Cryptographic Operations
Governs encryption, key management, and cryptographic services across AiVRIC to protect sensitive data at rest and in transit.
Purpose & scope
The purpose of AiVRIC Cryptographic Operations is to ensure the confidentiality of AiVRIC data by implementing appropriate cryptographic technologies to protect systems and data. This applies to data whether it is at rest or in transit.
This policy applies to AiVRIC, its services and environments, and to all employees, contractors, subcontractors, and third parties who store, process, transmit, or dispose of AiVRIC data.
Appropriate cryptographic safeguards must be used to protect sensitive business data against loss, unauthorized access, or disclosure.
Key controls
- Use of cryptographic controls (CRY-01): AiVRIC maintains enterprise-wide cryptographic protections documentation and processes, uses trusted public standards/technologies, and regularly reviews and updates cryptographic standards, controls, and procedures.
- Transmission confidentiality (CRY-03): AiVRIC implements robust cryptographic systems to ensure sensitive information is encrypted with strong encryption before being transmitted over networks.
- Transmission integrity (CRY-04): AiVRIC employs cryptographic mechanisms to ensure integrity of data during transmission.
- Encrypting data at rest (CRY-05): AiVRIC protects sensitive data at rest (including personal and regulated data) by implementing robust cryptographic mechanisms to protect confidentiality and integrity, ensuring encryption uses industry-recognized standards, and regularly reviewing and updating encryption methods.
- Storage media protections (CRY-05.1): AiVRIC safeguards sensitive/regulated data on storage media using cryptographic mechanisms that protect confidentiality and integrity.
- Public Key Infrastructure (CRY-08): AiVRIC implements and maintains an internal PKI that aligns to a certificate policy, or uses an approved reputable PKI provider; certificate lifecycle is monitored and managed (issuance, renewal, revocation).
- Cryptographic key management (CRY-09): AiVRIC manages key lifecycle (generation, distribution, storage, rotation, destruction), stores keys securely using HSMs or approved secure storage mechanisms, requires signed and acknowledged key holder agreements for relevant personnel, and audits key management controls.
- FIPS-aligned key generation (CRY-09.1 / CRY-09.2): Symmetric and asymmetric keys are produced using NIST FIPS-compliant key management technologies and processes.
- Key loss/change resiliency (CRY-09.3): Measures are maintained to ensure continued availability of information even if cryptographic keys are lost or changed.
- Key control & distribution (CRY-09.4): Cryptographic keys are distributed securely using industry-recognized key management technologies and processes.
Operating procedures
- Governance & ownership: AiVRIC Security leadership governs enterprise-wide cryptographic protections documentation and standards, ensuring alignment with public standards and trusted technologies and performing regular reviews/updates.
- Encrypt before transmit: Sensitive information must be encrypted with strong encryption prior to network transmission and protected with mechanisms that assure both confidentiality and integrity in transit.
- Encrypt at rest by default for sensitive data: Sensitive and regulated data stored on system components and storage media must be encrypted using industry-recognized encryption standards; encryption methods are periodically reviewed and updated to remain aligned with best practices.
- PKI operations: Use certificate policies for issuance and management; lifecycle management includes renewal and revocation to preserve integrity and trust.
- Key lifecycle management: Manage keys end-to-end (generation, distribution, storage, rotation, destruction); store keys in HSMs or approved secure storage; require key-holder agreements where applicable; conduct periodic audits/reviews of key management controls.
- Availability safeguards: Ensure mechanisms exist to maintain availability of information if keys are lost or changed (e.g., escrow/recovery procedures aligned to approved standards).
- Secure distribution: Distribute cryptographic keys only through industry-recognized secure key management technologies and processes.
Evidence & ownership
- Owner: Security & Compliance (with operational execution by IT / Engineering as applicable).
- Review cadence: At least annually, and after material changes.
- Compliance measurement: AiVRIC verifies compliance through methods including technical scans and other assessment mechanisms, internal or external audits, and security dashboards and reports.
- Exceptions: Requests for exceptions must be submitted to the AiVRIC CISO (or designated security authority) and should include: scope, justification, potential impact/risk, risk mitigations, actions the requestor will take, and a timeframe to meet minimum compliance.
- Non-compliance: Violations may result in disciplinary action up to and including termination (employees/contractors) and termination of contractual agreements and/or denial of access (third parties), as well as civil/criminal penalties where applicable.
- Contact: [email protected]