Trust Center

Last Updated: 2026-03-09

Version 1.0

============================================

1. TRUST CENTER OVERVIEW

============================================

1.1 Purpose

The Blueshift Cybersecurity Trust Center provides a unified overview of Blueshift’s security practices, privacy disclosures, compliance efforts, operational safeguards, and related public legal and trust materials relating to the IntelliThreat AI Platform and supporting systems. This Trust Center is provided for informational purposes only, is intended as a public-facing publication and document-navigation resource, and does not create any contractual commitment unless expressly incorporated by reference into a written agreement signed by Blueshift and Customer. In the event of any conflict between this Trust Center and a governing agreement, the governing agreement controls.

1.2 Scope

This Trust Center applies to, and may publish public-facing guidance and reference materials concerning, the IntelliThreat AI Platform and related purchased offerings, including as applicable:

  • The IntelliThreat AI Platform
  • Platform-related APIs, connectors, and integrations supported for the applicable purchased offering
  • Platform-related support and supporting systems, as applicable to the purchased offering
  • Platform-related data handling and governance practices

It does not by itself govern Blueshift’s managed SOC, managed XDR, SOC-monitored, or other managed services unless expressly incorporated through an applicable Order together with the applicable separate managed services agreement documents and any applicable HIPAA/BAA documentation. Separate public-facing materials may be maintained for those offerings where appropriate, and no summary in this Trust Center will by itself amend, expand, or supersede those separate governing documents.

1.3 Alignment With Governing Agreements

This Trust Center is aligned with, and should be read consistently with, the following governing agreement documents, public-facing legal notices, and related trust materials, as applicable and only to the extent expressly incorporated or otherwise made applicable under the governing agreement:

  • The PLATFORM MASTER SUBSCRIPTION AGREEMENT — https://www.blueshiftcyber.com/legal/platform-master-subscription-agreement
  • The DATA PROCESSING ADDENDUM — INTELLITHREAT AI PLATFORM — https://www.blueshiftcyber.com/legal/data-processing-addendum/intellithreat-ai-platform
  • The INTELLITHREAT AI PLATFORM ADDENDUM — https://www.blueshiftcyber.com/legal/addenda/intellithreat-ai-platform
  • The MICROSOFT 365 INTEGRATION ADDENDUM — https://www.blueshiftcyber.com/legal/addenda/microsoft-365-integration
  • The SOC-MONITORED INTELLITHREAT AI ADDENDUM — https://www.blueshiftcyber.com/legal/addenda/soc-monitored-intellithreat-ai
  • The Supplemental SOC Service Level Agreement — https://www.blueshiftcyber.com/legal/service-level-agreements/supplemental-soc
  • The MANAGED SOC & XDR SERVICES ADDENDUM — https://www.blueshiftcyber.com/legal/addenda/managed-soc-xdr-services
  • The INTELLITHREAT AUTONOMOUS ADDENDUM (where applicable) — https://www.blueshiftcyber.com/legal/addenda/intellithreat-autonomous

  • The data retention, export, and deletion materials made available, where applicable, in connection with the DATA PROCESSING ADDENDUM — INTELLITHREAT AI PLATFORM, the MANAGED SOC & XDR SERVICES ADDENDUM, and other applicable governing documents, with only the effect expressly provided in those governing documents — https://www.blueshiftcyber.com/trust-center/data-lifecycle
  • The applicable public-facing Privacy Notice and Cookie Notice, where applicable to website and similar online interactions and not as a substitute for governing agreement terms applicable to Customer Data or Personal Data processed under purchased offerings — https://www.blueshiftcyber.com/legal/privacy-notice and https://www.blueshiftcyber.com/legal/cookie-notice

Where conflicts arise among applicable incorporated governing documents, the order of precedence set forth in Section 1.3 of the PLATFORM MASTER SUBSCRIPTION AGREEMENT controls.

1.4 Public Document Categories and Published URL Structure

For public website publishing purposes, Blueshift may organize Trust Center and legal-stack materials under the following categories and published URL structure:

  • Trust Center overview and index — https://www.blueshiftcyber.com/trust-center
  • Security documents — https://www.blueshiftcyber.com/trust-center/security/{document-slug}
  • Privacy and data processing documents — https://www.blueshiftcyber.com/legal/{document-slug} or https://www.blueshiftcyber.com/trust-center/privacy/{document-slug}
  • AI governance and autonomous-feature disclosures — https://www.blueshiftcyber.com/trust-center/ai/{document-slug}
  • Compliance and regulatory statements — https://www.blueshiftcyber.com/trust-center/compliance/{document-slug}
  • Operational resilience and service-status materials — https://www.blueshiftcyber.com/trust-center/resilience/{document-slug} and https://status.blueshiftcyber.com
  • Subprocessor and infrastructure transparency materials — https://www.blueshiftcyber.com/legal/subprocessors/{document-slug}

============================================

2. PUBLICATION AND NAVIGATION GUIDANCE

============================================

2.1 Purpose

This section provides publication guidance for how customer-facing Trust Center materials should be presented on Blueshift’s public website. Contractual or incorporated legal terms, including any Acceptable Use Policy, should be published as separate legal-stack documents at their own dedicated URLs rather than embedded in summary form in this Trust Center overview, unless Blueshift intentionally elects otherwise, and any such summary remains subordinate to the applicable governing agreement documents.

2.2 Recommended Public Categories

The public Trust Center should group customer-facing materials into clear navigation categories such as:

  • Security and infrastructure
  • Privacy, data processing, and subprocessors
  • AI safety, model governance, and autonomous-feature disclosures
  • Compliance and regulatory statements
  • Operational resilience, incident response, and service availability
  • Responsible disclosure and security researcher resources
  • Accessibility, legal process, and other corporate transparency materials

2.3 Publication Standards

For customer-facing publication purposes, Blueshift should:

  • Maintain one canonical public URL for each published legal-stack or trust document
  • Use consistent naming between Trust Center references and the underlying document title
  • Display a clear “Last Updated” date on each published page
  • Avoid posting summary text that conflicts with incorporated agreement documents or product-specific addenda

Where a document is informational only, clearly state that it does not amend or expand contractual obligations unless expressly incorporated by reference into the governing agreement.

2.4 Cross-Linking

Each Trust Center summary page should link to the full underlying public document where available and should cross-reference related materials, including the Privacy Notice, Cookie Notice, Subprocessor List, Standard Security Measures, AI Safety & Model Governance statement, BC/DR Overview, Responsible Disclosure Policy, and applicable service-specific addenda, in each case where published and applicable.

============================================

3. SECURITY OVERVIEW

============================================

3.1 Security Philosophy

Blueshift employs a defense-in-depth security model, integrating secure engineering, operational rigor, and continuous monitoring to protect the confidentiality, integrity, and availability of Customer Data across the IntelliThreat AI Platform and supporting systems.

3.2 Security Controls

Blueshift maintains:

  • Encryption: TLS 1.2+ in transit; encryption at rest using industry-standard measures appropriate to the relevant systems and data (AES-256 where applicable)
  • Access Controls: RBAC, MFA, least-privilege access
  • Secure SDLC: Internal review and testing
  • Network Security: Segmentation, firewalls, IDS/IPS
  • Logging & Monitoring: Centralized logs, anomaly detection
  • Vulnerability Management: Continuous monitoring and vulnerability management
  • Incident Response: Documented incident response plan

3.3 Compliance Alignment

Blueshift maintains controls designed to support compliance efforts, customer requirements, and risk management practices relating to the following, as applicable to the purchased offering and Blueshift’s role under the governing agreement:

  • SOC 2 (in progress)
  • NIST CSF (formal control mapping in progress; target Q4 2026)
  • GDPR/EEA data protection requirements and CCPA/CPRA, as applicable to Blueshift’s role in the relevant processing
  • HIPAA-related obligations only where expressly agreed in a signed contract; Blueshift is not a default business associate or default BAA provider

3.4 Subprocessors

A current list of subprocessors is available in the SUBPROCESSOR LIST — INTELLITHREAT AI PLATFORM, which is provided for informational purposes and has only the notice, objection, and other limited procedural effect expressly stated in the applicable governing agreement documents. Public URL: https://www.blueshiftcyber.com/legal/subprocessors/intellithreat-ai-platform

Blueshift’s public-facing websites and online properties are subject to applicable public-facing privacy and cookie disclosures. Cookie choices, consent practices, and data practices for website and similar online interactions are governed by the applicable Privacy Notice and Cookie Notice, while Customer Data and Personal Data processed through the IntelliThreat AI Platform or separately purchased managed services remain governed by the applicable contract documents, DPA, and service-specific disclosures.

============================================

4. SUPPORT

============================================

4.1 Support Contact

  • Email: support@blueshiftcyber.com
  • Website: https://www.blueshiftcyber.com/trust-center

============================================

5. API DOCUMENTATION AND TERMS LINKING

============================================

5.1 License

Any API-specific license terms, restrictions, credential requirements, rate limits, and service conditions should be published in dedicated API documentation and, where applicable, a separate public legal-stack document incorporated by reference through the PLATFORM MASTER SUBSCRIPTION AGREEMENT or applicable Order.

5.2 Recommended Public Links

The Trust Center or developer-facing navigation may link, where applicable, to:

  • API documentation — https://developer.blueshiftcyber.com
  • API terms or developer terms — https://www.blueshiftcyber.com/legal-terms
  • Rate-limit or usage documentation — https://developer.blueshiftcyber.com/docs/rate-limits
  • Authentication and credential guidance — https://developer.blueshiftcyber.com/docs/authentication

5.3 Customer-Facing Summary

Customer must keep API keys, access tokens, and other API credentials confidential and secure, and must promptly revoke and rotate API credentials upon any actual or suspected compromise.

5.4 Availability

The APIs are provided as-is and without any uptime or availability commitment except as expressly set forth in the PLATFORM MASTER SUBSCRIPTION AGREEMENT, an applicable Order, or the SERVICE STATUS PAGE AND AVAILABILITY SLA, to the extent applicable.

5.5 Termination

Blueshift may suspend or terminate API access for AUP violations, security threats, excessive or harmful usage, or breach of the PLATFORM MASTER SUBSCRIPTION AGREEMENT or applicable API terms, to the extent such API terms are expressly made applicable.

============================================

6. SERVICE STATUS PAGE / AVAILABILITY SLA

============================================

6.1 Availability Commitment

During each calendar month of the Subscription Term, any availability commitment for the IntelliThreat AI Platform, including any applicable exclusions for Permitted Downtime, is governed exclusively by the SERVICE STATUS PAGE AND AVAILABILITY SLA, but only to the extent that agreement is expressly incorporated and applicable to the purchased offering under the PLATFORM MASTER SUBSCRIPTION AGREEMENT or an applicable Order.

6.2 Status Page

Blueshift maintains a Service Status Page (“Service Status Page”) that may provide availability, maintenance, and incident-status information for the IntelliThreat AI Platform for informational purposes; the Service Status Page does not by itself create contractual commitments except to the extent expressly incorporated through the applicable governing agreement.

  • Real-time service availability
  • Incident notifications
  • Scheduled maintenance
  • Historical information

6.3 Maintenance

Maintenance notice practices for the IntelliThreat AI Platform are described in the SERVICE STATUS PAGE AND AVAILABILITY SLA, to the extent applicable and expressly incorporated under the PLATFORM MASTER SUBSCRIPTION AGREEMENT or an applicable Order.

============================================

7. BUSINESS CONTINUITY & DISASTER RECOVERY

============================================

7.1 Objectives

This BC/DR Overview summarizes Blueshift’s resilience, continuity, and disaster recovery practices for the IntelliThreat AI Platform and supporting systems. It is informational only and does not create contractual commitments beyond those in the applicable governing agreement documents.

  • Documented business impact analysis
  • Redundant communication channels
  • Executive-level continuity governance
  • Annual review and tabletop exercises

7.2 DR Capabilities

  • OCI-hosted cloud infrastructure in U.S. regions
  • Automated backups and replication
  • Infrastructure-as-code deployment
  • Recovery Time Objective (RTO): ≤ 24 hours (Non-binding targets; commercially reasonable efforts only.)
  • Recovery Point Objective (RPO): ≤ 24 hours (Non-binding targets; commercially reasonable efforts only.)

7.3 Testing

Blueshift performs disaster recovery testing periodically, including at least annual review and testing practices designed to assess resilience and recovery readiness. Testing may include, as appropriate based on risk, system scope, and operational considerations: (a) failover validation and restoration exercises; (b) tabletop exercises covering representative disruption scenarios, including regional cloud outage, ransomware impact, and key-personnel unavailability; and (c) targeted component-level testing following material infrastructure changes. Test results are reviewed through Blueshift’s internal governance processes, and material findings may be assigned remediation owners and tracked to closure on a documented timeline.

============================================

8. AI SAFETY & MODEL GOVERNANCE

============================================

8.1 Principles

The IntelliThreat AI Platform uses machine learning and agentic automation to support detection and response. Where Customer has activated an applicable IntelliThreat Autonomous tier or other applicable autonomous functionality in accordance with the applicable configuration, consent, activation, control, and purchased-offering framework, the Platform may execute authorized response actions within Customer-configured permissions. Blueshift implements measures designed to help ensure:

  • No training, fine-tuning, or improvement of AI models using identifiable Customer Data or Personal Data without Customer’s prior written consent; Blueshift may use de-identified, anonymized, and/or aggregated telemetry as permitted by applicable agreements and law, and does not use identifiable Customer Data or Personal Data to train public or third-party models
  • AI outputs and, where applicable, executed actions are logged and auditable, with tamper-evident audit logs for Autonomous Actions as described in the applicable addendum
  • Customer determines the automation levels, activation settings, permissions, and approval workflows it enables, subject to the functionality available in the applicable purchased offering
  • Optional human-in-the-loop workflows (where available, supported, and purchased)
  • Guardrails designed to help prevent unauthorized actions
  • Autonomous Actions are constrained by Customer-configured permissions, with Kill-Switch capability and tamper-evident audit logs (see the INTELLITHREAT AUTONOMOUS ADDENDUM)

8.2 Autonomous Mode Safety

  • Blueshift does not use identifiable Customer Data or Personal Data to train, fine-tune, or improve its AI models without Customer’s prior written consent. Blueshift may use de-identified, anonymized, and/or aggregated telemetry data for model improvement to the extent permitted by the applicable governing agreement and applicable law, and does not use identifiable Customer Data or Personal Data to train public or third-party models.
  • Autonomous execution applies only where enabled by Customer within the applicable purchased offering, integrations, permissions, and configuration framework described in the applicable governing documents and any required activation or consent record required thereunder.
  • Model updates are subject to internal validation and safety review, as appropriate to the nature of the update.
  • Customers may activate a Kill-Switch to suspend Autonomous Mode actions, subject to the operational framework described in the INTELLITHREAT AUTONOMOUS ADDENDUM.
  • Autonomous Actions are recorded in tamper-evident audit logs and made available through applicable Platform functionality, subject to the governing agreement documents.

Except to the extent expressly assumed in an applicable Order or Addendum, Blueshift does not make Customer’s security, legal, business, or operational decisions merely by providing autonomous, automated, agentic, or AI‑assisted functionality configured, enabled, or otherwise approved by Customer.

8.3 Customer Controls

Customer retains control over whether and how automation levels are enabled, configured, and constrained within the applicable purchased offering, with optional human-in-the-loop workflows where available and purchased.

============================================

9. EXPORT COMPLIANCE STATEMENT

============================================

9.1 Compliance

Blueshift is committed to compliance with applicable U.S. export controls and economic sanctions laws and regulations in connection with the IntelliThreat AI Platform and related Services, including:

  • U.S. Export Administration Regulations (EAR)
  • OFAC sanctions
  • Other applicable export control and sanctions laws

9.2 Customer Obligations

Customers must not:

  • Export, reexport, transfer, provide access to, or otherwise make the Platform or related Services available in or to any jurisdiction, person, or entity subject to applicable U.S. sanctions or export embargoes, except as authorized by applicable law
  • Use the Platform or related Services in violation of applicable export control or sanctions laws, including in connection with prohibited end uses or end users (for example, weapons of mass destruction development)
  • Provide access to the Platform or related Services to any person, entity, or other party that is prohibited or restricted under applicable export control or sanctions laws

============================================

10. ACCESSIBILITY STATEMENT (WCAG)

============================================

10.1 Commitment

Blueshift is committed to making its products, services, and public websites accessible to the widest possible audience, including individuals with disabilities. This commitment applies to the IntelliThreat AI Platform, the IntelliThreat Autonomous tier, and the Blueshift public website. Blueshift works to continuously improve accessibility as its products and websites evolve.

10.2 Measures

  • Keyboard navigation support
  • Screen-reader compatibility
  • High-contrast UI options
  • Descriptive labels and ARIA attributes

10.3 Feedback

If you encounter an accessibility barrier, need assistance accessing content, or have suggestions for improvement, please contact Blueshift at: accessibility@blueshiftcyber.com.

============================================

11. VULNERABILITY DISCLOSURE / SECURITY.TXT

============================================

11.1 Reporting

Security researchers may report vulnerabilities through the Responsible Disclosure Policy. Reports should be submitted to security@blueshiftcyber.com. Blueshift generally targets acknowledgment of qualifying reports within five (5) business days. Coordinated disclosure timelines follow CVSS severity tiers: Critical/High (≥ 7.0) — 90 days; Medium/Low (< 7.0) — 120 days. Blueshift does not currently operate a monetary bug bounty program.

============================================

12. DATA RESIDENCY & REGIONAL HOSTING

============================================

12.1 Regions

As of the Last Updated date of this Trust Center Document Suite, Blueshift expects IntelliThreat AI Platform data to be processed and stored within the United States, subject to the applicable governing agreement documents, the DATA PROCESSING ADDENDUM — INTELLITHREAT AI PLATFORM, where applicable, any applicable retention, export, and deletion materials, and Blueshift’s applicable public-facing privacy disclosures regarding international data transfers.

12.2 Future Expansion

Additional regions may be added over time in Blueshift’s discretion based on customer demand, regulatory requirements, infrastructure availability, and Blueshift’s then-current offering status.

12.3 Residency Controls

Processing locations may vary based on Customer configuration, applicable subprocessors, support needs, legal requirements, applicable retention, export, and deletion processes, and the applicable services in use, subject to the governing agreement documents, the DATA PROCESSING ADDENDUM — INTELLITHREAT AI PLATFORM, where applicable, and Blueshift’s applicable public-facing privacy disclosures.

============================================

13. LAW ENFORCEMENT REQUEST POLICY

============================================

13.1 Principles

Blueshift:

  • Requires valid legal process
  • Notifies customers unless prohibited by law
  • Minimizes disclosure to the narrowest scope required
  • Does not provide direct access, backdoors, or surveillance capabilities

13.2 Process

Requests must be submitted to legal@blueshiftcyber.com.

============================================

14. INCIDENT RESPONSE & BREACH NOTIFICATION

============================================

14.1 IR Program

Blueshift maintains a documented Incident Response Plan including:

  • Detection
  • Containment
  • Eradication
  • Recovery
  • Post-incident review

14.2 Notification

Blueshift will provide Customer notification, as required by applicable law or the applicable governing agreement, without undue delay after confirmation of a Security Incident affecting Personal Data; notice obligations are governed by the applicable agreement and are not triggered solely by unconfirmed suspicion of a potential incident.

Blueshift conducts root-cause analysis and corrective actions, as appropriate, following confirmed Security Incidents, subject to the applicable governing agreement and operational considerations.

============================================

15. CUSTOMER SECURITY RESPONSIBILITIES MATRIX

============================================

| Responsibility Area | Blueshift | Customer |
| Platform Security | | |
| Credential Management | | |
| Configuration of Automations | | |
| Data Accuracy & Legality | | |
| Data Retention, Export & Deletion Settings / Processes | Shared | Shared |
| Incident Response in Customer Environment | | |
| Platform Availability | | |
| Subprocessor Oversight | | |
| Human Oversight of Autonomous and AI Actions | | |

============================================

16. MODEL EVALUATION & RED-TEAM TESTING SUMMARY

============================================

16.1 Evaluation

Models are subject to internal evaluation practices that may include, as appropriate to the nature of the model or update:

  • Accuracy testing
  • Bias assessment
  • Safety validation

16.2 Red-Team Testing

Blueshift performs periodic testing designed to evaluate Platform resilience against adversarial inputs, prompt injection attempts, and model manipulation techniques, consistent with commercially reasonable practices for AI-based security software.

16.3 Continuous Improvement

Findings may inform model updates, internal validation, safety review, and governance reviews, as appropriate.

============================================

17. MANAGED SOC & XDR SERVICES

============================================

17.1 Scope Note

This Trust Center primarily covers the IntelliThreat AI Platform software offering. Blueshift’s managed SOC, managed XDR, and other managed services are separately purchased, have separate security and operational frameworks, and are separately governed by the MANAGED SOC & XDR SERVICES ADDENDUM, the applicable Supplemental SOC Service Level Agreement, and other applicable governing agreement documents. Privacy, data handling, retention, export, deletion, and any service-specific compliance commitments for managed SOC/XDR services are determined by those applicable managed-services documents and the governing agreement, not by generalized Platform-only statements in this Trust Center. Website cookies and similar tracking technologies are governed by Blueshift’s applicable public-facing Cookie Notice and Privacy Notice, rather than by managed-services terms unless expressly stated otherwise. HIPAA-related services are not offered or supported for managed SOC/XDR services unless expressly agreed in a signed contract; Blueshift is not a default business associate or default BAA provider. Any U.S. hosting, regional hosting, data residency, GovCloud-related availability, or service-specific configuration remains subject to the applicable Order, governing documents, and Blueshift’s then-current offering status.