Security

Security is built into how we work — not bolted on afterwards. As a company that ships production AI and red-teams models for a living, we hold our own systems to the same standard. This page describes, at a high level, how Lynkstr Private Limited protects its systems, data, and the products it builds, and how to report a vulnerability.

01Our approach

We follow a defence-in-depth, least-privilege philosophy and apply controls proportionate to risk. Our practices are informed by widely recognised standards and guidance, including the OWASP Top 10 and the OWASP Top 10 for Large Language Model Applications. Security is a shared responsibility across the team, and we treat it as an ongoing process rather than a one-time checklist.

02Infrastructure & hosting

• Systems run on reputable cloud and hosting providers with strong physical and network security.
• Environments are separated, and network access is restricted to what is necessary.
• We keep operating systems and dependencies patched and up to date.

03Encryption

• In transit: traffic to our websites and services is encrypted with TLS (HTTPS).
• At rest: data stored in our managed databases and storage is encrypted at rest.
• Secrets and credentials are stored using secure secret-management practices, never in source code.

04Access control

• Access to systems and data is granted on a least-privilege, need-to-know basis.
• We use strong authentication and enable multi-factor authentication on critical accounts.
• Access is reviewed periodically and revoked promptly when no longer required.

05Secure development

• Security is considered throughout our software development lifecycle, from design to deployment.
• Changes go through version control and review before reaching production.
• We use dependency scanning and address known vulnerabilities in libraries we rely on.
• We follow secure coding practices to mitigate common web risks (injection, XSS, CSRF, and similar).

06AI & model security

Securing AI systems is a core competency — it is one of the services we offer. For our own products and client work, we consider AI-specific risks such as prompt injection, data leakage, insecure output handling, and model misuse. Where appropriate, we apply input/output controls, guardrails, and red-teaming and safety evaluation to probe for failure modes, bias, and adversarial weaknesses before release.

07Monitoring & logging

• We log relevant system and application events to support detection and investigation.
• We monitor for anomalies and operational issues that could indicate a security problem.
• Logs are protected and retained in line with operational and legal needs.

08Vulnerability management

We track and triage vulnerabilities in our infrastructure, applications, and dependencies, prioritising remediation by severity and exploitability. We welcome reports from the security community — see Reporting a vulnerability.

09Incident response

We maintain a process to detect, contain, investigate, and remediate security incidents. Where an incident affects personal data, we act in accordance with our Privacy Policy and applicable law, including India's Digital Personal Data Protection Act, 2023, and will notify affected parties and authorities where required.

10Data protection

How we collect, use, and protect personal data is described in our Privacy Policy. On client engagements, we handle client data per the relevant agreement and only as instructed, applying the safeguards described on this page.

11Subprocessors

We use a limited set of trusted third-party providers (for example, cloud hosting, email, and AI model providers) to operate our business. We select providers with appropriate security practices and bind them with suitable contractual terms. A current list can be provided to clients on request.

This page describes our practices at a high level and does not form part of any contract or warranty. Specific security commitments for an engagement are set out in the applicable agreement.