Security Exhibit
Effective Date: December 10, 2025 • Document Version: 1.1
1. Security Program Overview
1.1 Security Commitment
Talent& maintains a comprehensive information security program designed to protect Customer Content against unauthorized access, use, disclosure, alteration, or destruction. This program is based on industry-recognized frameworks and is appropriate for the nature, size, and complexity of Talent&'s operations and the sensitivity of the data processed.
1.2 Framework Alignment
Talent&'s security program is aligned with:
- NIST Cybersecurity Framework (CSF) 2.0
- SOC 2 Type II Trust Service Criteria (Security, Availability, Confidentiality)
- ISO 27001:2022 Information Security Management System principles
- CIS Controls v8 Critical Security Controls
1.3 Security Governance
| Role | Responsibility |
|---|---|
| CEO / Founder | Executive accountability for security program |
| Security Lead | Day-to-day security operations and incident response |
| External Security Advisor | Periodic security assessments and guidance |
2. Infrastructure Security
2.1 Cloud Infrastructure
Talent&'s Services are hosted on Google Cloud Platform (GCP), leveraging GCP's security certifications and controls:
| GCP Certification | Scope |
|---|---|
| SOC 1/2/3 | Data center operations |
| ISO 27001, 27017, 27018 | Information security management |
| FedRAMP | U.S. government cloud requirements |
| PCI DSS Level 1 | Payment card industry |
2.2 Data Center Security
GCP data centers provide:
- Physical Security: 24/7 security personnel, biometric access controls, CCTV surveillance
- Environmental Controls: Redundant power, cooling, fire suppression
- Network Security: DDoS protection, intrusion detection, network segmentation
- Compliance: Regular third-party audits and certifications
2.3 Data Residency
| Data Type | Storage Location |
|---|---|
| Customer Content | United States (GCP us-central1) |
| Backups | United States (GCP multi-region) |
| Logs | United States |
Talent& will not transfer Customer Content outside the United States without Customer's prior written consent, except as necessary to provide the Services using authorized subprocessors.
3. Data Protection
3.1 Encryption
| Data State | Encryption Standard | Key Management |
|---|---|---|
| In Transit | TLS 1.2+ (TLS 1.3 preferred) | Automatic certificate rotation |
| At Rest | AES-256 | Google Cloud KMS, customer-managed keys available |
| Backups | AES-256 | Separate encryption keys |
Certificate Management:
- TLS certificates issued by trusted Certificate Authorities
- Automatic renewal before expiration
- HSTS (HTTP Strict Transport Security) enabled
- Certificate Transparency logging
3.2 Data Segregation
- Logical Separation: Customer data is logically separated using unique identifiers
- Database Isolation: Each customer's data is isolated within dedicated collections
- Access Controls: Role-based access ensures personnel cannot access data across customers
3.3 Data Handling
| Practice | Implementation |
|---|---|
| Data Classification | Customer Content classified as Confidential |
| Data Minimization | Collect only data necessary for Services |
| Purpose Limitation | Use data only for specified purposes |
| Storage Limitation | Delete data per retention policy |
4. Access Control
4.1 Authentication
Customer Authentication:
- Email/password with strong password requirements
- Multi-factor authentication (MFA) available
- SSO integration (SAML 2.0, OIDC) available for Enterprise plans
- Session timeout after 30 minutes of inactivity
Internal Authentication:
- Unique user accounts for all personnel
- Multi-factor authentication required
- SSH key-based authentication for infrastructure
- No shared credentials
4.2 Authorization
| Control | Implementation |
|---|---|
| Least Privilege | Access limited to minimum necessary |
| Role-Based Access Control (RBAC) | Defined roles with specific permissions |
| Separation of Duties | Critical functions require multiple approvals |
| Access Reviews | Quarterly review of access rights |
4.3 Password Policy
| Requirement | Standard |
|---|---|
| Minimum Length | 12 characters |
| Complexity | Uppercase, lowercase, number, special character |
| History | Managed by Firebase Auth |
| Expiration | Not enforced (Firebase Auth managed) |
| Lockout | 5 failed attempts trigger a 30-minute lockout |
5. Network Security
5.1 Network Architecture
- VPC (Virtual Private Cloud): Isolated network environment
- Network Segmentation: Separate subnets for different tiers
- Private Connectivity: Internal services communicate via private networks
- Load Balancing: GCP Cloud Load Balancing with TLS termination
5.2 Perimeter Security
| Control | Implementation |
|---|---|
| Firewall | GCP VPC firewall rules, default deny |
| DDoS Protection | GCP Cloud Armor |
| WAF | Web Application Firewall rules |
| Intrusion Detection | GCP Security Command Center |
5.3 API Security
- Rate Limiting: Request limits per API key
- Input Validation: Server-side validation of all inputs
- Output Encoding: Encoding of output to prevent injection attacks
- API Key Management: Secure generation, rotation, and revocation
6. Application Security
6.1 Secure Development Lifecycle (SDLC)
| Phase | Security Activities |
|---|---|
| Design | Threat modeling, security requirements |
| Development | Secure coding standards, peer review |
| Testing | SAST, DAST, dependency scanning |
| Deployment | Infrastructure as Code, immutable deployments |
| Operations | Monitoring, logging, incident response |
6.2 Code Security
- Static Analysis (SAST): Automated scanning for vulnerabilities
- Dependency Scanning: Monitoring for vulnerable dependencies
- Code Review: All changes require peer review before merge
- Branch Protection: Main branch protected, requires approvals
6.3 Vulnerability Management
| Activity | Frequency / Method |
|---|---|
| Dependency Updates | Weekly automated scanning, immediate for critical |
| Vulnerability Scanning | Automated via Dependabot and npm audit (CI pipeline) |
| Penetration Testing | Planned |
| Security Assessments | Ongoing internal review |
6.4 Third-Party AI Security
Talent& uses OpenAI's API for AI processing. Security measures include:
- Data Protection Agreement: OpenAI does not train models on API data
- Data Retention: OpenAI retains API data for up to 30 days, for trust and safety monitoring only
- Encryption: All API calls use TLS encryption
- Access Controls: API keys stored securely, rotated regularly
7. Endpoint Security
7.1 Corporate Devices
| Control | Implementation |
|---|---|
| Disk Encryption | Full disk encryption required |
| Endpoint Protection | Malware detection and prevention |
| Patch Management | Automatic security updates |
| Mobile Device Management | Remote wipe capability |
7.2 Remote Access
- VPN: Required for administrative access
- Zero Trust: Device posture validation
- Logging: All remote access logged and monitored
8. Personnel Security
8.1 Background Checks
All personnel with access to Customer Content undergo:
- Identity verification
- Criminal background check
- Reference verification
8.2 Security Training
| Training Type | Frequency |
|---|---|
| Security Awareness | Annual + onboarding |
| Secure Development | Annual for developers |
| Incident Response | Annual + post-incident |
| Phishing Simulation | Quarterly |
8.3 Confidentiality
- All personnel sign confidentiality agreements
- Access to Customer Content limited to need-to-know
- Termination procedures include access revocation within 24 hours
9. Incident Response
9.1 Incident Classification
| Severity | Description | Response Time |
|---|---|---|
| Critical (P1) | Active breach, data exfiltration | Immediate (< 1 hour) |
| High (P2) | Attempted breach, vulnerability exploit | < 4 hours |
| Medium (P3) | Security policy violation | < 24 hours |
| Low (P4) | Minor security event | < 72 hours |
9.2 Incident Response Process
- Detection: Monitoring, alerts, user reports
- Triage: Classification, severity assessment
- Containment: Isolate affected systems
- Eradication: Remove threat
- Recovery: Restore normal operations
- Lessons Learned: Post-incident review, improvements
9.3 Customer Notification
For Personal Data Breaches affecting Customer Content:
- Timeline: Notification within 72 hours of becoming aware
- Content: Nature of breach, data affected, mitigation steps, contact information
- Method: Email to designated security contact, followed by detailed written report
- Cooperation: Reasonable assistance with Customer's investigation and regulatory notifications
10. Business Continuity
10.1 Backup and Recovery
| Backup Type | Frequency | Retention | Location |
|---|---|---|---|
| Database | Continuous (point-in-time) | 30 days | GCP multi-region |
| Configuration | Daily | 90 days | GCP Cloud Storage |
| Logs | Real-time | 12 months | GCP Cloud Logging |
10.2 Recovery Objectives
| Metric | Target |
|---|---|
| Recovery Time Objective (RTO) | 4 hours |
| Recovery Point Objective (RPO) | 1 hour |
10.3 Disaster Recovery
- Multi-Region Architecture: Failover capability to secondary region
- DR Testing: Annual disaster recovery exercises
- Runbooks: Documented recovery procedures
11. Logging and Monitoring
11.1 Audit Logging
Talent& maintains logs of:
| Log Type | Contents | Retention |
|---|---|---|
| Authentication | Login attempts, MFA events | 24 months |
| Authorization | Access grants/denials | 24 months |
| Administrative | Configuration changes | 24 months |
| API Access | API calls, parameters (excluding content) | 12 months |
| Security Events | Alerts, incidents | 24 months |
11.2 Monitoring
- Real-Time Alerting: Automated alerts for security events
- 24/7 Monitoring: Critical systems monitored continuously
- Anomaly Detection: Unusual activity patterns flagged
- Performance Monitoring: Availability and performance metrics
11.3 Log Protection
- Logs are encrypted at rest and in transit
- Logs are immutable (append-only)
- Access to logs restricted to authorized personnel
- Logs are backed up to separate storage
12. Compliance and Audit
12.1 Certifications (Current or In Progress)
| Certification | Status | Scope |
|---|---|---|
| SOC 2 Type II | Controls implemented; formal audit planned | Security, Availability, Confidentiality |
| ISO 27001 | Planned | Information Security Management |
12.2 Third-Party Assessments
| Assessment | Frequency / Status |
|---|---|
| Penetration Testing | Planned |
| Vulnerability Assessment | Continuous (automated dependency scanning via CI) |
| Security Architecture Review | Ongoing internal review |
12.3 Customer Audit Rights
Upon Customer's written request (no more than once per year), Talent& will:
- Provide copies of relevant audit reports (SOC 2, penetration test summaries)
- Complete security questionnaires (SIG, CAIQ, custom)
- Participate in security due diligence calls
- Allow on-site audits with 30 days' notice (at Customer's expense)
All audit-related information is Talent& Confidential Information.
13. Subprocessor Security
13.1 Subprocessor Requirements
Before engaging subprocessors, Talent& ensures:
- Written data protection agreement in place
- Security practices meet Talent&'s standards
- Annual security review of critical subprocessors
13.2 Current Subprocessors
| Subprocessor | Purpose | Security Certifications |
|---|---|---|
| Google Cloud Platform | Infrastructure | SOC 2, ISO 27001, FedRAMP |
| Firebase / Firestore | Database, Authentication | SOC 2, ISO 27001 |
| OpenAI | AI Processing | SOC 2, security practices documented |
| Merge.dev | HRIS Integration | SOC 2 |
| Microsoft (OAuth) | Authentication | SOC 2, ISO 27001 |
14. Security Questionnaires
14.1 Standard Questionnaires
Talent& can provide responses to:
- SIG (Standardized Information Gathering) - Full or Lite
- CAIQ (Consensus Assessments Initiative Questionnaire) - CSA
- VSAQ (Vendor Security Assessment Questionnaire)
- Custom questionnaires (reasonable length)
14.2 Response Timeline
| Questionnaire Type | Response Time |
|---|---|
| SIG Lite (< 100 questions) | 5 business days |
| SIG Full / CAIQ | 10 business days |
| Custom (< 200 questions) | 10 business days |
| Custom (> 200 questions) | 15 business days |
15. Customer Responsibilities
Customer is responsible for:
| Area | Customer Responsibility |
|---|---|
| Access Management | Managing user accounts, access rights, MFA enrollment |
| Credentials | Protecting login credentials, API keys |
| User Training | Ensuring users understand security practices |
| Data Classification | Determining sensitivity of data provided |
| Compliance | Ensuring use of Services complies with applicable laws |
| Integration Security | Securing connections to third-party systems |
| Incident Reporting | Promptly reporting suspected security issues |
16. Security Contact
Security Inquiries
Solo Eleven, Inc.
Attn: Security Team
Email: hello@talentand.ai
Vulnerability Disclosure
To report security vulnerabilities, email hello@talentand.ai with:
- Description of the vulnerability
- Steps to reproduce
- Potential impact
Talent& commits to:
- Acknowledging receipt within 48 hours
- Providing status updates during investigation
- Not pursuing legal action against good-faith security researchers
17. Updates to This Exhibit
Talent& may update this Security Exhibit to reflect improvements to its security program. If an update materially diminishes the security protections, Talent& will notify Customer at least 30 days before the change takes effect.
Appendix A: Technical Security Controls Summary
| Control Category | Controls Implemented |
|---|---|
| Identity & Access | MFA, SSO, RBAC, least privilege, access reviews |
| Data Protection | Encryption (TLS 1.2+, AES-256), key management, data classification |
| Network Security | VPC, firewall, WAF, DDoS protection, network segmentation |
| Application Security | SDLC, code review, SAST/DAST, dependency scanning |
| Endpoint Security | Disk encryption, EDR, patch management |
| Logging & Monitoring | Audit logs, SIEM, real-time alerting, 24/7 monitoring |
| Incident Response | IR plan, 72-hour notification, post-incident review |
| Business Continuity | Backups, DR plan, 4-hour RTO, 1-hour RPO |
| Vendor Management | Subprocessor agreements, annual reviews |
| Compliance | SOC 2 controls implemented, automated dependency scanning |
Appendix B: Shared Responsibility Model
| Security Domain | Talent& Responsibility | Customer Responsibility |
|---|---|---|
| Physical Infrastructure | GCP data centers | N/A |
| Network Security | VPC, firewall, DDoS | N/A |
| Platform Security | Application, database | N/A |
| Identity Management | Authentication platform | User account management |
| Access Control | RBAC framework | User permissions, access reviews |
| Data Protection | Encryption, backups | Data classification, lawful basis |
| Endpoint Security | Corporate devices | Customer devices |
| User Training | Platform documentation | End-user security training |
| Compliance | Service compliance | Customer use compliance |
| Incident Response | Detection, containment, notification | Customer-side response, regulatory notification |
Last Updated: March 11, 2026