Procurement Resources

Overview

This article provides an overview of Untitled’s approach to security, infrastructure protection, patch management and data handling. It is intended to assist enterprise customers, procurement teams, and security reviewers evaluating Untitled as a technology vendor.

Untitled provides a cloud-based Audience Platform used by organizations to perform identity resolution, data enrichment, audience building, and marketing activation workflows. The platform processes pseudonymous website visitor signals and technical metadata in order to assemble identity profiles that can be used for marketing analytics and activation use cases.

Because the platform operates on infrastructure that processes marketing and identity data, security and operational reliability are foundational considerations in how Untitled designs and operates its systems.

Security Philosophy

Untitled’s security program is based on practical, layered controls designed to protect platform infrastructure, customer data, and internal systems.

Core principles include:

Least-privilege access Access to infrastructure, production systems, and internal tools is granted based on role and limited to personnel whose responsibilities require it.

Defense-in-depth Security controls are implemented across infrastructure, application, and identity layers rather than relying on a single protective mechanism.

Secure cloud architecture Untitled’s platform is deployed on Amazon Web Services (AWS) and leverages managed cloud security controls such as encrypted storage, private networking, and access control policies.

Continuous monitoring and maintenance Infrastructure dependencies and system components are monitored for vulnerabilities and updates through automated tooling and internal review processes.

Security Program Scope

Untitled’s operational security practices include controls across the following areas:

• Infrastructure and cloud security

• Identity and access management

• Encryption and data protection

• Vulnerability management and patching

• Incident response and operational resilience

• Vendor and subprocessor management

Infrastructure Model

Untitled operates as a cloud-native SaaS platform hosted within Amazon Web Services (AWS).

Infrastructure is deployed within United States AWS regions and utilizes multi-availability-zone architecture to support system reliability. Encrypted backups and internal restoration procedures are maintained to support recovery in the event of disruption.

Encryption & Data Protection

Untitled protects data both in transit and at rest using widely adopted encryption standards.

• Data in transit is encrypted using TLS 1.2 or higher

• Sensitive data stored in databases and object storage is encrypted using AES-256 encryption

• Encryption keys are managed using AWS Key Management Service (KMS)

Identity & Access Management

Access to internal systems and infrastructure is governed through role-based access control and centralized identity management, powered by Okta's Auth0 service.

Multi-factor authentication (MFA) is required for access to all production systems, cloud infrastructure, administrative tooling, and systems containing sensitive company or customer information. All internal tools are configured with MFA as a requirement.

User access privileges are reviewed periodically and are revoked promptly upon employee off-boarding.

Observability & Patch Management

Untitled maintains a risk-based approach to identifying, prioritizing, and remediating security vulnerabilities and system errors across its infrastructure, applications, and dependencies. Issues are identified through automated scanning tools, monitoring of publicly disclosed vulnerabilities (such as CVEs), vendor alerts, and internal observability and engineering processes.

Each issue is evaluated based on severity and potential impact, with critical vulnerabilities prioritized for immediate remediation and lower-severity issues addressed through standard maintenance and release cycles. Where immediate fixes are not feasible, mitigating controls may be implemented to reduce risk.

Patches and updates are deployed through controlled processes, including CI/CD pipelines, managed cloud services, and version-controlled dependency updates. Untitled maintains continuous visibility into vulnerabilities through automated issue tracking, real-time alerting, and a structured weekly review process to ensure timely remediation.

Additional information on Untitled's observability systems and patch management processes can be found in the Observability & Patch Management Policy article.

Incident Response & Operational Resilience

Untitled maintains internal procedures for responding to security incidents and operational disruptions.

These procedures define escalation paths, investigation processes, communication expectations, and remediation steps in the event of a security incident.

In the event of a confirmed security incident affecting customer data, Untitled will notify affected customers in accordance with the obligations defined in its Platform Services Agreement.

Vendor & Subprocessor Oversight Policies

Untitled utilizes a limited set of third-party infrastructure and service providers to support operation of the platform.

Vendors are evaluated based on the sensitivity of the systems and data they may access, and access is restricted according to least-privilege principles. All Third-Party subprocessors are bound to the same standards defined in the Untitled Platform Services agreement, and Untitled remains fully liable for the acts and omissions of its subprocessors.

A list of third-party subprocessors and additional information about vendor oversight can be found in the Third-Party Subprocessors article.

Enterprise Procurement & Security Reviews

Untitled regularly works with enterprise customers that require vendor security and procurement reviews. This documentation section is intended to support those processes with an overview of our systems, controls, standards and policies.

If additional documentation or questionnaire responses are required as part of a procurement process, please contact the Untitled team via [email protected]