
The purpose of this Written Information Security Program (WISP) is to define the administrative, technical, and operational safeguards that Queen City AI (“QCAI”) employs to protect the confidentiality, integrity, and availability of information entrusted to us by clients, partners, and internal stakeholders, particularly in the context of our AI consulting and AI strategy services. This program is essential for ensuring business efficiency and effective workflow automation.
This program applies to:
- Client data and systems
- Internal business systems
- AI models, pipelines, and derived artifacts
- All personnel and approved subcontractors
This WISP is reviewed at least annually and updated as our risk posture or operating environment changes.
2.1 Principle of Least Privilege
Access is granted strictly on a need-to-know and least-privilege basis to enhance business efficiency. Personnel are granted only the minimum permissions required to perform assigned duties, especially in the context of AI consulting and workflow automation.
2.2 Identity & Authentication
All systems require authenticated user access to ensure security in Artificial Intelligence applications. Multi-Factor Authentication (MFA) is enforced for:
- Cloud infrastructure
- Source code repositories
- Production and staging environments
Shared accounts are prohibited to maintain integrity in AI strategy implementation.
2.3 Access Reviews
Access permissions are reviewed to support effective AI strategy:
- Upon role change
- Upon contract termination
- At least quarterly for production systems
Access is revoked immediately upon offboarding to safeguard workflows.
3.1 Encryption at Rest
All client data stored in cloud services is encrypted at rest using industry-standard encryption (AES-256 or equivalent), ensuring the security crucial for AI Consulting and AI Strategy initiatives. Encryption is enabled by default for:
- Databases
- Object storage
- Backups
- Vector databases
3.2 Encryption in Transit
All data in transit is protected using TLS 1.2 or higher, which is essential for maintaining the integrity of Artificial Intelligence applications. Unencrypted data transmission is prohibited for client or sensitive internal data, thereby enhancing business efficiency and supporting workflow automation.
Encryption keys are managed using cloud-native key management services (KMS) where available, ensuring that AI consulting projects maintain strong security protocols. Key access is restricted to authorized system roles, enhancing business efficiency by minimizing risks. Key rotation follows provider best practices, aligning with an effective AI strategy. In client-specific environments, logically separated keys are utilized where applicable, supporting workflow automation and maintaining the integrity of artificial intelligence applications.
5.1 System Logging
Security-relevant events are logged, including:
- Authentication attempts
- Privilege changes
- System access to client data
Logs are retained for a minimum of 90 days, unless client requirements specify longer retention. This logging is crucial for maintaining an effective AI strategy, as it enhances business efficiency through better oversight of security events related to artificial intelligence applications.
5.2 Monitoring
Cloud environments are monitored for:
- Unauthorized access attempts
- Configuration drift
- Service availability issues
Alerts are configured for high-risk events, ensuring that AI consulting practices are supported by a robust framework for workflow automation and security management.
6.1 Data Classification
Queen City AI, as part of its AI consulting services, classifies data into the following categories:
Client Data
Data provided directly by a client, which may include operational, financial, contractual, or proprietary information related to their AI strategy. This data is always treated as confidential to uphold business efficiency.
Internal Data
This includes Queen City AI's business data, such as finance, HR, and internal documentation, which is restricted to authorized personnel to ensure the integrity of our workflow automation processes.
Derived Artifacts
Outputs generated through processing client data, such as embeddings, model outputs, and structured extractions, are treated with the same confidentiality level as the source client data, reflecting our commitment to responsible artificial intelligence practices.
6.2 Data Use Restrictions
Client data is used solely for the contracted purpose and is never utilized to train public or shared foundation models. Additionally, client data is not shared across clients, ensuring that our AI consulting services maintain the highest standards of privacy.
Client data retention in the context of AI consulting and AI strategy is governed by contractual terms. Our default policy ensures that we retain client data solely for the duration of the engagement. Upon contract termination or at the client's request, we implement secure deletion methods that adhere to cloud provider secure deletion standards. This approach not only safeguards sensitive information but also enhances business efficiency through effective workflow automation. Confirmation of deletion can be provided upon request.
8.1 Incident Definition
A security incident includes any suspected or confirmed:
- Unauthorized access
- Data disclosure
- Data integrity compromise
- System availability disruption affecting client data
These incidents can significantly impact business efficiency, particularly when they involve Artificial Intelligence systems utilized for AI Consulting and AI Strategy.
8.2 Response Timeline
First 24 Hours
- Contain and isolate affected systems
- Preserve logs and evidence
- Conduct initial impact assessment
- Notify internal leadership
24–48 Hours
- Identify root cause
- Assess scope of affected data
- Implement remediation steps
- Prepare client notification if required
48–72 Hours
- Notify affected clients per contractual and legal obligations
- Provide preliminary incident report
- Implement preventive controls
- Begin post-incident review, especially in the context of workflow automation and AI systems.
8.3 Client Notification
Clients are notified promptly when their data is impacted. Notifications include:
- Nature of the incident
- Data involved
- Remediation actions taken
- Recommended client actions (if any) to enhance their own AI Strategy and ensure the integrity of their business processes.
Queen City AI utilizes vetted third-party service providers to enhance its AI Consulting services. These vendors are chosen based on their security posture and reliability to ensure optimal business efficiency.
9.1 Cloud Infrastructure Providers
Primary cloud hosting providers (e.g., AWS, Azure, GCP) enable a robust AI Strategy.
9.2 LLM Providers
Commercial large language model providers are used strictly for inference purposes, ensuring that no client data is used for model training. This aligns with our commitment to secure Artificial Intelligence practices.
9.3 OCR, Vector DB, and Storage Providers
We utilize OCR services for document extraction, vector databases for embeddings, and object storage solutions to create client-walled data environments that facilitate workflow automation.
A current list of sub-processors can be provided to clients upon request.
Queen City AI, a leader in AI consulting, intends to pursue SOC 2 Type I alignment as the business scales to enhance business efficiency. This initiative aligns with our AI strategy focused on leveraging artificial intelligence for optimal workflow automation.
Planned Timeline:
- Q1–Q2: Internal control documentation and gap assessment
- Q3: Control implementation and internal audit readiness
- Q4: Engage third-party auditor for Type I examination
This roadmap reflects intent, not certification, and may adjust based on client requirements.
Penetration testing will be conducted annually or upon significant architectural changes to enhance our AI consulting practices. This testing may include external vulnerability scanning, configuration reviews, and ensuring that our AI strategy aligns with best practices in artificial intelligence. Findings are tracked and remediated based on severity to promote business efficiency and support workflow automation.
Governance & Review
This WISP is owned by Queen City AI leadership and is reviewed annually or upon material changes. Updates related to our AI strategy are communicated internally and made available to clients upon request.
Copyright © 2026 Queen City AI, LLC - All Rights Reserved.