Vulnerability management
Vulnerability assessment
Union.ai’s vulnerability management program includes dependency analysis and automated CVE alerts for software dependencies, container image scanning for platform and customer-facing components, and periodic third-party penetration testing.
Patch management
Union.ai follows a risk-based approach to patching. Critical vulnerabilities (CVSS 9.0+) are prioritized for immediate remediation. High-severity vulnerabilities are addressed within defined SLA windows.
The control plane is updated independently of customer data planes, so security patches can be applied without customer-side changes. In self-managed deployments, the customer handles data plane patching. In BYOC deployments, Union.ai manages data plane patching on the customer’s behalf.
Incident response
Union.ai maintains documented incident response procedures aligned with SOC 2 Type II requirements, including defined escalation paths, communication protocols, containment procedures, and post-incident review processes. The control plane’s stateless handling of customer data limits the potential impact of any control plane incident. See Two-plane separation for details.
Third-party dependency risk
Union.ai relies on a small number of critical and operational dependencies, each with specific mitigations.
| Dependency | Tier | Role | Mitigation |
|---|---|---|---|
| Cloudflare | Critical | Cross-plane connectivity (Tunnel and gRPC ingress) | mTLS, outbound-only, health monitoring, auto-reconnection |
| AWS (control plane) | Critical | CP infrastructure | Multi-AZ, automated failover, encryption at rest and in transit |
| Customer cloud provider | Critical | DP infrastructure | Customer-managed; Union.ai provides guidance and tooling |
| Vanta | Operational | Compliance monitoring | Independent SOC 2 audit validates controls |
| Okta | Operational | OIDC authentication | Standard OAuth2/OIDC; API keys and service accounts as fallback |
The vendor management program is covered under SOC 2 Type II with periodic evaluation. A formal dependency risk assessment is available upon request. In self-managed deployments, the customer owns all data plane dependencies. In BYOC deployments, Union.ai assumes cluster-level dependency risk.
Verification
Vulnerability management
Reviewer focus: Confirm that Union.ai has an active vulnerability management program with defined SLAs and that third-party dependencies are evaluated and monitored.
How to verify:
- The SOC 2 Type II report and Trust Center cover vulnerability management and vendor assessment controls.
- Penetration test results are available on request.
This is audit-only verification.