.2 Security Monitoring and Detection

We operate a 24/7 Security Operations Center (SOC) monitoring for suspicious activity:

  • SIEM (Security Information and Event Management) aggregating logs from all systems.
  • Automated alerts for anomalous activity (failed login attempts, unusual data access, unauthorized configuration changes).
  • Threat intelligence feeds detecting known malicious indicators.
  • Manual threat hunting for advanced persistent threats and insider threats.

7.3 Data Breach Notification

If we discover a confirmed or suspected data breach involving Personal Data, we will:

  • Notify Affected Individuals: Without undue delay and no later than 72 hours (per GDPR) or as required by applicable law.
  • Notify Regulatory Authorities: Where required (e.g., national Data Protection Authorities under GDPR, California Attorney General under CCPA).
  • Notify Business Partners: Where your data may be impacted and you have contracted with third parties.
  • Provide Breach Details: Description of the breach, data affected, likely impact, steps we are taking, and protective measures individuals can take.

7.4 Post-Incident Review

After incidents, we conduct root cause analysis, document findings, and implement preventive measures. Lessons learned are shared with the security team and integrated into our security program.

8. Business Continuity and Disaster Recovery

8.1 Business Continuity Planning

We maintain a comprehensive Business Continuity Plan (BCP) addressing:

  • Identification of critical business functions and dependencies.
  • Recovery Time Objective (RTO) and Recovery Point Objective (RPO) targets for each critical system.
  • Incident escalation procedures and communication protocols.
  • Alternative work site and remote work procedures.
  • Customer notification and communication templates.
  • Contingency resources (backup suppliers, alternative hosting, emergency fund).

8.2 Disaster Recovery (DR)

Our Disaster Recovery Plan includes:

  • Backup Strategy: Automated daily backups with multiple copies (on-site and geographically dispersed off-site).
  • Backup Encryption: All backups encrypted with encryption keys segregated from production keys.
  • Backup Testing: Monthly restore tests to verify backup integrity and recovery procedures.
  • Replication: Real-time data replication to secondary data center (RPO < 1 hour).
  • Failover Procedures: Automated failover with manual override capabilities; tested quarterly.
  • RTO/RPO Targets: Critical systems: RTO < 4 hours, RPO < 1 hour; non-critical systems: RTO < 24 hours, RPO < 24 hours.

8.3 Disaster Recovery Testing

We conduct quarterly disaster recovery drills simulating full-system failures, validating recovery procedures, and identifying improvement areas. Results are documented and shared with leadership.

8.4 Geographic Redundancy

Systems are deployed across geographically dispersed regions reducing single-point-of-failure risk. Primary and secondary data centers are separated by sufficient distance to survive regional disasters.

9. Vulnerability Management and Patch Management

9.1 Vulnerability Scanning

We perform continuous vulnerability scanning and assessments:

  • Automated Scanning: Weekly network and application vulnerability scans using industry tools (Nessus, Qualys, Acunetix).
  • Dependency Scanning: Automated scanning of software dependencies for known vulnerabilities using OWASP Dependency-Check and similar tools.
  • SAST (Static Application Security Testing): Code analysis during development to identify vulnerabilities before deployment.
  • DAST (Dynamic Application Security Testing): Runtime testing simulating attacker actions (penetration testing).
  • Container Scanning: Docker and container image scanning for known vulnerabilities.

9.2 Vulnerability Assessment and Prioritization

Vulnerabilities are assessed and prioritized based on:

  • CVSS (Common Vulnerability Scoring System) severity score.
  • Exploitability (presence of public exploits, active attacks).
  • Affected asset criticality and data sensitivity.
  • Compensating controls reducing risk.

Critical vulnerabilities (CVSS > 9.0) are remediated within 24-48 hours; high severity (CVSS 7-9) within 7 days; medium (CVSS 4-6) within 30 days; low (< 4) within 60-90 days.

9.3 Patch Management

We maintain a comprehensive patch management program:

  • Continuous monitoring of vendor security advisories and threat intelligence.
  • Testing patches in pre-production environments before deployment.
  • Staged rollout to production (dev → staging → production).
  • Emergency hotfixes for zero-day vulnerabilities or active attacks.
  • Automatic patching of non-critical systems; manual review for critical systems.
  • Audit of patch deployment and compliance.

9.4 Third-Party Penetration Testing

We conduct annual third-party penetration testing by qualified security firms to identify vulnerabilities that automated tools may miss. Tests follow NIST guidelines and include both external and internal testing scenarios.

10. Regulatory Compliance Framework

10.1 Compliance Governance

We maintain a Compliance Program addressing applicable regulations through:

  • Compliance Officer: Designated officer responsible for regulatory monitoring and implementation.
  • Compliance Dashboard: Tracking implementation status and remediation of compliance gaps.
  • Policy Framework: Documented policies for each applicable regulation.
  • Training: Annual compliance training for all employees.
  • Audit Schedule: Regular internal and external audits of compliance controls.
  • Remediation Process: Systematic tracking and closure of audit findings.

10.2 Compliance Certifications

Entropy Partners maintains or works toward the following compliance certifications:

  • SOC 2 Type II: Security, availability, processing integrity, confidentiality, and privacy attestation (annual audit).
  • ISO 27001: Information Security Management System certification (annual audit).
  • GDPR Compliance: Documented compliance with EU General Data Protection Regulation (see Section 11).
  • CCPA Compliance: Documented compliance with California Consumer Privacy Act (see Section 12).

11. GDPR Compliance

11.1 Data Processing Addendum (DPA)

For EU/EEA customers, we execute a GDPR-compliant Data Processing Addendum (DPA) that governs Personal Data processing and includes:

  • Specification of processing scope, duration, nature, and purpose.
  • Data subject categories and types of Personal Data.
  • Company as Data Processor; customer as Data Controller.
  • Obligation to process data only on documented instructions.
  • Confidentiality and security requirements for personnel.
  • Sub-processor engagement with prior notice and approval.
  • Data subject rights assistance (access, rectification, deletion, portability).
  • Deletion or return of data upon termination.
  • Audit and inspection rights.
  • Data Protection Impact Assessment (DPIA) support.
  • Breach notification procedures (72-hour notification).
  • International transfer mechanisms (Standard Contractual Clauses).

11.2 Data Protection Officer (DPO)

A Data Protection Officer (DPO) is designated and available at privacy@entropyauction.com. The DPO: (a) monitors GDPR compliance; (b) serves as contact for data subjects and authorities; (c) conducts privacy impact assessments; (d) maintains records of processing activities.

11.3 Standard Contractual Clauses (SCCs)

For data transfers from the EU to the US, we implement Standard Contractual Clauses (Module Two: Controller to Processor) as approved by the EU Commission. SCCs are supplemented by Transfer Impact Assessments (TIA) evaluating US surveillance laws and the adequacy of supplementary safeguards.

11.4 Data Subject Rights

We assist customers in fulfilling data subject requests including access (Article 15), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21) rights within 30 days.

11.5 Records of Processing Activities (ROPA)

We maintain comprehensive Records of Processing Activities (ROPA) documenting all Personal Data processing, including purposes, recipients, retention, and security measures, available for audit upon request.

12. CCPA Compliance

12.1 Consumer Rights

For California residents, we comply with CCPA consumer rights (see Privacy Policy Section 14):

  • Right to Know (access), Right to Delete, Right to Correct, Right to Opt-Out of Sale/Sharing, Right to Limit Use.
  • Right to Non-Discrimination for exercising privacy rights.
  • Right to Authorized Agent representation.

12.2 Transparency and Disclosures

Our Privacy Policy discloses: (a) categories of Personal Information collected; (b) purposes of collection and use; (c) categories of third parties with whom we share information; (d) consumer rights; (e) contact information for privacy inquiries.

12.3 Opt-Out Mechanisms

Consumers may opt-out of data "sale" or "sharing" via: (a) "Do Not Sell or Share My Personal Information" link in website footer; (b) browser Global Opt-Out signal (CalOPPA); (c) email to privacy@entropyauction.com.

12.4 Verification and Response

We verify consumer identity before responding to rights requests and respond within 45 days (extendable by 45 days for complex requests). Verification may include: (a) email confirmation; (b) account information matching; (c) third-party identity verification service.

12.5 Sale/Sharing Restrictions

We do not sell Personal Information for monetary consideration. We may share Personal Information with advertising partners for targeted marketing; consumers may opt-out as described above.

13. AML/KYC Compliance

13.1 Anti-Money Laundering (AML) Program

We implement an AML program complying with FinCEN regulations and FATF recommendations:

  • Know Your Customer (KYC): Verify customer identity during account creation; maintain records for 5 years.
  • Customer Due Diligence (CDD): Understand customer business, beneficial ownership, and source of funds.
  • Enhanced Due Diligence (EDD): For high-risk customers (politically exposed persons, jurisdictions with weak AML controls).
  • Sanctions Screening: Screen customers against OFAC, BIS, State Department, and UN sanctions lists at account creation and ongoing (quarterly minimum).
  • Transaction Monitoring: Monitor transactions for suspicious patterns (structuring, high-risk jurisdictions, unusual amounts).
  • Suspicious Activity Reporting (SAR): File SARs with FinCEN for transactions indicating potential money laundering or terrorist financing.
  • Record Retention: Maintain customer records and transaction logs for 10 years (or as required by law).

13.2 Sanctions Screening

We use automated sanctions screening tools to check customers and transactions against:

  • OFAC SDN (Specially Designated Nationals) List.
  • BIS Denied Parties List (DPL).
  • State Department Debarred List.
  • UN Security Council sanctions lists.
  • INTERPOL, Europol, and other law enforcement lists.

13.3 AML Compliance Officer

A designated Compliance Officer oversees AML/KYC compliance, conducts annual compliance audits, maintains documentation, and serves as liaison with regulatory authorities. AML policies are reviewed annually and updated to reflect regulatory changes.

14. Export Control and Sanctions Compliance

14.1 Export Control Framework

We comply with US export control laws including Export Administration Regulations (EAR) and International Traffic in Arms Regulations (ITAR):

  • Denied Parties Screening: Customers screened against BIS Denied Parties List (DPL) at account creation.
  • Embargoed Country Restrictions: Access prohibited from embargoed countries (Iran, North Korea, Syria, Cuba, Crimea) via IP geolocation and account restrictions.
  • Prohibited End-Uses: Service not permitted for nuclear, missile, chemical, or biological weapons applications.
  • Technology Control Plans: For potential dual-use technology, we conduct reviews and obtain necessary licenses.
  • License Documentation: Maintain records of export licenses, deemed exports, and compliance determinations.

14.2 Sanctions Compliance

We comply with OFAC sanctions programs:

  • Comprehensive Sanctions Programs (countries and regions under embargo).
  • Targeted Sanctions Programs (designated individuals and entities).
  • Sectoral Sanctions (restrictions on trade with specific sectors in sanctioned countries).

Access is denied to individuals and entities on OFAC lists and from embargoed jurisdictions. Service in sanctioned countries is provided only where legally permitted.

14.3 Audit and Reporting

We maintain export control audit trails and, if required by regulation or license, submit compliance reports to relevant agencies (BIS, State Department, Treasury).

15. Audit Logging and Monitoring

15.1 Audit Logging

Comprehensive logging captures security-relevant events:

  • Authentication: Login attempts (successful and failed), password changes, MFA events.
  • Authorization: Permission changes, role assignments, access grants.
  • Data Access: Dataset downloads, file access, query execution, export operations.
  • Administrative Actions: Configuration changes, user management, system updates.
  • Security Events: Firewall blocks, IDS/IPS alerts, vulnerability scanner findings.

Logs are immutable (tamper-evident), retained for a minimum of 12 months, and encrypted at rest.

15.2 Log Analysis and Alerting

Logs are centralized in a SIEM (Security Information and Event Management) system with:

  • Real-time alerting for security events (brute-force attacks, privilege escalation, unauthorized access).
  • Automated correlation detecting attack patterns (e.g., reconnaissance activities).
  • Manual threat hunting for advanced threats.
  • Reporting and dashboards for security team and management.
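One of the real-time alerts listed above, brute-force detection, as an added example that is not Entropy Partners' SIEM content: a sliding-window rule run over constructed JSON login records of the kind Section 15.1 describes, keyed once by source IP and once by account, with an escalation when a key that tripped the rule then logs in successfully. The 5-failures-in-5-minutes threshold, field names and sample records are assumptions for the demo.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Set

WINDOW = timedelta(minutes=5)   # assumed window; the policy states no threshold
THRESHOLD = 5                   # assumed failure count per window

# Constructed sample of JSON login records (one per line), as a SIEM would ingest them.
SAMPLE_LOG = """\
{"ts":"2025-12-03T12:00:01Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:09Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:17Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:25Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:33Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:41Z","event":"login","result":"failure","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:00:50Z","event":"login","result":"success","user":"alice","src_ip":"203.0.113.7"}
{"ts":"2025-12-03T12:03:00Z","event":"login","result":"failure","user":"bob","src_ip":"198.51.100.1"}
{"ts":"2025-12-03T12:03:05Z","event":"login","result":"failure","user":"bob","src_ip":"198.51.100.2"}
{"ts":"2025-12-03T12:03:10Z","event":"login","result":"failure","user":"bob","src_ip":"198.51.100.3"}
{"ts":"2025-12-03T12:03:15Z","event":"login","result":"failure","user":"bob","src_ip":"198.51.100.4"}
{"ts":"2025-12-03T12:03:20Z","event":"login","result":"failure","user":"bob","src_ip":"198.51.100.5"}
{"ts":"2025-12-03T12:10:00Z","event":"login","result":"failure","user":"carol","src_ip":"192.0.2.9"}
{"ts":"2025-12-03T12:20:00Z","event":"login","result":"failure","user":"carol","src_ip":"192.0.2.9"}
{"ts":"2025-12-03T12:20:30Z","event":"login","result":"success","user":"carol","src_ip":"192.0.2.9"}
"""


def parse_log(text: str) -> List[dict]:
    """Parse JSON-lines records and return them in time order (collector output may be unordered)."""
    events = []
    for line in text.splitlines():
        if line.strip():
            rec = json.loads(line)
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect_bruteforce(events: List[dict], key_field: str,
                      window: timedelta = WINDOW, threshold: int = THRESHOLD) -> List[dict]:
    """Alert once per key (IP or account) when failed logins inside `window` reach `threshold`,
    and escalate if that key subsequently logs in successfully."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)
    alerted: Set[str] = set()
    alerts: List[dict] = []
    for rec in events:
        if rec.get("event") != "login":
            continue
        key = rec[key_field]
        if rec.get("result") == "success":
            if key in alerted:   # burst of failures then a success: treat as probable compromise
                alerts.append({"rule": "success_after_bruteforce", key_field: key, "ts": rec["ts"]})
            continue
        q = recent[key]
        q.append(rec["ts"])
        while q and rec["ts"] - q[0] > window:   # drop failures that fell out of the window
            q.popleft()
        if len(q) >= threshold and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": "bruteforce_by_" + key_field, key_field: key,
                           "count": len(q), "first": q[0], "last": rec["ts"]})
    return alerts


if __name__ == "__main__":
    ev = parse_log(SAMPLE_LOG)
    for alert in detect_bruteforce(ev, "src_ip") + detect_bruteforce(ev, "user"):
        print(alert)
```

Keying by account as well as by source IP is what catches the second pattern in the sample, where the failures against bob arrive from five different addresses and no single IP crosses the threshold.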

15.3 Audit Trail Access

Customers may request audit logs of their account activity (downloads, access, modifications) for compliance and forensic purposes. Logs are provided in standardized format (CSV, JSON) within 15 business days of request.

16. Third-Party Security and Vendor Management

16.1 Vendor Assessment

All third-party vendors with access to systems or data are assessed for security and compliance:

  • Security Assessment: Vendor security posture evaluated via questionnaire, documentation review, and on-site audit.
  • Certifications: Preferred vendors maintain SOC 2 Type II, ISO 27001, or equivalent.
  • Insurance: Vendors carry cyber liability, E&O, and general liability insurance.
  • Data Processing Agreements: All vendors sign DPAs governing data access and security obligations.
  • Financial Stability: Vendors assessed for financial viability and business continuity.

16.2 Data Processing Agreements (DPAs)

All vendor agreements include:

  • Specification of data types and volumes.
  • Security and encryption requirements.
  • Access controls and personnel confidentiality.
  • Sub-processor restrictions and approval requirements.
  • Audit and inspection rights.
  • Data return or destruction upon termination.
  • Indemnification for data breaches.
  • Compliance with applicable regulations (GDPR, CCPA, etc.).

16.3 Ongoing Vendor Monitoring

Vendors are monitored on an ongoing basis via:

  • Annual security assessments and recertifications.
  • Audit rights exercised periodically or upon request.
  • Incident notification requirements and breach communication.
  • Performance metrics and SLA monitoring.
  • Regulatory update tracking and compliance changes.

16.4 Critical Vendor List

Critical vendors (cloud providers, payment processors, security tools) are subject to enhanced due diligence, more frequent audits, and contractual guarantees of business continuity and disaster recovery capabilities.

17. Employee Security and Training

17.1 Background Checks and Vetting

All employees and contractors undergo background checks including:

  • Criminal history (7-year lookback minimum).
  • Employment history verification.
  • Reference checks.
  • For certain roles: credit check (financial position), drug test.

17.2 Confidentiality and NDAs

All employees, contractors, and vendors sign Confidentiality and Non-Disclosure Agreements (NDAs) covering:

  • Prohibition on unauthorized disclosure of customer data, source code, security practices.
  • Prohibition on use of confidential information for personal gain or competitive advantage.
  • Survival of obligations beyond employment termination.
  • Liquidated damages and injunctive relief for breaches.

17.3 Security Training and Awareness

All employees receive mandatory security and privacy training:

  • Onboarding: Security policies, acceptable use, incident reporting (within 30 days of hire).
  • Annual: Updated security and compliance training, phishing simulations, password hygiene.
  • Role-Specific: Additional training for roles with privileged access (administrators, developers, security team).
  • Incident-Triggered: Security reminders following security incidents or policy violations.

17.4 Acceptable Use Policy

Our Acceptable Use Policy prohibits:

  • Unauthorized access to systems or data.
  • Sharing credentials or access tokens.
  • Circumventing security controls.
  • Downloading or copying customer data for unauthorized purposes.
  • Use of company systems for personal/competitive purposes.
  • Connection of unauthorized devices to company networks.

17.5 Offboarding Procedures

Upon employment termination, we promptly: (a) disable account access; (b) revoke API keys and tokens; (c) remove VPN certificates; (d) recover company equipment; (e) audit data access logs for unauthorized activity; (f) confirm that signed non-compete and confidentiality obligations remain in force.

18. Security Certifications and Attestations

18.1 SOC 2 Type II

We maintain SOC 2 Type II compliance, independently audited annually by Big Four accounting firms. The SOC 2 attestation covers: Security, Availability, Processing Integrity, Confidentiality, and Privacy. Reports are available to prospective and current customers under NDA.

18.2 ISO 27001

We pursue ISO 27001 (Information Security Management System) certification demonstrating systematic information security governance.

18.3 Compliance Certifications

Additional certifications include GDPR compliance documentation, CCPA attestations, and AML/KYC program certifications available upon request.

18.4 Attestation Access

Customers may request access to certifications, audit reports, and compliance attestations under mutual non-disclosure agreements. Enterprise customers typically receive audit reports; smaller customers may receive executive summaries or trust certificates.

19. Security Best Practices

19.1 Secure Development Lifecycle (SDLC)

Our development process incorporates security at each stage:

  • Requirements: Security requirements defined for all features.
  • Design: Threat modeling identifies potential vulnerabilities; secure design patterns applied.
  • Development: Secure coding practices (input validation, output encoding, parameterized queries); code review by security team.
  • Testing: Security testing includes SAST, DAST, and manual pen testing.
  • Deployment: Security deployment checklist; staged rollout with monitoring.
  • Maintenance: Ongoing vulnerability management and security updates.

19.2 Secure Configuration Management

Systems are deployed from hardened base configurations:

  • Operating system hardening (unnecessary services disabled, minimal attack surface).
  • Secure default settings (strong TLS cipher suites, secure headers, disable debug modes).
  • Configuration as Code (IaC) ensuring consistency and change tracking.
  • Configuration audits detecting drift from baseline.

19.3 Principle of Least Privilege (PoLP)

Users and systems are granted only minimum necessary access:

  • Employees restricted to datasets and systems required for their role.
  • Service accounts limited to necessary permissions (not admin/root).
  • Database users segregated by role with minimal necessary permissions.
  • Periodic access reviews removing unnecessary permissions.

19.4 Defense in Depth

Multiple layers of controls ensure that compromise of one layer does not expose systems. Controls include: firewalls, WAF, application-level validation, database encryption, audit logging, and incident response.

20. Responsible Disclosure Policy

20.1 Vulnerability Reporting

We welcome security researchers and the security community to report vulnerabilities responsibly. To report a vulnerability:

  • Email security@entropyauction.com with detailed vulnerability information (do not post it publicly).
  • Include proof-of-concept or reproduction steps.
  • Allow minimum 90 days for our team to develop and deploy a fix before public disclosure.
  • Do not exploit or attempt unauthorized access beyond what is necessary to demonstrate the vulnerability.
  • Do not disclose the vulnerability to third parties without our written consent.

20.2 Bounty Program

We may offer security research bounties for valid, high-severity vulnerabilities. Bounty amounts depend on severity, exploitability, and impact. Bounty program details available upon request for qualified researchers.

20.3 Vulnerability Handling

Upon receipt of a vulnerability report, we: (a) acknowledge receipt within 24 hours; (b) triage and assess impact; (c) develop and test a fix; (d) deploy fix with security update notification; (e) credit researcher (with permission) in security advisory.

20.4 No Legal Action

Researchers acting in good faith (responsible disclosure) will not face legal action for security research activities. We do not hold researchers liable for inadvertent data access incidental to vulnerability demonstration.

21. Contact and Reporting

For security questions, compliance inquiries, or to report vulnerabilities, please contact:

Entropy Partners, Inc.
Security and Compliance Team
Security Issues: security@entropyauction.com
Privacy and GDPR: privacy@entropyauction.com
Compliance: compliance@entropyauction.com
Legal: legal@entropyauction.com
General Support: support@entropyauction.com
Website: entropyauction.com

We aim to respond to security inquiries within 24 hours. For urgent security incidents, include "URGENT" in the subject line.

Security Update Notifications: Subscribe to our security advisory mailing list at security@entropyauction.com to receive notifications of security updates, patches, and advisory information.

© Entropy Partners, LLC. All rights reserved. EIN: 39-3734378