Organizational security
Employee security lifecycle
Union.ai conducts background checks for all employees with production system access, verified through the SOC 2 audit. Security awareness training is required within 30 days of hire and annually, monitored via Vanta. Confidentiality agreements are signed by all employees and contractors. A code of conduct is acknowledged by all personnel, with violations subject to disciplinary action.
Access management follows documented procedures for provisioning, modification, and revocation. Termination checklists ensure complete access revocation when employees depart. Annual performance evaluations are conducted. Least-privilege access to internal systems is enforced with regular access reviews.
Governance
Formal security roles and responsibilities are defined with a documented organizational structure and reporting relationships. Board-level oversight is maintained: senior management briefs the board on security and risk at least annually.
Information security policies are documented and reviewed at least annually. A whistleblower policy provides an anonymous communication channel for reporting concerns. Third-party vendors are evaluated and monitored through the vendor management program, and the sub-processor list is available via the Trust Center. Business continuity and disaster recovery plans are aligned with SOC 2 requirements.
Security development lifecycle
Secure coding guidelines are enforced through mandatory code review. Automated security testing is integrated into CI/CD pipelines. Dependency scanning and vulnerability management cover all software components. Infrastructure-as-code with version-controlled security configurations ensures that infrastructure changes are auditable and reproducible.
Regular third-party penetration testing validates the effectiveness of security controls. Documented incident response procedures include escalation paths and post-incident review.
Verification
Organizational security
Reviewer focus: Confirm that organizational security practices are documented and independently verified.
How to verify:
These are organizational practices verified through the SOC 2 Type II audit and Trust Center continuous monitoring. Verification is audit-only: these practices cannot be demonstrated through product features, so reviewers should rely on the audit report and Trust Center evidence rather than product inspection.