Vaultody Data Security Policy

2.1 Physical Security Measures

2.1.1 Data Center Facilities

Vaultody relies on reputable cloud data center providers that implement strong physical security controls. These may include:

• Multi‑zone security with controlled access points and visitor management.
• Physical perimeter protection such as guarded gates, fencing and barriers.
• Mantraps, biometric readers, and electronic access cards for entry.
• Continuous CCTV monitoring and on‑site security personnel.
• Fire detection and suppression systems, both localized and facility‑wide.

2.1.2 Systems, Machines and Devices

Systems and devices that process or store Customer Data are protected by:

• Physical protection mechanisms appropriate to their risk level.
• Entry controls to restrict access to authorized staff and service providers.

2.1.3 Media Handling and Destruction

Vaultody and its cloud providers apply industry-standard media protection practices, including:

• Secure destruction of sensitive materials before disposal or reuse of media.
• Use of secure storage (for example, safes) for damaged drives pending destruction.
• Verified physical destruction of decommissioned hard disks containing Customer Data.

2.2 Technical Security Measures

2.2.1 Access Administration

Technical access to the Subscription Service by Vaultody personnel is controlled through strong authentication and authorization mechanisms:

• User authentication is required to access production and staging environments.
• Access rights are granted based on job responsibilities and the “least privilege” principle.
• Access is promptly revoked when employment or a contractor relationship ends or when no longer needed.
• Production infrastructure uses appropriate account and password controls, including:
  • Virtual private network (VPN) or equivalent secure channels where required.
  • Complex password requirements and password expiration policies.
  • Multi‑factor authentication for administrative access.

2.2.2 Logging and Monitoring

Vaultody centrally collects and stores logs from production infrastructure. These logs are protected from tampering and are monitored by trained security personnel to detect anomalous or suspicious activity.

2.2.3 Network Security and Firewalls

An industry‑standard firewall architecture is used to protect Vaultody systems. Firewalls inspect inbound connections directed to the Vaultody environment and enforce network‑level access control policies.

2.2.4 Vulnerability and Patch Management

Vaultody operates a vulnerability management process that includes:

• Periodic independent security risk assessments to identify critical assets, threats and vulnerabilities.
• Tracking and remediation of identified vulnerabilities according to their severity.
• Obtaining vendor security patches and updates for relevant software.
• Testing patches to confirm compatibility and safety prior to deployment.
• Timely application of tested patches in production systems in line with Vaultody’s standard operating procedures.

2.2.5 Malware Protection

Where appropriate, Vaultody uses anti‑virus, anti‑malware and anti‑spyware solutions. These tools are updated regularly, and events are centrally logged to help validate their effectiveness.

2.2.6 Change Management

Changes to platforms, applications and production infrastructure follow a formal change control process. Changes are assessed for risk, tested as appropriate and documented before being implemented.

2.3 Administrative Security Measures

2.3.1 Data Center Oversight

Vaultody periodically reviews each cloud data center provider to confirm that appropriate security controls are maintained in line with this Security Program.

2.3.2 Personnel Security

Where permitted by applicable law, Vaultody conducts background screening (and, where relevant, drug screening) for employees and contractors who may access Customer Data, in accordance with Vaultody’s internal procedures.

2.3.3 Security Awareness and Training

Vaultody maintains an ongoing security awareness program. Personnel receive security training at the time of hire and periodically thereafter, with content aligned to their role and responsibilities.

2.3.4 Vendor Risk Management

Third‑party vendors that access, store, process or transmit Customer Data are assessed through Vaultody’s vendor risk management program. Vaultody evaluates these vendors for appropriate security and business controls before and, as appropriate, during use.

3.1 Cloud Hosting, Encryption and Backup

Vaultody hosts customer instances on a cloud‑based infrastructure and applies multiple layers of data protection:

• All HTTP traffic between the Customer and the Subscription Service is encrypted using TLS 1.3 certificates issued by the cloud provider.
• Internal service‑to‑service communication between Vaultody applications is also protected with TLS 1.3 certificates.
• Vaultody uses private cloud networks, and services that store highly sensitive information are not exposed directly to the public internet.
• Customer Data in transit is routed through encrypted channels (e.g., TLS / SSL).

To support data durability and availability, Vaultody:

• Performs automated snapshot backups of Customer Data on a daily basis.
• Maintains full backups on at least a weekly basis.
• Relies on cloud‑provider backup and restore features to implement and test backup and recovery workflows.

3.2 Operational Continuity for Support

If an emergency makes the primary customer support phone system unavailable, incoming calls are routed to an answering service. That service can transfer calls to an available Vaultody support representative located in another geographic region, helping maintain continuity of customer support operations.

4.1 Security Incident Monitoring and Response

Vaultody monitors for security incidents affecting the Subscription Service and responds in accordance with internal incident response procedures. Depending on the nature and severity of an event, Vaultody’s security team escalates and engages relevant response teams to investigate, contain, eradicate and recover from the incident.

4.2 Data Breach Notification

If Vaultody determines that there has been a confirmed unauthorized acquisition, access, use, disclosure or destruction of Customer Data (a “Breach”), Vaultody will:

• Notify the Customer’s designated security contacts without undue delay, unless a law enforcement agency lawfully requires a delay.
• Provide initial notice through the customer support portal or other agreed communication channel.
• Take reasonable measures to contain and mitigate the impact of the Breach.
• Implement reasonable corrective actions intended to reduce the likelihood of future similar incidents.
• Provide additional information about the nature and consequences of the Breach as it becomes available, to the extent permitted by law and reasonably requested by the Customer, so that the Customer can meet any notification obligations to affected individuals, regulators or credit bureaus.

4.3 Customer Cooperation

The Customer agrees to cooperate with Vaultody in the event of a security incident or Breach, including by:

• Maintaining accurate and up‑to‑date contact details in Vaultody’s customer support portal.
• Providing information reasonably requested to help investigate and resolve an incident.
• Supporting efforts to identify root causes and prevent recurrence where Customer environments or configurations are involved.

6.1 Product Security Capabilities

The Subscription Service provides built‑in features to help customers secure their environments, including:

• User authentication mechanisms before access is granted.
• Secure storage and encryption of user passwords.
• Options for customers to manage passwords and access credentials.
• Blocking access for deactivated or disabled user accounts.

Customers manage each user’s access and permissions by assigning appropriate credentials and user types within the Subscription Service.

6.2 Customer Responsibilities

Vaultody provides the secure cloud environment, MPC engine, and platform capabilities that allow the Customer to process Customer Data within the Subscription Service. Customers retain certain responsibilities, including but not limited to:

• Using column‑level encryption functionality and access‑control features for any data that is sensitive (for example, credit card numbers, bank details, social security or national identification numbers, health information, and other special‑category personal data).
• Recognizing that choosing not to encrypt sensitive fields is a Customer decision and that the Customer is solely responsible for the consequences of that decision.
• Protecting the confidentiality of all user logins, passwords, API keys and other credentials.
• Reviewing and managing user access rights regularly and removing access promptly when no longer required.

Vaultody protects all Customer Data hosted in its cloud infrastructure in accordance with this Data Security Policy, regardless of how the Customer classifies such data.

6.3 Customer Cooperation on Upgrades

From time to time Vaultody may identify application upgrades or configuration changes that are necessary to maintain the security, performance or availability of the Subscription Service. Customers agree to apply such upgrades or changes within a reasonable timeframe or as otherwise specified by Vaultody.

6.4 Scope and Limitations

Vaultody’s obligations under this Data Security Policy apply only to systems, networks, devices, facilities and components that Vaultody controls. This Policy does not apply to:

• Information shared with Vaultody that is not stored within the Subscription Service or Vaultody‑controlled systems.
• Data transmitted through or stored solely within the Customer’s virtual private network (VPN) or any third‑party network outside Vaultody’s control.
• Any data that the Customer or its users process, store or transmit in violation of the Agreement or this Data Security Policy.