Security Statement

Ailethea, Inc.

Effective date: January 26, 2026

1. Introduction and Commitment to Security

Ailethea Inc. ("Ailethea," "we," "us," or "our") is a South Carolina corporation that provides Platform-as-a-Service (PaaS) solutions for regulated industries, including pharmaceutical companies operating Risk Evaluation and Mitigation Strategy (REMS) programs and other FDA-regulated initiatives. Security is foundational to our operations and integral to the trust our clients place in us.

This Security Statement describes the security measures, practices, and controls we implement to protect information and maintain the integrity of our systems. We recognize that our clients operate in highly regulated environments where data protection, system integrity, and regulatory compliance are paramount.

This Statement applies to our public-facing website at https://ailethea.com (the "Website"). Security practices governing our regulated platform services are addressed through separate contractual agreements, security addenda, and compliance documentation provided to clients.

2. Security Governance and Organizational Controls

2.1 Security Leadership

Security accountability resides at the executive level within Ailethea. We maintain defined roles and responsibilities for information security management, with clear escalation paths for security matters. Security considerations are integrated into business decision-making processes and strategic planning.

2.2 Policies and Procedures

We maintain a comprehensive set of security policies and procedures that govern our operations. These policies are reviewed and updated periodically to address evolving threats, regulatory changes, and industry best practices.

Our security documentation framework addresses areas including, but not limited to: information security management; access control and identity management; data classification and handling; incident response and management; business continuity and disaster recovery; change management and configuration control; vendor and third-party risk management; and acceptable use of information assets.

2.3 Risk Management

We conduct periodic risk assessments to identify, evaluate, and prioritize security risks to our operations and information assets. Risk treatment decisions are documented and reviewed by appropriate stakeholders. We maintain a risk register and track remediation activities to completion.

3. Regulatory Compliance Framework

Given our focus on serving regulated industries, Ailethea designs and operates its systems with regulatory compliance as a core requirement. Our compliance framework addresses the following regulatory and industry standards:

3.1 FDA Regulations

Our platform services are designed to support compliance with applicable FDA regulations, including 21 CFR Part 11 (Electronic Records; Electronic Signatures) requirements for audit trails, electronic signatures, system access controls, and record integrity. We implement validation practices consistent with FDA guidance on computer system validation (CSV) and maintain documentation to support client qualification and validation activities.

3.2 GxP Compliance

We operate in accordance with Good Practice (GxP) principles applicable to computerized systems used in regulated life sciences environments. This includes adherence to data integrity principles (ALCOA+: Attributable, Legible, Contemporaneous, Original, Accurate, Complete, Consistent, Enduring, and Available) and maintenance of appropriate quality management practices.

3.3 Industry Standards

We align our security practices with recognized industry frameworks and standards, including: NIST Cybersecurity Framework; ISO/IEC 27001 Information Security Management principles; SOC 2 Trust Services Criteria; and OWASP security guidelines for web applications. Specific certifications and attestations are provided to clients under appropriate confidentiality agreements upon request.

4. Technical Security Controls

4.1 Infrastructure Security

Our infrastructure incorporates multiple layers of security controls, including: network segmentation and firewall protection; intrusion detection and prevention systems; distributed denial-of-service (DDoS) mitigation; secure configuration management and system hardening; and regular vulnerability scanning and patch management.

4.2 Encryption

We employ encryption to protect data confidentiality and integrity. Data in transit is protected using Transport Layer Security (TLS) 1.2 or higher with strong cipher suites. Data at rest is encrypted using industry-standard encryption algorithms. Encryption key management follows established best practices, including secure key generation, storage, rotation, and retirement procedures.

4.3 Access Control

Access to systems and data is governed by the principle of least privilege. We implement role-based access control (RBAC) to ensure personnel have access only to information and systems necessary for their job functions. Access controls include: unique user identification and authentication; multi-factor authentication (MFA) for privileged and remote access; periodic access reviews and recertification; and prompt access revocation upon personnel separation or role change.

4.4 Logging and Monitoring

We maintain comprehensive logging of security-relevant events across our systems. Logs are protected against unauthorized modification and retained in accordance with regulatory requirements and our retention policies. Security monitoring includes real-time alerting for anomalous activities and regular log review procedures. Audit trails are designed to meet 21 CFR Part 11 requirements for regulated platform services.

4.5 Application Security

Our software development practices incorporate security throughout the development lifecycle. This includes: secure coding standards and developer training; code review and static application security testing (SAST); dynamic application security testing (DAST); dependency scanning for known vulnerabilities; and penetration testing by qualified security professionals.

5. Data Protection

5.1 Data Classification

We classify information assets based on sensitivity and regulatory requirements. Classification determines the applicable security controls, handling procedures, and access restrictions for each data category.

5.2 Data Integrity

We implement controls to ensure data accuracy, completeness, and consistency throughout its lifecycle. For regulated platform services, these controls include validation checks, audit trails, and change control procedures designed to maintain data integrity in accordance with FDA expectations and GxP requirements.

5.3 Data Backup and Recovery

We maintain backup procedures to protect against data loss. Backups are performed regularly, encrypted, and stored in geographically separate locations. Backup restoration procedures are tested periodically to verify recoverability. Recovery time objectives (RTO) and recovery point objectives (RPO) are defined and documented for critical systems.

5.4 Secure Data Disposal

When data is no longer required for business or regulatory purposes, we employ secure disposal methods appropriate to the data classification. This includes cryptographic erasure, secure deletion, and physical destruction of media as applicable.

6. Personnel Security

Our personnel security practices are designed to ensure that individuals with access to sensitive information and systems are trustworthy and understand their security responsibilities.

6.1 Background Verification

We conduct background checks on personnel in accordance with applicable laws and regulations prior to granting access to sensitive systems and information. The scope of verification is commensurate with the sensitivity of the role.

6.2 Security Awareness and Training

All personnel receive security awareness training upon hire and periodically thereafter. Training covers topics including information security policies, data handling requirements, phishing and social engineering awareness, incident reporting procedures, and regulatory compliance obligations. Role-specific training is provided for personnel with specialized security responsibilities.

6.3 Confidentiality Obligations

Personnel with access to confidential information are bound by confidentiality obligations through employment agreements and, where applicable, additional non-disclosure agreements. These obligations survive the termination of employment.

7. Physical Security

Physical access to facilities housing information systems and data is restricted to authorized personnel. Physical security controls include: secured facility perimeters and access points; access control systems with authentication requirements; visitor management and escort procedures; environmental controls including fire suppression and climate management; and surveillance and monitoring systems.

Where we utilize third-party data center facilities, we select providers that maintain robust physical security controls and relevant certifications (such as SOC 2 Type II attestations).

8. Vendor and Third-Party Security

We evaluate the security posture of third-party vendors and service providers prior to engagement and on an ongoing basis. Vendor security assessments consider factors including: security certifications and attestations; security policies and practices; data handling and protection capabilities; incident response capabilities; and contractual security commitments.

Contracts with vendors who access or process sensitive information include appropriate security requirements, confidentiality obligations, and, where applicable, Business Associate Agreements or other regulatory-required agreements.

9. Incident Response and Management

We maintain documented incident response procedures to address security events and incidents. Our incident response program includes: defined incident classification and severity levels; clear roles, responsibilities, and escalation procedures; procedures for incident containment, eradication, and recovery; evidence preservation and forensic investigation capabilities; post-incident review and lessons learned processes; and regulatory notification procedures as required by applicable law.

We conduct periodic incident response exercises to test and improve our response capabilities.

10. Business Continuity and Disaster Recovery

We maintain business continuity and disaster recovery plans to ensure the availability of critical systems and services. These plans address: identification of critical business functions and systems; recovery strategies and procedures; roles and responsibilities during disruptions; communication procedures; and periodic testing and plan maintenance.

Recovery capabilities are designed to meet defined availability requirements and minimize the impact of disruptions on our clients and operations.

11. Change Management

Changes to production systems and applications are subject to formal change management procedures. Change control processes include: documentation of proposed changes and business justification; risk assessment and impact analysis; appropriate review and approval workflows; testing and validation requirements; rollback procedures; and post-implementation review.

For regulated platform services, change management procedures are designed to meet GxP requirements and maintain validated system states.

12. Continuous Improvement

We are committed to continuously improving our security posture. Our continuous improvement efforts include: regular security assessments and audits; monitoring of threat intelligence and emerging risks; evaluation and adoption of new security technologies and practices; incorporation of lessons learned from incidents and near-misses; and engagement with industry groups and regulatory bodies to stay current with evolving requirements.

13. Website Security

This public-facing website (https://ailethea.com) is protected by the following security measures: TLS encryption for all connections; web application firewall (WAF) protection; protection against common web vulnerabilities (including OWASP Top 10 risks); regular security scanning and monitoring; and secure hosting infrastructure with appropriate access controls.

Information submitted through website forms is transmitted securely and handled in accordance with our Privacy Policy.

14. Reporting Security Concerns

We encourage responsible disclosure of potential security vulnerabilities. If you believe you have identified a security vulnerability in our Website or services, please report it to us promptly using the contact information below.

When reporting a potential vulnerability, please provide sufficient detail to allow us to investigate and address the issue, including: a description of the vulnerability and potential impact; steps to reproduce the issue; and any relevant technical details or proof-of-concept information.

We request that you: avoid accessing or modifying data belonging to others; refrain from actions that could degrade service availability; allow reasonable time for us to address reported issues before public disclosure; and comply with all applicable laws.

We commit to: acknowledging receipt of vulnerability reports promptly; providing updates on our investigation and remediation progress; and working in good faith with security researchers who report issues responsibly.

15. Contact Information

For security-related inquiries, to report a potential security issue, or to request additional information about our security practices, please contact us:

Ailethea Inc.
Attn: Security
Email: [email protected]
US Mail: Two Park Lane Suite 203
Hilton Head Island, SC 29926

For non-security inquiries, please use the general inquiry form on our Website https://ailethea.com.

16. Limitations and Disclaimer

This Security Statement provides a general overview of our security practices and is intended for informational purposes. It does not constitute a warranty, guarantee, or contractual commitment. Specific security commitments to clients are documented in applicable service agreements and security addenda.

Security threats evolve continuously, and no security program can guarantee absolute protection against all threats. We continuously work to enhance our security posture and adapt to emerging risks.

17. Updates to This Statement

We may update this Security Statement from time to time to reflect changes in our practices, technologies, or regulatory requirements. Material changes will be reflected by updating the effective date. We encourage you to review this Statement periodically.