Data Security Policy

Ai360 Data Security Policy

Last Updated (15-07-2023)

In accordance with the Master License Agreement ("MLA"), Ai360 Systems Ltd (the "Licensor", "we", "us", "our") is committed to protecting the confidentiality, integrity, and availability of all data in its care. We value our Licensees’ privacy and are committed to ensuring that our services are secure, available and reliable.

We know that you trust us to protect your information and it is extremely important to us that security is a priority. Our organization is well staffed and adheres to carefully controlled workflows which ensure that all business is executed based on established security guidelines.

To this end, this Data Security Policy (the "Policy") describes the appropriate technical and organizational measures that the Licensor will implement to safeguard against unauthorized access, use, disclosure, alteration, or destruction of data, as well as ensure that data processing is in compliance with applicable laws and regulations.

The architecture of the Licensor’s software (the "Software") is designed around the goals of redundancy, security, and availability. Its security design relies on industry best practices such as encrypted transmissions, cross-site scripting prevention, firewalls, regular security updates, security scans, and vulnerability assessments to ensure the security of Licensee Data.

If you have discovered a security issue in the Software, please report it to us at: datasecurity@ai360insights.com

The Licensor reserves the right to modify or revise its measures and processes periodically, but it shall not significantly reduce the level of security as outlined in this Policy.

By using the Software, the Licensee signals that they understand, agree to the terms of, and will adhere to the stipulations outlined in this Policy.

1. Definitions

Unless otherwise defined below, all capitalized terms have the meaning given to them in the MLA.

1.1. "Data Breach" refers to an occurrence where security has been compromised, leading to unintended or illegal destruction, modification, unauthorized access, or disclosure of the Licensee Data.

1.2. "Licensee" shall mean the individual or entity that has agreed to the terms of this Agreement, signed a Software License Order Form (the "SLOF") and has been granted a License to use the Software, including any Authorized Users as specified in the MLA and the SLOF.

1.3. "Licensee Data" shall mean any data, information and/or content that the Licensee inputs, uploads and/or otherwise makes available through the Software.

1.4. "Personal Data" refers to any information in Licensee Data that identifies and/or makes it possible to identify a particular individual or household.

1.5. "Regulatory Body" refers to a regulatory or supervisory body or agency in any country.

2. Licensee Data

2.1. The Licensee warrants and represents that it has obtained all necessary rights and permissions to provide the Licensee Data to the Licensor.

2.2. The Licensor shall only process Licensee Data as required to fulfill its obligations under the MLA and the Licensee’s particular License within the terms of this Policy.

2.3. The Licensee is responsible for complying with all applicable laws and regulations related to the use of the Software provided by the Licensor.

2.4. The Licensee Data must not include the following types of information and the Licensee is not permitted to upload, store and/or transmit via the Software any data that falls within the following categories:

(a) sensitive personal data, and data prohibited for processing under Article 9 of GDPR (Processing of Special Categories of Personal Data)

(b) personal data of individuals under 16 years old,

(c) social security numbers, driver's license numbers, other government ID numbers,

(d) information subject to regulation or protection under the U.S. Gramm-Leach-Bliley Act, U.S. Privacy Protection Act, or similar foreign or domestic laws,

(e) data regulated by the Payment Card Industry Data Security Standards or other financial account numbers or credentials,

(f) information regulated by the U.S. Health Insurance Portability and Accountability Act (HIPAA),

(g) content that infringes on a third party's intellectual property rights.

2.5. Personal data that do not fall under the categories listed in clause 2.4 of this Policy and have been anonymized in accordance with applicable regulatory requirements may, however, be imported into the Software.

2.6. In the event that the Licensee Data contains Personal Data, both parties shall adhere to the requirements set forth in the Privacy Policy, which can be accessed at the URL:

https://www.ai360insights.com/privacy

2.7. The Licensee shall have the right to export its data from the Software at any time during the License Term.

2.8. The Licensor shall implement encryption measures to protect Licensee Data that resides in or transits to or from the Software.

2.9. To ensure transparency and accountability, the Licensor shall maintain logs of administrator and operator activity, as well as data recovery events. These logs shall be regularly reviewed to identify, address and remedy any potential security issues.

2.10. Within 60 days of the termination of the License Term, Licensor shall delete all Licensee Data that is not required to be retained by law. Licensee Data that is retained shall be managed in accordance with the terms of this Policy and the Privacy Policy (where applicable).

3. Licensee Data Security Program

3.1. To ensure the protection of the Licensee Data and prevent Data Breaches, the Licensor shall establish and maintain a comprehensive data security program.

3.2. The program shall include physical, technical, management and administrative controls and shall comply with global industry standards.

3.3. The program shall take into consideration all the types of data processed by the Licensor in general, and the specific data processed by the Licensee in particular.

3.4. To ensure the effectiveness of the data security program, the Licensor shall regularly review it, and both internal and external assessors must conduct the same review whenever significant changes occur.

3.5. These confidentiality and data security procedures shall be made available to all the Licensor’s employees and will be reviewed and updated at least once annually.

3.6. All Licensor’s employees must accept these policies and procedures upon employment by the Licensor.

3.7. Where and as applicable, the Licensor shall apply procedures for backing up and attempting to recover the Licensee data in the event of a Data Breach.

4. Data Security & The Workforce

4.1. The Licensor shall ensure that all personnel are bound by written confidentiality contracts and are informed of the consequences of violating such obligations. Namely, they will be subject to disciplinary action, including but not limited to termination of employment.

4.2. In order to foster an environment of Data Security and appropriate employee behavior with regard to the Licensee Data and its security, the Licensor ensures that mandatory data security and privacy training is provided to the employees during the initial phase of their employment, and periodically throughout the lifetime of their work for the Licensor.

4.3. Licensor shall ensure that access to Licensee Data by the Licensor’s organization is restricted only to personnel who require access to provide the Software. To this end:

(a) The Licensor shall maintain a record of authorized personnel with access rights to the Licensee Data and shall review these rights at regular intervals.

(b) The Licensor shall implement controls to prevent personnel gaining access rights beyond the scope of what is in such records.

(c) Licensor shall promptly suspend and/or terminate access rights to the Licensee Data for the Licensor’s personnel reasonably suspected of breaching any provisions of this Policy.

5. Physical Data Security Measures

5.1. To ensure the security of the Data Centers and Server locations, access shall be restricted to authorized individuals only.

5.2. The Licensor shall develop and maintain a system for managing such access, which includes unique identification credentials for each individual and restricted entry points to the facility.

5.3. To further enhance security, the Licensor shall either employ building security personnel or CCTV monitoring for all entryways to such facilities. Furthermore, these entryways shall also be access controlled at all times in order to limit unauthorized access.

5.4. To protect against unauthorized access to the Licensor’s server rooms, the Licensor shall implement badge entry access controls. Access shall be restricted only to authorized personnel with appropriate clearance and identification credentials.

5.5. To prevent loss of data due to systems interference and/or power supply outages and failures, the Licensor shall establish and implement appropriate measures. These measures shall be designed to protect against potential threats and include backup power sources, surge protectors and data redundancy protocols.

6. Secure Access Controls

6.1. Licensor shall implement access control mechanisms to prevent unauthorized access to the Licensee Data and systems that have access to Licensee Data. These access control mechanisms will include but are not limited to:

(a) Secure access protocols and software, such as firewalls and VPNs, to enforce correct access in the internal network environment.

(b) Complex user passwords with length, complexity and non-repeatability requirements for users attempting to access the Software will be enforced.

(c) Ensuring that deactivated and/or expired login credentials are not granted to other individuals.

(d) Monitoring repeated failed attempts to gain access to the Software and locking out user accounts after five failed authentication attempts.

(e) Making two-factor authentication available for user accounts.

6.2. The Licensor shall ensure that all Licensee Data residing in or transiting to or from the Software is encrypted. To enforce this, Licensor will:

(a) Use HTTPS (TLS 1.2/AES-256) encryption for Licensee Data in transit.

(b) Encrypt Licensee Data at rest using industry-standard encryption algorithms.

(c) Protect encryption keys and ensure their secure storage and transmission.

(d) Implement proper key management procedures, including key rotation and revocation.

6.3. The Licensor shall take measures to secure the network environment where Licensee Data is stored and transmitted. These measures will include but are not limited to:

(a) Keeping the Software up to date with the latest security patches and updates.

(b) Configuring firewalls to prevent unauthorized access to the network.

(c) Using network segmentation to limit access to Licensee Data.

(d) Monitoring network traffic to detect and prevent unauthorized access to Licensee Data.

(e) Implementing intrusion detection and prevention mechanisms.

6.4. The Licensor shall maintain logs of administrator and operator activity and data recovery events. To enforce this, the Licensor will:

(a) Enable and maintain system logs that capture information about user activity and system events related to Licensee Data.

(b) Review system logs regularly to detect suspicious activity and security events.

(c) Monitor system logs for signs of unauthorized access to Licensee Data.

(d) Configure system logs to retain data for a period of at least six months.

7. Data Breaches

In order to ensure a timely and efficient response to a potential Data Breach, the Licensor shall take the following actions:

7.1. Notify the Licensee as soon as possible, after the Licensor becomes aware of a Data Breach.

7.2. Offer support and relevant information to the Licensee upon their reasonable request in order to enable the Licensee to investigate, lessen the impact of, and correct the Data Breach. This may involve providing technical guidance and recommendations to mitigate the effects of the breach, as well as ensuring compliance with any relevant legal obligations.

7.3. Refrain from mentioning and/or disclosing the identity of the Licensee when notifying a third party about a Data Breach, unless it is mandated by applicable law. Additionally, it is the Licensor’s responsibility to take all necessary measures to safeguard the confidentiality and privacy of the Licensee and its Authorized Users.

7.4. Retain appropriate information and records about any Data Breach for a reasonable period of time, in compliance with all applicable legal and regulatory requirements.

8. System Development & Monitoring

In order to promote a secure development environment and effective monitoring of the Software’s systems, the Licensor undertakes to:

8.1. Maintain policies and procedures for testing and monitoring their environments according to industry standard methods.

8.2. Have a threat management program in place to address all threats, whether malicious or non-malicious. Any identified issues must be investigated and reviewed regularly.

8.3. The Licensor should have policies for secure development, control over any changes made to the Software and support regarding the proper functionality of the Software.

8.4. The Licensor must conduct appropriate security tests as part of the process to allow for any new development to become an integrated part of the Software.

8.5. The Licensor must supervise and monitor any outsourced system development.

Ai360 Systems Ltd OMONOIAS 47A, 3052, LIMASSOL, CYPRUS