Security & Compliance
ThinkNEO AI Technology Co., Limited
Last updated: 25 April 2026
ThinkNEO takes the security of your data seriously. This page describes our current security controls, compliance roadmap, and how to report vulnerabilities.
How ThinkNEO Works
ThinkNEO is an AI Control Plane and Gateway. We route your API requests to third-party AI Providers (OpenAI, Anthropic, Google, NVIDIA, Meta, Mistral, DeepSeek, Alibaba, Cohere, xAI). We do not host AI models. This means your prompts and outputs transit through our infrastructure but are processed by the Provider you select.
Current Security Controls
Encryption
| Layer | Standard |
|---|---|
| Data at rest | AES-256 |
| Data in transit | TLS 1.3 (no fallback to TLS 1.1 or below) |
| Backups | AES-256 encrypted, daily, 30-day retention |
Access Control
- RBAC (Role-Based Access Control) across all Workspaces and internal systems
- MFA required for all ThinkNEO administrators
- Scoped API keys with per-key permission boundaries
- Principle of least privilege enforced organization-wide
Application Security
- SAST gates in CI/CD pipeline:
  - Bandit (Python) — zero HIGH findings policy; builds fail on any HIGH-severity issue
  - Semgrep — custom rulesets for secrets detection, injection patterns, and auth flaws
- Dependency scanning on every build — known CVEs block deployment
- No hardcoded credentials — secrets managed via environment variables and vault
- Code review required for all changes to production code
Audit Logging
- All API access and configuration changes are logged
- Logs include: actor identity, action, timestamp, resource affected
- Default retention: 90 days (logs are automatically purged after this period)
- Enterprise: configurable up to 7 years
- Logs are immutable during the retention period
Testing
- 352+ automated tests covering security scenarios, authentication, authorization, input validation, and edge cases
- 82/82 intentional compliance with the A2A Technology Compatibility Kit (TCK)
- Continuous integration runs the full test suite on every commit
Infrastructure
- Hosted on DigitalOcean (primary) with AWS (encrypted backups)
- Network segmentation between production, staging, and development environments
- Automated alerts for anomalous traffic patterns
Compliance Roadmap
We believe in being transparent about where we are today and where we are headed.
| Standard | Status | Target |
|---|---|---|
| SOC 2 Type I | In progress | 2026 |
| ISO 27001 | Planned | 2027 |
| HIPAA | Available on request (Enterprise Tier) | On request |
| GDPR | Compliant — DPA available at /legal/dpa | Current |
| LGPD (Brazil) | Compliant — covered by Privacy Policy | Current |
| CCPA (California) | Compliant — covered by Privacy Policy | Current |
| PDPO (Hong Kong) | Compliant — covered by Privacy Policy | Current |
Responsible Disclosure
If you discover a security vulnerability, we want to hear from you.
Report to: security@thinkneo.ai
Our commitment:
- Response SLA: 48 hours — we will acknowledge your report within 2 business days
- Assessment: We will investigate and provide an initial assessment within 5 business days
- Fix timeline: Critical vulnerabilities are patched within 72 hours; high-severity within 7 days
- Credit: With your permission, we will credit you in our security acknowledgements
- No retaliation: We will not take legal action against researchers who report in good faith
Scope: All ThinkNEO services at thinkneo.app, thinkneo.ai, and associated APIs and subdomains.
Out of scope: Third-party AI Provider infrastructure, social engineering, and denial-of-service testing.
We do not currently operate a formal, paid bug bounty program, but we are evaluating options and may introduce one in the future. In the meantime, we acknowledge legitimate security researchers in our SECURITY.md Hall of Fame.
Incident Transparency
Status Page
Real-time service status and incident updates are published at:
Post-Incident Reports
For any incident affecting the confidentiality, integrity, or availability of Customer data:
- Public post-mortem published within 7 days of resolution
- Post-mortems include: timeline, root cause, impact, remediation, and preventive measures
- Affected customers are notified directly via email
GDPR Breach Notification
In the event of a Personal Data breach as defined by GDPR Article 33:
- Supervisory authority notified within 72 hours
- Affected Data Subjects notified without undue delay where the breach poses a high risk to their rights and freedoms
- Full details in our Data Processing Agreement
Questions
For security-related questions or to request additional documentation (e.g., penetration test reports, SOC 2 readiness evidence):
ThinkNEO AI Technology Co., Limited
Hong Kong SAR
Email: security@thinkneo.ai