Quick facts
- Hosting: Amazon Web Services (AWS)
- Model layer: Amazon Bedrock foundation models
- Encryption: TLS 1.2+ in transit · AES-256 at rest
- Region residency: Configurable to the selected AWS Region
- Training on customer data: Never
1. Overview
Security is a foundational requirement of the CineCLI platform, not an add-on. We apply defense in depth across infrastructure, application, data and operational layers, and we follow the principle of least privilege throughout. Because synthetic media carries heightened safety risks, our security program is closely integrated with our content-safety controls — see our Responsible AI Policy.
2. Infrastructure
- Hosted on AWS. The platform runs entirely on Amazon Web Services, inheriting the physical, environmental and network security of AWS data centers.
- Models via Amazon Bedrock. All foundation-model inference (text, image, voice, video) is performed through Amazon Bedrock. Requests are processed within the AWS Region you select.
- Region residency. Customer content and inference stay within the selected AWS Region. We do not move customer content out of region for processing.
3. Encryption
- In transit. All traffic to and within the platform is encrypted using TLS 1.2 or higher. Plaintext connections are not accepted at our edge.
- At rest. Stored data — including uploads, generated assets, backups and logs — is encrypted using AES-256.
- Key management. Encryption keys are managed through AWS Key Management Service (KMS) with access restricted to authorized services and roles.
4. Access control
- Least privilege. Access to systems and data is granted only as needed for a specific operational or safety purpose.
- Role-based access. Permissions are assigned by role rather than to individuals, and reviewed periodically.
- Multi-factor authentication. MFA is required for administrative and privileged access to production systems.
- Audit logging. Access to customer content and administrative actions are logged for monitoring, investigation and accountability.
5. Network & application security
- Network segmentation. Production environments are isolated from development and corporate networks, with traffic restricted to what each tier requires.
- Secrets management. Credentials and API keys are stored in a managed secrets store, never in source code or configuration committed to version control.
- Dependency scanning. Third-party dependencies are scanned for known vulnerabilities, with alerts triaged on an ongoing basis.
- Vulnerability management. We monitor for vulnerabilities, prioritize by severity, and remediate within risk-based timeframes. Penetration testing is performed on a recurring basis.
6. Content safety controls
Security and content safety reinforce one another at CineCLI. Beyond protecting data, we screen what enters and leaves the platform:
- Amazon Bedrock Guardrails. Every model call runs through Guardrails with our policy configuration.
- Input/output screening. Prompts and reference uploads are screened before a model is called, and generated media is re-screened before delivery.
- Watermarking. Generated imagery, video and synthetic audio carry an invisible watermark to support downstream detection.
- C2PA provenance. Approved exports are stamped with tamper-evident content credentials.
The full safety model — including likeness, consent and deepfake rules — is described in our Responsible AI Policy and Acceptable Use Policy.
7. Data handling
- No training on customer content. Customer prompts and content are never used to train foundation models.
- Retention & deletion. Customer content is retained for the period needed to provide the service and is deleted on request or after account closure, subject to legal retention requirements. See our Privacy Policy.
- Backups. Encrypted backups are maintained to support recovery and are subject to the same access and retention controls as production data.
8. Sub-processors
We use a limited set of vetted third-party providers to operate the service. The current list, their purpose and locations are published on our Sub-processors page, where you can also subscribe to change notifications.
9. Business continuity & incident response
- Backups & recovery. Encrypted backups and recovery procedures support restoration of service after disruption.
- Incident response. We maintain an incident-response process covering detection, containment, eradication, recovery and post-incident review.
- Breach notification. In the event of a personal-data breach affecting customers, we are committed to notifying affected customers and relevant authorities without undue delay, consistent with applicable law and our contractual commitments.
10. Compliance & certifications
Our security program is designed to align with widely recognized control frameworks, and we build toward independent attestation as the platform matures. We design our handling of personal data to align with the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) as further described in our Privacy Policy.
11. Responsible disclosure
We welcome reports from security researchers. If you believe you have found a vulnerability, please contact security@cinecli.com with enough detail to reproduce the issue. We offer a good-faith safe harbor: we will not pursue legal action against researchers who act in good faith, avoid privacy violations and service disruption, do not access or modify data beyond what is necessary to demonstrate the issue, and give us a reasonable opportunity to remediate before public disclosure.
12. Contact
For security questions, contact security@cinecli.com. For privacy and data-protection matters, contact privacy@cinecli.com. This page works together with our Privacy Policy, Sub-processors list and Responsible AI Policy.