​

Foreword

​

1. Security Team and Its Responsibilities

• Security Management ** and Compliance**: Responsible for communicating enterprise-level security and compliance standards to AnyGen development teams. This function establishes secure development practices to ensure AnyGen’s data storage model aligns with enterprise data processing standards.
• Business and Product Security: Focuses on access control and prevention of unauthorized privilege escalation within AnyGen’s complex business logic.
• Data Security: Ensures the confidentiality and integrity of AnyGen’s data.
• Incident Response and Disaster Recovery: Handles runtime anomalies and emergency security incidents.

​

2. Personnel Security

• Onboarding, Transfer , ** and Offboarding Control**: All new hires and internal transfers must undergo standardized background checks and approval processes. Upon resignation or role changes, permissions are revoked systematically and promptly to eliminate orphaned accounts.
• Confidentiality and Compliance Agreements: All employees must sign rigorous non-disclosure agreements. When handling system troubleshooting or data analysis reported by users, unauthorized access to user business data is strictly prohibited; all activities must comply with strict data masking and query control protocols.
• Security Training and Awareness: The company organizes training programs regarding employees’ professional knowledge and skills and information security awareness, including:
  • Organize information security-related training programs to enhance employees’ information security skills, at least once a year;
  • Hold information security activities periodically to publicize information security awareness, at least once a year;
  • Communicate security awareness to employees in multiple ways, such as making publicity materials for security awareness and conveying them to employees through the mail, posters, etc.
• Endpoint and Office Environment Security: AnyGen has developed a sound security management and control strategy for terminal equipments of employees and deployed it to all equipments by default. Employees cannot delete or modify the security configuration by themselves.

​

3. Network Security

• Network Access Control: AnyGen uses access control lists (ACLs) for network isolation. Different network areas such as guest networks, office networks, development test networks, and production networks are divided internally. All employees who are outside AnyGen’s network borders need to access AnyGen’s internal resources through a VPN connection. AnyGen’s internal audit department will audit access logs, etc., find and trace non-compliant operation records, and impose corresponding penalties.

• Network Firewall: AnyGen uses a network firewall to intercept common network security vulnerability attacks in AnyGen products, and only authorized security and compliance engineers can uniformly configure the protection rules of the network firewall. AnyGen has set up a combination of automatic and manual methods to update the network firewall configuration.
• DDoS and Network Attack Defense: AnyGen service provides customers with network access through CDN and dynamic acceleration, and accesses back-end services through company load balancing; AnyGen has deployed industry-leading anti-DDoS services to defend against traffic-based and connection-based attacks.
• Network Transmission Encryption: AnyGen uses HTTPS and WSS for encrypted transmission in both the internal and external networks, ensuring the security of the transmission process and preventing eavesdropping and tampering.

​

4. Server and Runtime Environment Security

• Server Access Control: AnyGen regularly scans server assets, closes unnecessary ports and services in a timely manner, minimizes external permissions, filters unsafe services, and reduces security risks. Security personnel conduct weak password detection on a regular basis, and urge server operation personnel to increase the complexity of passwords to prevent brute force cracking. All access to the server must be operated and audited through the bastion host. AnyGen uses the whitelist to control the access source of business services to ensure that only trusted sources can access the service.
• Vulnerability Scanning: AnyGen uses automated vulnerability scanning tools to regularly detect server vulnerabilities. After the confirmation by security personnel, it will be notified to relevant personnel for processing and repair. The operation personnel will regularly update the system patches to effectively ensure the stable operation of the server.
• Intrusion Detection: AnyGen’s physical servers are fully deployed with HIDS (Host-based Intrusion Detection System), which can monitor server file baseline changes in real time, discover abnormal processes, capture active abnormal external links, Trojan backdoors, and other abnormal behaviors, and respond in a timely manner. In addition, all traffic from the client end is detected and verified by WAF (Web Application Firewall) to ensure its security and legality, and to block malicious requests in real time. The security team will closely track the security situation and the latest attack methods, study intrusion characteristics, and regularly upgrade defense strategies.
• Anomaly Detection: Built on the big data platform and machine learning platform, the security team conducts multi-dimensional security analysis on the massive host logs generated by the server and the data collected by the self-developed HIDS, establishes an anomaly detection model, and timely discovers risky operations and abnormal processes on the server, malicious network connections, and other abnormal behaviors, and responds in a timely manner. The security team will closely track the security situation and the latest attack methods, continuously iterate the security algorithm model, update the abnormal behavior characteristics, and regularly upgrade the defense strategy.

​

5. Application Security

• Secure Development Process: AnyGen strives to control security risks from the source of security vulnerabilities. By making security courses and providing training in the form of on-site and online programs, all developers and product managers must receive security training to understand the causes of relevant security vulnerabilities and strengthen coding knowledge. When the project starts, the security team communicates with the project manager to ensure that security requirements and security tests are reflected in the project plan. At the same time, the security team will evaluate the third-party libraries and tools used by the product, and discover vulnerabilities to ensure that there are no vulnerabilities introduced by the supply chain. The security team conducts design and code security reviews with the product team. Before the product goes online, a penetration test and a security assessment of deployment will be conducted to ensure the security of the service.
• Vulnerability and Security Incident Management: AnyGen monitors internal and external security vulnerabilities and threat intelligence information through various means. The security team uses automated security scanning tools to scan its own services and operating systems, and conducts security checks on application systems through regular penetration tests. After the vulnerability and threat intelligence information is confirmed, the risk level will be determined according to the hazard situation, and it will be pushed to the relevant team for repair and processing as soon as possible. AnyGen has a complete vulnerability lifecycle management strategy, and a professional security team follows up on all security problem solving.

​

6. Data Security

• Data Transmission: AnyGen provides users with data transmission links that support strong encryption protocols. Data transmissions are all encrypted using HTTPS and using 2048-bit RSA keys.
• Data Storage: AnyGen has developed a comprehensive data classification management method, and has implemented strict classification and classification management of collected user information, encrypted all sensitive information stored in the system, effectively protecting users’ information security.
• Data Access: Access to user data is strictly isolated with permissions. Users cannot access each other without authorization. By default, employees of AnyGen do not have access to any user data, and all operations of employees are strictly restricted and audited.
• Disposal of Data:** **When AnyGen signs a cooperation agreement with the user organization, it agrees with the user organization that when the cooperation is terminated, AnyGen will process user-related data in accordance with laws and regulations, including but not limited to deletion and anonymization, both of which are irreversible. All data deletion and anonymization technical means comply with the prevailing industry standards and the requirements of laws and regulations.
• Data Security Inspection: The login behavior, operation behavior, server security baseline file changes, access rights changes, and data access behaviors of all servers in AnyGen’s online environment will be recorded. By establishing user behavior portraits and abnormal behavior models, the security team realizes the identification, analysis, and correlation of abnormal behaviors, and automatically detects various abnormal data access behaviors in real time, such as inappropriate access to data, malicious data crawling and risky operations, login abnormalities, privilege escalation, etc., and issues alarms or blocks them.

​

7. Disaster Recovery and Business Continuity

• Multi-Instance Cluster Deployment: Backend services are deployed across multiple instances to ensure reliability. Granular monitoring of traffic and system health enables seamless state sharing and rapid failover between instances during traffic surges or hardware failures.
• Backup and Recovery: AnyGen has formulated relevant regulations to standardize database backup strategies, backup data storage, and backup recovery testing. The business databases have regular snapshots and backups. At the same time, AnyGen has deployed a backup execution monitoring mechanism to ensure the integrity of data backups, and regularly conducts backup data recovery tests.
• Emergency ** Drills**: AnyGen has a complete emergency drill mechanism, and regularly conducts drills. Participants include business teams, security teams, and operation and maintenance teams. Disaster recovery drill is conducted at least once a year for situations that may cause business interruptions to ensure data availability.

​

8. Change Management

• Program Changes: AnyGen has established comprehensive change management controls, and clarified the change management requirements and process, including change plan, change approval, and change implementation. Operations that have known or potential impacts on the stability, availability, and security of online services fall within the scope of online changes. AnyGen product development strictly controls the change operation to prevent the change operation from affecting the stability of the service. Online operations must have an operation request, which can only be carried out after approval. AnyGen has deployed independent development, testing, and production environments for each product-related application. The change operation follows the canary release and goes online. A small traffic test is required before the official release, so as to ensure the stability and security of the service.
• Source Code Control: AnyGen has established a strict source code management process, and research personnel can only access and manage the code warehouse corresponding to their team. Each project code warehouse in the code warehouse has a person in chargeof the code warehouse. If the R&D personnel need to apply for access to the code warehouse other than their team, they must submit the application in the code warehouse, and after the approval of the department head and the person in charge of the applied code warehouse, the corresponding permissions can be granted. Redundant permissions that remain unused for an extended period will be revoked.
• Infrastructure Changes: AnyGen deploys an access control list at the border of the public network to control network access. If it is necessary to change the ACL configuration baseline and network access control list, the operation and maintenance personnel submit an application through the platform, and professional engineers will perform the operation after assessing the rationality of the change. Only authorized engineers have the permission to perform changes to the network access configuration.
• Change Monitoring: AnyGen conducts internal audits every year to check the operation of AnyGen’s internal control system, which covers the implementation effectiveness of control related to change management, and summarizes the results in the internal audit report. If abnormalities are found, the internal audit department and the relevant responsible team will communicate and follow up on the rectification results. Segregation of duties exists in the change management process, including change development, testing, approval, release, and monitoring.

​

9. AI Security and Trustworthiness

• Identity Management: Implements full-lifecycle identification and permission management for AI agents, ensuring all identities are verifiable and their permissions are strictly constrained.
• Secure Environment: Provides a trusted execution environment for AI agents through device admission control, network isolation, and sandboxing.
• Controllable Behavior: Performs focused monitoring and constraint of AI agent behaviors to ensure that they conform to expectations.
• Trusted Data: Protects the security of data handled by AI agents during processing, including data leakage prevention, end-to-end encryption, and dynamic data masking.
• Trusted Content: Ensures the security and compliance of AI agents’ interaction content, including content moderation, anti-fraud, and prompt-injection defense.