LLM ControlsLLM Controls
PricingFAQ
Log in

Legal

Security Addendum

Updated: May 2026

This Security Addendum describes the administrative, technical, organizational, and operational safeguards maintained by LLM Controls to protect Customer Data and support secure operation of the Services.

This Security Addendum applies to the Services provided under the LLM Controls Customer Terms of Service and any applicable order form or statement of work.

1. Security Program

LLM Controls maintains an information security program designed to protect Customer Data against unauthorized access, use, disclosure, alteration, destruction, and loss.

The security program includes administrative, technical, and operational safeguards appropriate to:

  • the nature of the Services;
  • the sensitivity of Customer Data;
  • applicable contractual obligations;
  • the evolving security threat environment.

Security practices are reviewed periodically and updated based on risk, product changes, operational requirements, and applicable compliance obligations.

2. Governance and Risk Management

LLM Controls maintains security governance practices including:

  • defined security ownership;
  • internal policies and procedures;
  • risk assessment processes;
  • operational security reviews;
  • compliance oversight.

Security responsibilities are assigned to accountable personnel.

Security policies and controls are reviewed and updated as necessary to address:

  • emerging threats;
  • product changes;
  • infrastructure changes;
  • customer requirements;
  • regulatory developments.

3. Access Control

Access to production systems and Customer Data is restricted using:

  • role-based access control;
  • least-privilege principles;
  • need-to-know authorization.

Privileged access is limited to authorized personnel whose responsibilities require such access.

Where available and technically supported, privileged access is protected using:

  • multi-factor authentication;
  • strong authentication controls;
  • access logging.

LLM Controls maintains processes for:

  • user provisioning;
  • access changes;
  • access removal;
  • periodic access review.

Access is revoked when no longer required.

Administrative activity may be logged and reviewed for security, operational, and compliance purposes.

4. Encryption and Data Protection

Customer Data is encrypted in transit using modern transport security protocols.

Customer Data is encrypted at rest using industry-standard encryption mechanisms where supported by the applicable hosting environment and architecture.

LLM Controls maintains key management practices aligned with:

  • cloud provider capabilities;
  • deployment architecture;
  • applicable security requirements.

Additional encryption, customer-managed keys, dedicated environments, or specialized controls may be provided where expressly agreed in an applicable order form.

5. Logging, Monitoring, and Detection

LLM Controls maintains logging and monitoring practices appropriate to the Services.

Logs may include:

  • authentication events;
  • authorization events;
  • administrative actions;
  • service activity;
  • system events;
  • security telemetry;
  • abnormal access patterns.

Monitoring is used to support:

  • security detection;
  • troubleshooting;
  • operational reliability;
  • incident investigation.

Access to logs is restricted to authorized personnel.

6. Vulnerability Management

LLM Controls maintains vulnerability management practices designed to identify, assess, prioritize, and remediate security risks.

Practices may include:

  • dependency monitoring;
  • vulnerability scanning;
  • secure configuration review;
  • patch management;
  • security testing;
  • remediation tracking.

Security findings are prioritized based on:

  • severity;
  • exploitability;
  • exposure;
  • potential customer impact.

High-risk findings are addressed based on assessed risk and operational priority.

7. Secure Development Practices

LLM Controls follows secure development practices designed to reduce software and operational risk.

Practices may include:

  • source code management controls;
  • peer review;
  • dependency review;
  • environment separation;
  • testing processes;
  • controlled deployments.

Production changes are managed using processes intended to maintain service reliability and security.

8. Segregation and Tenancy

Customer environments, data, and workloads are protected using isolation controls appropriate to the applicable architecture.

Controls may include:

  • logical separation;
  • tenant isolation;
  • access controls;
  • network segmentation;
  • application-level controls.

Where dedicated, single-tenant, private cloud, customer-specific, or isolated deployment arrangements are required, such requirements must be expressly stated in the applicable order form or security addendum.

Data residency, deployment region, dedicated infrastructure, or on-premises deployment commitments apply only where expressly agreed in writing.

Unless otherwise agreed, LLM Controls may process Customer Data using commercially reasonable cloud regions, infrastructure providers, and service architectures selected to deliver the Services.

9. Third-Party Providers and AI Infrastructure

Customer acknowledges that the Services may rely on third-party providers, including:

  • cloud infrastructure providers;
  • foundation model providers;
  • AI model APIs;
  • database providers;
  • monitoring systems;
  • operational service providers.

LLM Controls evaluates and manages third-party providers based on:

  • service requirements;
  • security capabilities;
  • operational needs;
  • contractual obligations.

Third-party providers that process Customer Data will be managed as subprocessors where applicable under the Agreement and DPA.

10. Backups and Business Continuity

LLM Controls maintains backup and recovery practices designed to support availability and restoration of the Services.

Backup practices may include:

  • periodic backups;
  • recovery processes;
  • retention policies;
  • restoration procedures.

Backup frequency, retention periods, recovery objectives, and disaster recovery capabilities may vary based on:

  • service tier;
  • architecture;
  • deployment model;
  • contractual commitments.

Business continuity practices are maintained at a level appropriate to the Services.

11. Incident Response

LLM Controls maintains an incident response process for identifying, investigating, responding to, and resolving suspected security incidents.

The incident response process may include:

  • detection;
  • investigation;
  • containment;
  • remediation;
  • customer notification;
  • post-incident review.

Upon confirmation of a material security incident affecting Customer Data, LLM Controls will notify Customer without undue delay.

LLM Controls will provide information reasonably available to assist Customer's investigation and response, subject to:

  • legal requirements;
  • security limitations;
  • confidentiality obligations.

12. Personnel Security and Training

Personnel with access to Customer Data are subject to confidentiality obligations.

LLM Controls provides personnel with security and privacy guidance appropriate to their roles.

Access to sensitive systems is limited to authorized personnel with a legitimate business requirement.

Personnel access is removed when no longer required.

13. Subprocessors

LLM Controls may engage subprocessors and service providers to support delivery of the Services.

Where applicable, LLM Controls will:

  • maintain a mechanism to identify material subprocessors;
  • impose contractual obligations designed to protect Customer Data;
  • require subprocessors to maintain appropriate security practices.

Customer authorizes use of subprocessors subject to the Agreement and DPA.

14. Security Audits and Assurance

LLM Controls may provide security documentation, questionnaires, summaries, reports, and evidence on a confidential basis as reasonably available.

Customer acknowledges that security documentation may be subject to:

  • confidentiality restrictions;
  • security limitations;
  • scope limitations.

LLM Controls is currently undergoing SOC 2 Type II assessment and is in an active observation and review period.

LLM Controls will not represent that it is SOC 2 Type II certified until the assessment process is completed and certification or attestation is obtained.

Any certifications, attestations, or audit reports referenced by LLM Controls will accurately reflect:

  • certification status;
  • assessment scope;
  • applicable dates.

15. AI Governance and Controls

Where the Services use artificial intelligence systems, foundation models, agents, or automated workflows, LLM Controls maintains AI governance capabilities designed to support:

  • prompt management;
  • configuration management;
  • model selection controls;
  • workflow governance;
  • evaluation and testing workflows;
  • performance monitoring;
  • regression detection;
  • traceability;
  • audit history;
  • controlled deployment processes.

These controls are intended to improve:

  • reliability;
  • transparency;
  • operational oversight;
  • governance.

AI governance controls do not guarantee elimination of:

  • inaccurate Outputs;
  • unexpected model behavior;
  • hallucinations;
  • bias;
  • unsafe or undesired results.

Customer remains responsible for determining:

  • appropriate AI use cases;
  • required approval processes;
  • human review requirements;
  • business controls.

16. Customer Security Responsibilities

Customer is responsible for:

  • managing its users and credentials;
  • configuring access permissions;
  • protecting Customer-controlled systems;
  • maintaining identity providers;
  • securing integrations;
  • determining appropriate workflow permissions.

Customer is responsible for reviewing and approving:

  • automation scope;
  • AI decision authority;
  • escalation requirements;
  • operational controls.

17. Security Addendum Precedence

If there is a conflict between this Security Addendum and the main Agreement, this Security Addendum governs only with respect to security obligations.

Order forms or statements of work may specify additional security requirements where expressly agreed by the parties.

Contact Us

If you have questions about this Security Addendum, please contact us at:

LLM Controls
Email: contact@llmcontrols.ai