# Organizational and physical security practices

Union.ai maintains organizational security controls to protect people, facilities, and endpoint devices.
These controls are independently verified through SOC 2 Type II audits and continuously monitored via the Vanta Trust Center (trust.union.ai).

## Employee security lifecycle

**Verified controls** (source: Trust Center, SOC 2 Type II audit)

| Control | Description | Verification |
| --- | --- | --- |
| Background checks | All employees with access to production systems undergo background checks prior to onboarding | SOC 2 Type II |
| Security awareness training | Required within 30 days of hire and annually thereafter for all employees | Trust Center (passing) |
| Confidentiality agreements | Signed by all employees and contractors during onboarding | Trust Center (passing) |
| Code of conduct | Acknowledged by all employees and contractors; violations subject to disciplinary action | Trust Center (passing) |
| Access provisioning | Documented procedures for granting, modifying, and revoking user access | Trust Center (passing) |
| Termination checklists | Access revoked for terminated employees via formal checklist process | Trust Center (passing) |
| Performance evaluations | Managers complete evaluations for direct reports at least annually | Trust Center (passing) |
| Least-privilege access | Internal systems follow least-privilege; regular access reviews conducted | SOC 2 Type II |

## Governance & organizational controls

| Control | Description | Verification |
| --- | --- | --- |
| Defined security roles | Formal roles and responsibilities for design, implementation, and monitoring of security controls | Trust Center (passing) |
| Organizational structure | Documented org chart with reporting relationships | Trust Center (passing) |
| Board-level oversight | Board or relevant subcommittee briefed by senior management on security and risk at least annually | Trust Center (passing) |
| Information security policies | Policies and procedures documented and reviewed at least annually | Trust Center (passing) |
| Whistleblower policy | Formalized policy with anonymous communication channel for reporting violations | Trust Center (passing) |
| Vendor management | Third-party vendors and sub-processors evaluated and monitored; sub-processor list available via Trust Center | SOC 2 Type II |
| Business continuity | Business continuity and disaster recovery (BC/DR) plans maintained in line with SOC 2 requirements | SOC 2 Type II |

## Security development lifecycle

* **Secure coding:** Guidelines enforced through mandatory code review processes
* **Automated security testing:** Integrated into CI/CD pipelines
* **Dependency scanning:** Vulnerability scanning and management for all software dependencies
* **Infrastructure-as-code:** Version-controlled security configurations
* **Penetration testing:** Regular third-party security assessments
* **Incident response:** Documented procedures aligned with SOC 2 Type II, including defined escalation paths and post-incident review

> [!NOTE]
> All controls marked as “passing” are continuously monitored via Vanta and verified through the Union.ai Trust Center at trust.union.ai. The SOC 2 Type II audit report is available upon request.

---
**Source**: https://github.com/unionai/unionai-docs/blob/main/content/security/organizational-security-practices.md
**HTML**: https://www.union.ai/docs/v2/union/security/organizational-security-practices/
