WBN Data Security Statement

WBN personnel with access to personal data or sensitive systems receive security awareness training appropriate to their role. Training covers topics including phishing recognition, secure credential management, data handling obligations, and the reporting of suspected security incidents. Security awareness is treated as an ongoing obligation, not a one-time onboarding exercise.

Access to WBN's systems and data is granted based on defined roles and the specific information each role legitimately requires. Access rights are reviewed when roles change, when staff leave or change function, and on a regular periodic basis to identify and remove access that is no longer appropriate. Privileged access — administrative rights that carry elevated risk — is subject to additional controls and more frequent review.

WBN maintains internal security policies that set out the obligations of all personnel with respect to data handling, system access, device security, and incident reporting. These policies are reviewed and updated regularly, and compliance with them is a condition of employment and engagement for all staff and contractors with access to WBN's systems or information.

Where WBN engages third-party vendors or suppliers who handle personal data or have access to WBN systems, we assess their security practices before engagement and apply contractual obligations that require them to maintain appropriate security standards. Vendor relationships are reviewed on an ongoing basis and security obligations are enforced. This includes cloud infrastructure providers, software-as-a-service platforms, and professional service providers with any access to WBN's information environment.

Information security at WBN is treated as an organisational priority with defined accountability at senior leadership level. Security decisions are not delegated solely to technical teams — they are integrated into operational, editorial, and commercial decision-making. WBN's security posture is reviewed at a leadership level on a regular basis, and material security risks are escalated for senior attention.

• Model security. WBN's AI models — their trained configurations, weights, and operational parameters — are protected as high-value intellectual property and operational assets. Access to model infrastructure is restricted, logged, and monitored.
• Adversarial robustness. WBN tests its AI systems for susceptibility to adversarial manipulation — including prompt injection attacks, attempts to extract sensitive information from model outputs, and other techniques designed to compromise AI system behaviour. Systems found to be vulnerable are not deployed in sensitive contexts without mitigation.
• Data pipeline security. The data that feeds WBN's AI systems — training data, inference inputs, and operational data — is handled with the same security controls applied to other sensitive information categories. AI systems do not have broader access to WBN's information environment than is necessary for their defined function.
• Output monitoring. AI outputs in production systems are monitored for anomalous patterns that may indicate system compromise, data leakage, or unexpected behaviour caused by security incidents or model drift.

WBN does not rely solely on automated security monitoring for its AI systems. Human review is applied to security-relevant AI behaviour, and human decision-making governs responses to AI-related security incidents. The principle of human oversight that governs WBN's editorial AI use extends equally to AI security — automated systems surface information and flag concerns; people make decisions about how to respond.

Security considerations are incorporated into WBN's AI development lifecycle from the outset — not added after deployment. New AI capabilities are assessed for their security implications before being introduced into production environments. This reflects WBN's broader commitment to responsible AI described in our Responsible AI Policy.

WBN selects third-party providers through an assessment process that includes evaluation of their security practices, certifications, and track record. Providers who handle personal data or have access to WBN's systems are required under contract to maintain security standards consistent with WBN's obligations to its users and with applicable law. We do not accept that the involvement of a third-party provider reduces WBN's responsibility for the security of information in its care.

Provider security obligations are not set and forgotten at contract signing. We monitor material changes to provider security posture, review provider relationships periodically, and require notification from providers of security incidents that may affect WBN's information or systems. Where a provider's security practices fall below the standard required, we address the gap through remediation requirements or, where necessary, by changing provider.

We acknowledge that WBN does not have direct control over the internal security practices of its third-party providers, and that the security of major cloud and infrastructure providers is itself subject to risks beyond any single customer's influence. Where a significant security incident at a third-party provider affects WBN's users or systems, we respond in accordance with the incident response process described in Section 8.

WBN's monitoring systems are designed to identify potential security incidents — including unauthorised access attempts, unusual data access patterns, system integrity changes, and anomalous behaviour in AI systems — and to alert our security team for investigation. Detection is continuous, not periodic.

When a potential security incident is identified, it is investigated promptly to establish its nature and scope. Where an incident is confirmed, our immediate priority is containment — limiting further access, protecting affected data, and preventing the incident from expanding in scope while investigation continues.

Where a security incident involves personal data and meets the threshold for notification under applicable privacy and data protection laws, WBN will notify the relevant regulatory authorities and affected individuals within the timeframes required by those laws — and in many cases, as quickly as our investigation allows. We communicate clearly and honestly about what occurred, what information was affected, and what we are doing about it.

Following any security incident, WBN conducts a review of what occurred, how our systems and processes responded, and what changes are needed to reduce the likelihood or impact of similar incidents in the future. Lessons learned from incidents — including near-misses that did not result in confirmed breaches — are fed back into our security improvement programme. We do not treat security incidents as something to be closed and forgotten. We treat them as information about where we need to do better.

WBN welcomes responsible disclosure of security vulnerabilities identified in our platforms and systems. If you have discovered what you believe to be a security vulnerability in any WBN platform, please report it promptly to security@wbnn.news. Please provide a clear description of the vulnerability, the steps required to reproduce it, and any relevant technical details. We will acknowledge your report promptly, investigate it seriously, and keep you informed of the outcome. We do not take legal action against good-faith responsible disclosure.

WBN's platform architecture is designed with resilience as a requirement — including redundant systems, geographically distributed infrastructure where appropriate, and failover capabilities that allow services to continue or be rapidly restored when individual components fail. We do not operate single points of failure in critical systems where this can be avoided.

WBN maintains business continuity plans for significant disruptive events — covering technology failure, cyber incidents, natural disasters, and other scenarios that could affect our ability to operate. These plans define how critical functions are maintained or restored, who is responsible for what during a disruption, and how we communicate with affected parties when normal service is unavailable.

Business continuity and disaster recovery capabilities are tested periodically to confirm that they work as designed and that our teams can execute them effectively under pressure. Plans are reviewed and updated following tests, following actual incidents, and whenever significant changes to our systems or operations occur.

The security threat landscape does not stand still. New attack techniques emerge, new vulnerabilities are discovered, new technologies introduce new risks, and the scale and nature of WBN's own operations change over time. Effective information security requires continuous evaluation, adaptation, and investment — not a fixed set of controls applied indefinitely.

WBN is committed to reviewing and strengthening its security practices on a continuous basis — through regular security assessments, monitoring of the evolving threat environment, evaluation of new protective technologies, and learning from our own experience and that of the broader security community. This statement will be updated when our security approach materially changes, and we will communicate significant changes through our platforms.

This Data Security Statement was last reviewed and updated on June 28, 2026. The "Last Updated" date at the top of this document will reflect any subsequent revisions. Previous versions are available on request.