Security Best Practices
Operational guide for users of the CEREBRO platform and their organisations.
/// Executive Summary
The security of a critical platform never rests on its infrastructure alone. It is also built on the user side: in how accounts are protected, how sessions are managed, and how incidents are reported.
This document describes the practices expected from organisations using CEREBRO, and the shared responsibilities between CaliaLabs and its clients regarding operational security.
It does not replace your organisation's internal security policy. It complements it on aspects specific to using the platform.
/// Full Document
Shared responsibility
Securing the use of CEREBRO rests on a shared responsibility model between CaliaLabs and client organisations.
CaliaLabs is responsible for the security of the platform itself: infrastructure, code, encryption of data at rest and in transit, threat monitoring, vulnerability management, and operational continuity.
Client organisations are responsible for the security of their own access: managing the identities of their staff, enabling multi-factor authentication, configuring roles based on the principle of least privilege, and training their teams.
This split is not an abstract contractual clause. It is an operational reality: even the best infrastructure cannot protect against a password reused on another compromised service.
Authentication and account management
Multi-factor authentication (MFA) is mandatory for all accounts with administrative privileges, and strongly recommended for all users.
Supported MFA methods are: authenticator applications (TOTP), physical FIDO2/WebAuthn keys, and single-use backup codes. SMS is not recommended as a second factor due to known risks (SIM swap, interception).
Passwords must meet the following criteria: minimum length of 12 characters, mixed complexity, no reuse across services, renewal only if compromise is suspected (no forced calendar rotation, per NIST SP 800-63B recommendations).
Creating an account on CEREBRO requires validation by an administrator of the client organisation. Each account is individual: accounts shared between multiple people are prohibited.
Role and privilege management
Roles in CEREBRO follow the principle of least privilege: each user has only the rights strictly necessary for their operational mission.
Three broad role families exist: operational (stream processing, ex-ante validation), governance (supervision, arbitration, overrides), and administration (system configuration, user management, integrations).
Administrative privileges are subject to enhanced traceability: each administrative action generates an immutable (WORM) log event, timestamped and attributable to the identity performing the action.
Organisations are encouraged to review granted rights regularly (at least quarterly), remove access from staff whose mission has changed, and immediately disable accounts upon departure.
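The account rules in the two sections above (individual accounts, mandatory MFA for administrators, SMS discouraged, quarterly rights review, immediate disabling on departure) can be turned into a repeatable check. The script below is an added example, not CEREBRO's own tooling; it assumes the organisation can export its accounts as records with the hypothetical field names used here, and the sample records are constructed.

```python
# Added example (hypothetical, not CEREBRO's own tooling): review an export of
# the organisation's CEREBRO accounts against the rules in the sections above.
from datetime import date, timedelta

STRONG_MFA = {"totp", "fido2", "backup_codes"}   # methods listed as supported
ADMIN_ROLES = {"administration"}
REVIEW_WINDOW = timedelta(days=90)              # "at least quarterly"
REVIEW_DATE = date(2024, 5, 6)                  # constructed review date

SAMPLE_ACCOUNTS = [  # constructed sample export; field names are hypothetical
    {"login": "a.martin", "role": "administration", "mfa": "fido2",
     "last_login": date(2024, 5, 2), "shared": False, "employed": True},
    {"login": "ops-desk", "role": "operational", "mfa": "totp",
     "last_login": date(2024, 5, 3), "shared": True, "employed": True},
    {"login": "j.leroy", "role": "administration", "mfa": "sms",
     "last_login": date(2024, 1, 9), "shared": False, "employed": True},
    {"login": "k.nguyen", "role": "administration", "mfa": None,
     "last_login": date(2024, 4, 28), "shared": False, "employed": False},
]

def review_account(acct, today):
    """Return the rule violations for one account record (empty if compliant)."""
    findings = []
    if acct["shared"]:
        findings.append("shared account: individual accounts only")
    if not acct["employed"]:
        findings.append("staff departed: disable immediately")
    if acct["mfa"] is None:
        if acct["role"] in ADMIN_ROLES:
            findings.append("administrative account without mandatory MFA")
        else:
            findings.append("no MFA enrolled (strongly recommended)")
    elif acct["mfa"] == "sms":
        findings.append("SMS second factor not recommended (SIM swap, interception)")
    if today - acct["last_login"] > REVIEW_WINDOW:
        findings.append("no login this quarter: confirm access is still needed")
    return findings

def run_review(accounts, today):
    """Map each login to its findings, keeping only accounts with at least one."""
    report = {a["login"]: review_account(a, today) for a in accounts}
    return {login: f for login, f in report.items() if f}

def review_sample():
    return run_review(SAMPLE_ACCOUNTS, REVIEW_DATE)

if __name__ == "__main__":
    for login, findings in review_sample().items():
        print(f"{login}: {'; '.join(findings)}")
```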
Sessions and remote access
CEREBRO sessions automatically expire after an inactivity period defined in the organisation's configuration (default: 30 minutes for standard accounts, 15 minutes for administrator accounts).
Connections from a new device or a new IP address trigger an additional verification based on the organisation's policy.
Access to CEREBRO is only possible via HTTPS with TLS 1.3 or higher. Unencrypted requests are systematically rejected at the reverse proxy level.
Using unencrypted public networks (open Wi-Fi, unidentified hotspot) to access the platform is discouraged, even for users with a corporate VPN connection.
Security incident reporting
Any suspected compromise — lost device, potentially disclosed password, suspicious email received by a user, abnormal activity in the logs — must be reported without delay.
The dedicated channel is available 24 hours a day, 7 days a week, at [email protected]. In the event of a confirmed major incident, an emergency phone line is communicated to the security contacts of client organisations.
Commitment deadlines are as follows: acknowledgement within 1 hour for critical incidents, within 4 hours for high-severity incidents. An initial analysis is shared within 24 hours.
In line with applicable GDPR and DORA obligations, CaliaLabs undertakes to notify affected clients within regulatory timeframes in case of personal data breach or significant operational incident.
Awareness and training
The most common attacks against critical platforms do not target the platform itself, but its users: phishing, social engineering, identity fraud.
We recommend that client organisations train their teams to recognise weak signals: unusual requests, manufactured urgency, unusual communication channels, unexpected attachments.
CaliaLabs provides, on request, awareness resources adapted to the platform's usage context, as well as tailored phishing simulations.
In case of doubt about the authenticity of a communication claiming to come from CaliaLabs, always verify through the official contact channel before acting.
Review and updates
This document is reviewed at least once a year, and whenever significant platform changes or changes in the threat landscape occur. The current version is the one published on the Trust Center.
Client organisations are informed of major changes through contractual communication channels.