Security

Cecil Earth Inc ("Cecil") is a climate tech startup that operates the Cecil platform, used by environmental, geospatial, and data science professionals within organisations from small to enterprise scale. This document describes Cecil’s security policies, system architecture, and processes designed to deliver enterprise-grade security.

Business Controls

Vulnerability disclosure

Cecil maintains a public vulnerability disclosure policy that defines acceptable testing scope, safe harbour terms, contact details, and a commitment to respond to valid reports. This policy enables third-party security researchers to report vulnerabilities responsibly, and ensures that such reports are promptly reviewed, triaged, and addressed with priority according to risk severity and impact.

Customer testing

Upon request, customers or their authorised delegates may perform security testing of the Cecil platform under controlled conditions. To initiate the process, send an email to security@cecil.earth describing the testing scope. Following evaluation, Cecil agrees a schedule that avoids service disruption, monitors testing activity while it runs, and reports findings transparently. This process enables customers to validate security, compliance, and risk requirements.

Incident handling

Cecil maintains an incident response plan that defines roles and responsibilities, documents the incident-handling process, and ensures that relevant parties — including internal staff and affected customers — are notified appropriately. In case of a security or operational incident, the plan guides detection, containment, investigation, remediation, and communication steps, and ensures that internal records are retained for audit and future analysis.

Third-party services

Cecil relies on a curated set of trusted third-party service providers, each offering critical infrastructure or productivity functions. These include:

Sub-processors

  • AWS — for compute, storage, and infrastructure services

Productivity tools

  • Google — for identity, email, calendar, and productivity tools

  • Notion — for internal documentation and knowledge management

  • Slack — for team communication

Each sub-processor is used only when necessary, and their access to data is governed by contractual terms and their own privacy and security policies. Cecil reviews the security posture of key providers regularly, and restricts external service usage to minimise third-party risk.

System design controls

Data types

Cecil processes and stores environmental and geospatial data from satellite imagery that is structured in raster (GeoTIFF) and vector (GeoParquet) file formats. Cecil does not collect or store regulated data such as financial, health, or sensitive personally identifiable information. The only customer information stored is first name, last name, email address, and organisation name, simplifying compliance, reducing privacy risk, and allowing security efforts to concentrate on encryption, integrity, and access control of environmental datasets.

Serverless architecture

The Cecil platform operates on a serverless architecture composed of AWS Lambda for compute, S3 for primary storage, DynamoDB for metadata storage, and event-driven messaging services for resilience, such as EventBridge, SNS, and SQS. All services in the Cecil platform are designed against the AWS Well-Architected Framework, each operating under an IAM role scoped to the principle of least privilege, with automated patching across the entire infrastructure.

Network security

Inbound traffic enters exclusively through a managed API gateway, which provides TLS termination, request validation, rate limiting, and WAF integration. The gateway protects against DDoS attacks, code injection, malformed requests, and excessive request rates. Internal services do not accept inbound connections from the public internet. Inter-service communication occurs securely within the AWS environment, isolating internal components and minimising exposure to external threats.

HTTPS enforcement

All network traffic to the Cecil platform is redirected from HTTP (port 80) to HTTPS (port 443), ensuring secure communication by default. The platform requires a minimum of TLS 1.2 and negotiates TLS 1.3 where the client supports it. This safeguards the confidentiality and integrity of data in transit, preventing eavesdropping and man-in-the-middle attacks.

API key management

Customers are encouraged to rotate their Cecil API keys programmatically at intervals appropriate to their risk profile. Key rotation reduces the exposure window if a key is compromised. In case of a lost key, Cecil provides a fallback recovery method via email. Internally, all operations use time-limited credentials, and all customer API keys are stored as securely hashed values.
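The following is an added example, not Cecil's code, showing one way the API key lifecycle described above can be implemented: keys are generated with a cryptographic random source, only a keyed hash of each key is persisted, and rotation gives the previous key a grace window rather than cutting it off at once. The pepper constant, the `cecil_` prefix, the field names and the in-memory table are all assumptions made for this example; a real service would hold the pepper in a secret store and the digests in its metadata table.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field
from typing import Dict, Optional

# Hypothetical server-side pepper. In a real deployment it would be loaded from
# a secret store at start-up; here it is a constructed constant so the example
# runs offline. It is NOT a real secret.
PEPPER = b"constructed-example-pepper-not-a-real-secret"

# Hypothetical key prefix so that keys appearing in logs or repositories are
# recognisable to secret scanners.
KEY_PREFIX = "cecil_"


def hash_api_key(api_key: str) -> str:
    """Keyed SHA-256 (HMAC) of an API key. Only this digest is persisted; the
    plaintext key is returned to the customer once at issue time. Because the
    pepper is held apart from the table, a dump of the table alone does not let
    an attacker authenticate with the stored values."""
    return hmac.new(PEPPER, api_key.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class StoredKey:
    customer_id: str
    expires_at: int = 0  # unix seconds; 0 means no expiry has been scheduled


@dataclass
class ApiKeyStore:
    """In-memory stand-in for the metadata table, indexed by key digest."""
    by_digest: Dict[str, StoredKey] = field(default_factory=dict)

    def issue_key(self, customer_id: str) -> str:
        """Generate a 256-bit random key and store only its digest."""
        api_key = KEY_PREFIX + secrets.token_urlsafe(32)
        self.by_digest[hash_api_key(api_key)] = StoredKey(customer_id)
        return api_key

    def rotate_key(self, customer_id: str, now: int, grace_seconds: int) -> str:
        """Issue a replacement key and schedule the customer's existing keys to
        expire after a grace window, so callers can switch over without an
        outage. Keys already due to expire sooner keep their earlier deadline."""
        deadline = now + grace_seconds
        for stored in self.by_digest.values():
            if stored.customer_id == customer_id:
                if stored.expires_at == 0 or stored.expires_at > deadline:
                    stored.expires_at = deadline
        return self.issue_key(customer_id)

    def revoke_key(self, api_key: str) -> bool:
        """Immediately remove a key (for example after a reported leak)."""
        return self.by_digest.pop(hash_api_key(api_key), None) is not None

    def authenticate(self, presented_key: str, now: int) -> Optional[str]:
        """Return the customer id for a valid, unexpired key, otherwise None."""
        digest = hash_api_key(presented_key)
        stored = self.by_digest.get(digest)
        if stored is None:
            return None
        if stored.expires_at and now >= stored.expires_at:
            return None
        return stored.customer_id

    def purge_expired(self, now: int) -> int:
        """Housekeeping: drop digests whose grace window has elapsed."""
        expired = [d for d, s in self.by_digest.items()
                   if s.expires_at and now >= s.expires_at]
        for d in expired:
            del self.by_digest[d]
        return len(expired)
```

Because the digest is an HMAC under a secret pepper, the table can be indexed by digest directly and a lookup does not leak anything useful about the plaintext key; the grace window in `rotate_key` is what lets a customer rotate programmatically without a gap in service.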

Credential management

All credentials and sensitive configuration are stored securely in AWS Secrets Manager. Secrets are never hard-coded in source code or configuration files. Development, staging, and production environment credentials are separated, preventing cross-environment leakage. This disciplined secret management ensures that critical data remains protected, and that compromised secrets can be rotated immediately while maintaining audit logs.

Encryption

All storage services — including databases, object storage, backups, and logs — use AES-256 encryption, ensuring that data at rest remains protected. All communication between clients and the platform, and between internal services, uses TLS encryption, ensuring data in transit is secure. Encryption keys are owned by Cecil and automatically rotated by AWS KMS. These measures guarantee confidentiality and integrity of customer data, whether stored or transmitted.

Third-party dependencies

Third-party dependencies undergo careful validation before adoption, evaluated for maintenance status, community support, security history, and production readiness. Once adopted, dependencies are subject to automated vulnerability scanning on a daily schedule. If a vulnerability is identified, the engineering team is notified, and remediation is prioritised based on severity and exploitability. This process guards against supply-chain risks and ensures the platform remains secure over time.

Logging and monitoring

All services consolidate JSON-structured logs in AWS CloudWatch with a 90-day retention period configured by default. Monitoring alerts are triggered on error thresholds, repeated traffic patterns, and resource usage anomalies, with Slack notifications delivered in real time. This enables rapid detection of security incidents, supports forensic investigation, and helps ensure platform stability.
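As an added illustration of the alerting described above (example code, not Cecil's monitoring configuration), the block below runs two detectors over a handful of constructed JSON log lines: an error-count threshold per one-minute window, and a repeated-traffic check that flags one client hitting one path more than a set number of times in a window. The field names, thresholds, and log contents are assumptions constructed for this example, and the message formatter stands in for the Slack delivery the page mentions.

```python
import json
from collections import Counter
from datetime import datetime, timezone
from typing import Dict, List

# Detection thresholds. These are assumptions for the example, not Cecil's
# configured values.
ERROR_THRESHOLD = 3    # 5xx/ERROR events per window before alerting
BURST_THRESHOLD = 5    # requests from one client to one path per window
WINDOW_SECONDS = 60

# Constructed JSON log lines in the shape a Lambda handler might emit. Field
# names are assumptions; IP addresses come from documentation ranges.
SAMPLE_LOGS = [
    '{"ts": "2025-01-01T10:00:01Z", "level": "INFO", "client_ip": "198.51.100.10", "path": "/v1/datasets", "status": 200}',
    '{"ts": "2025-01-01T10:00:02Z", "level": "INFO", "client_ip": "203.0.113.7", "path": "/v1/datasets", "status": 401}',
    '{"ts": "2025-01-01T10:00:03Z", "level": "INFO", "client_ip": "203.0.113.7", "path": "/v1/datasets", "status": 401}',
    '{"ts": "2025-01-01T10:00:04Z", "level": "INFO", "client_ip": "203.0.113.7", "path": "/v1/datasets", "status": 401}',
    '{"ts": "2025-01-01T10:00:05Z", "level": "INFO", "client_ip": "203.0.113.7", "path": "/v1/datasets", "status": 401}',
    '{"ts": "2025-01-01T10:00:06Z", "level": "INFO", "client_ip": "203.0.113.7", "path": "/v1/datasets", "status": 401}',
    '{"ts": "2025-01-01T10:00:10Z", "level": "ERROR", "client_ip": "198.51.100.11", "path": "/v1/tiles", "status": 500}',
    '{"ts": "2025-01-01T10:00:12Z", "level": "ERROR", "client_ip": "198.51.100.12", "path": "/v1/tiles", "status": 500}',
    'not json at all',  # a malformed line that must not stop the detector
    '{"ts": "2025-01-01T10:00:15Z", "level": "ERROR", "client_ip": "198.51.100.13", "path": "/v1/tiles", "status": 502}',
    '{"ts": "2025-01-01T10:01:30Z", "level": "ERROR", "client_ip": "198.51.100.14", "path": "/v1/tiles", "status": 500}',
]


def parse_log_line(line: str) -> dict:
    """Parse one JSON log line; raises on malformed input so the caller can count it."""
    rec = json.loads(line)
    ts = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    rec["ts"] = ts.astimezone(timezone.utc)
    return rec


def window_key(ts: datetime) -> int:
    """Bucket a timestamp into a fixed window (integer window number)."""
    return int(ts.timestamp()) // WINDOW_SECONDS


def detect_alerts(lines: List[str]) -> Dict[str, object]:
    """Run the error-threshold and repeated-traffic detectors over log lines."""
    errors_per_window: Counter = Counter()
    requests_per_client_path: Counter = Counter()
    malformed = 0
    for line in lines:
        try:
            rec = parse_log_line(line)
        except (ValueError, KeyError, TypeError):
            malformed += 1  # counted, not silently dropped: a spike here is itself a signal
            continue
        w = window_key(rec["ts"])
        if rec.get("level") == "ERROR" or int(rec.get("status", 0)) >= 500:
            errors_per_window[w] += 1
        requests_per_client_path[(w, rec.get("client_ip", "?"), rec.get("path", "?"))] += 1

    alerts = []
    for w, n in sorted(errors_per_window.items()):
        if n >= ERROR_THRESHOLD:
            alerts.append({"type": "error_threshold", "window": w, "count": n})
    for (w, ip, path), n in sorted(requests_per_client_path.items()):
        if n >= BURST_THRESHOLD:
            alerts.append({"type": "repeated_traffic", "window": w,
                           "client_ip": ip, "path": path, "count": n})
    return {"alerts": alerts, "malformed_lines": malformed}


def format_slack_message(alert: dict) -> str:
    """Render an alert as the one-line text a chat notification would carry."""
    if alert["type"] == "error_threshold":
        return f":rotating_light: {alert['count']} server errors in one {WINDOW_SECONDS}s window"
    return (f":warning: {alert['count']} requests from {alert['client_ip']} "
            f"to {alert['path']} in one {WINDOW_SECONDS}s window")
```

On the sample data the first window carries three server errors (at the threshold) and five 401 responses from one client to one path, so two alerts are raised; the lone error in the following window stays below the threshold, and the malformed line is counted rather than allowed to abort the run.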

Infrastructure as code

The Cecil platform infrastructure is defined using Terraform, stored in version control, and subject to code review before deployment. Development, staging, and production environments are isolated with separate AWS accounts. This approach enables deployments with consistency, reproducibility, and traceability of infrastructure changes. In case of configuration errors or incidents, rollbacks are possible, and the history of changes remains auditable.

Build and release process

Cecil maintains a deterministic build and release process designed to ensure the integrity, traceability, and reliability of all changes deployed to the platform. All source code is managed in Git, where changes are reviewed and then deployed with a versioned Terraform state and an AWS ECR image tag, providing immutable versioning for each release. Together, these controls provide a reliable, auditable, and secure build and release pipeline in which every platform code change is delivered with integrity and accountability.

Operational controls

Identity management

All employees use Google Workspace for identity management with Multi-Factor Authentication enforced for all accounts. Access to internal services, code repositories, and production environments is controlled by role-based permissions, following the principle of least privilege. Privileged or administrative access is granted only when necessary, and rules for granting, reviewing, and revoking access are well-defined. This ensures robust identity hygiene, reduces the risk of account compromise, and enforces accountability across the team.

Device management

All team members use encrypted Mac laptops, with automatic operating system and security updates enabled. Internal guidelines govern acceptable device use, credential storage, secure network practices, and handling of sensitive information. These measures protect the team against risks such as lost or stolen devices, malware, and inadvertent data exposure.

Backup and disaster recovery

Cecil configures S3 to use versioning for object storage, ensuring that historical versions of data are preserved. Infrastructure definitions managed via Terraform enable reconstruction of the environment if needed. In the event of data corruption, misconfiguration, or service disruption, the system supports rollback or restoration from previous states. This approach ensures data durability, business continuity, and resilience against a variety of failure scenarios.