This Security Addendum ("Addendum") describes the technical and organisational security measures implemented by Imperial Eminence Cyberguard Corporation ("IECC") in connection with The Ivory Index Software and associated services. It supplements the EULA, DPA, and MSA and forms part of the agreement between IECC and the Customer.
User profile data stored at ~/.theivorry/profiles/{id}/ resides on the Customer's local device. IECC recommends full-disk encryption (e.g., macOS FileVault, Windows BitLocker) for all devices running the Software. The Software does not implement additional application-layer encryption of local profile data beyond what the host OS provides.
Where the Software makes outbound network requests (e.g., optional model downloads via Ollama, institution database updates), IECC requires TLS 1.2 or higher for all connections. Self-signed certificates are not accepted. Certificate validation is enforced.
Where IECC operates cloud-based services under an Order Form, data at rest is encrypted using AES-256 or equivalent. Data in transit uses TLS 1.3 where supported, with TLS 1.2 as the minimum.
| Control | Implementation |
|---|---|
| Local Software access | OS-level user authentication; no IECC remote access to local data |
| IECC internal systems | Role-based access control; principle of least privilege |
| Cloud infrastructure (if applicable) | MFA required for all privileged access; SSH key authentication; no shared credentials |
| Code repositories | Access restricted to authorised developers; branch protection on main |
| Production environments | Separated from development; access logged and audited |
IECC does not maintain backups of User local profile data, as such data resides exclusively on the User's device. Users are solely responsible for backing up their local data. IECC recommends regular backups of the ~/.theivorry/ directory.
Where IECC operates cloud services, automated backups are performed daily. Backups are retained for 30 days (standard tier) or 90 days (enterprise tier). Recovery time objective (RTO): 4 hours. Recovery point objective (RPO): 24 hours.
Security incidents affecting IECC systems are handled in accordance with the Incident Response Policy (IECC-T4-003). For incidents affecting Customer data actually held by IECC (cloud services only), IECC will notify the Customer without undue delay and in any event within 72 hours of becoming aware of the incident, in accordance with applicable data protection law.
IECC evaluates third-party service providers and subprocessors for security posture prior to engagement. Key providers and their roles are documented in the Subprocessor Register (IECC-T4-002). IECC requires subprocessors handling Customer data to implement security measures at least equivalent to those described in this Addendum.
IECC reviews and updates this Addendum at least annually and upon material changes to the security programme. Customers will be notified of material security changes affecting their data.