AGIMUS

TECHNOLOGIES

Login

AGIMUS TECHNOLOGIES INC.

DATA SECURITY & PRIVACY POLICY

Version 1.0
January 2025

EXECUTIVE SUMMARY

This policy establishes the data security and privacy framework maintained by Agimus Technologies Inc. ("Agimus," "we," "our"). Our objective is to safeguard and properly manage all client and system data within our enterprise AI platform. Through structured controls, defined responsibilities, and robust technologies, we strive to protect data against unauthorized access, maintain its integrity, and ensure its availability.

SCOPE

This policy applies to all data processed, stored, or transmitted through Agimus Technologies' systems. It covers client data, system data, and internal operational data. The standards and procedures described herein extend to our entire technology infrastructure, business operations, and any stakeholders who handle or have access to sensitive information.

1. DATA GOVERNANCE FRAMEWORK

1.1 Data Classification Standards

Agimus classifies data into distinct categories to ensure appropriate handling and protection measures:

Client Data Assets

  • Business-Critical Data: Includes database contents, files uploaded to our platform, proprietary business logic, financial and operational records, and integration configurations.
  • Account Management Data: Comprises authentication credentials, access configurations, user permissions, and activity logs.

Platform Data Assets

  • Infrastructure Configuration: System credentials, service account settings, and API authentication keys. Only authorized personnel with a clear business need are granted access.
  • Operational Data: Performance metrics, system health indicators, usage analytics, and security logs, all regularly monitored to maintain high availability and detect anomalies.

2. SECURITY CONTROLS & STANDARDS

2.1 Data Encryption Protocol

Data at Rest
All data at rest is encrypted using industry-standard methods (e.g., AES-256) and protected by a robust Key Management Service (KMS) to ensure confidentiality. Clients can opt for customer-managed encryption keys (CMEK) if they prefer direct control over key management. Automated key rotation is performed to mitigate risks associated with key compromise.

Data in Transit
Agimus enforces TLS 1.3 for external communications to preserve confidentiality and integrity. End-to-end encryption is applied for data transfers, including secure tunnels for database connections. Certificate-based authentication is required for communication between our services, ensuring both endpoints are properly verified.

2.2 Access Control Framework

We adhere to a Zero Trust security model, granting access based on continuous verification rather than network location. Role-based access control (RBAC) is enforced alongside the principle of least privilege, guaranteeing that users only receive permissions necessary for their job functions. Multi-factor authentication (MFA) is mandatory for all users to reduce the likelihood of compromised accounts. Automated access reviews occur regularly to minimize risk and address changes in user roles.

3. OPERATIONAL SECURITY

3.1 Infrastructure Security

Agimus applies all critical and routine security patches, as well as system updates, in a timely manner. We use network segregation and micro-segmentation to reduce the impact of potential breaches. Cloud-based DDoS protection helps mitigate large-scale attacks, while continuous monitoring detects network anomalies and threats.

3.2 Application Security

Secure development lifecycle (SDLC) practices are embedded throughout product development to proactively address potential vulnerabilities. Agimus regularly conducts security assessments and penetration tests, complemented by automated vulnerability scans. In the event of a security concern, documented incident response procedures guide our actions in containment and resolution.

4. BUSINESS CONTINUITY

4.1 Data Backup Protocol

Our automated backup systems protect all data in backup storage with encryption. We maintain geographically redundant copies of critical data to mitigate the risk of localized disasters. Backup restoration tests confirm the reliability of these systems and alignment with both regulatory obligations and business needs.

4.2 Disaster Recovery

Agimus establishes a Recovery Time Objective (RTO) of four hours for critical systems and a Recovery Point Objective (RPO) of fifteen minutes for critical data. These targets help limit downtime and data loss. Documented recovery procedures outline the steps and responsibilities for restoring normal operations, and we conduct periodic testing to validate our readiness.

5. SECURITY MONITORING & REVIEW

5.1 Security Practices

All critical security configurations undergo routine reviews to confirm they remain effective and compliant with best practices. Access and usage logs are continuously monitored to detect suspicious behavior or anomalies, and changes to security measures, patches, and updates are thoroughly documented.

5.2 Internal Review

In addition to monthly configuration reviews, we regularly verify the completeness and integrity of backups. Any identified gaps or new risks prompt updates to our security practices, ensuring continuous adaptation to evolving threats and regulatory changes.

6. INCIDENT MANAGEMENT

6.1 Response Protocol

Agimus's incident classification system prioritizes security events based on severity, potential impact, and urgency. Clear response procedures guide containment, investigation, and remediation efforts. When applicable, we notify affected clients and produce post-incident analyses to strengthen our overall security posture.

6.2 Escalation Procedures

A 24/7 incident response team stands ready to handle escalations. Defined communication pathways enable swift engagement with stakeholders. Regular training and simulation exercises ensure that key personnel are prepared to address and resolve complex incidents promptly.

7. CLIENT DATA PROTECTION

7.1 Data Isolation

Client data is segregated using logical isolation mechanisms within our multi-tenant environment. Where necessary, clients can opt for dedicated deployment instances for additional separation. Regular testing confirms that isolation measures remain effective in preventing unauthorized cross-access between clients.

7.2 Data Lifecycle Management

Specific retention periods are defined for client data in accordance with legal requirements and contractual obligations. Secure destruction procedures ensure that data no longer required is irrecoverably removed. We also support data portability for clients, enabling secure transfers upon request. Periodic audits verify compliance with our lifecycle management processes.

8. THIRD-PARTY AGREEMENTS & CLOUD STORAGE

8.1 Agreements with Anthropic and OpenAI

Agimus partners with top AI providers such as Anthropic and OpenAI to offer advanced natural language processing services. Our formal agreements ensure:

  • Data Confidentiality: Both Anthropic and OpenAI commit contractually to protect client-related data processed through their platforms, prohibiting unauthorized use or disclosure.
  • Security Compliance: These providers adhere to industry standards (e.g., SOC 2, GDPR) and regulatory requirements.
  • Limited Data Retention: Data sent for AI processing is retained only as long as necessary to perform the service. Providers are restricted from using or storing client data beyond agreed-upon purposes.
  • Incident Notification: In any security event affecting Agimus-provided data, Anthropic and OpenAI must promptly inform us and collaborate on mitigation and resolution efforts.

8.2 Secure Storage on Google Cloud

Agimus stores client schemas, uploaded files, and other assets using Google Cloud's infrastructure. We leverage the following security measures:

  • Encryption at Rest: All data is encrypted with AES-256, managed via Google Cloud Key Management Service (or CMEK for clients wanting direct key management).
  • Robust Access Controls: A strict least-privilege policy governs access to cloud resources, supplemented by MFA for all privileged accounts.
  • Geo-Redundancy: Critical data resides in geographically separate data centers to ensure high availability and resilience.
  • Lifecycle & Monitoring: Retention and secure deletion procedures align with compliance requirements. Native logging and auditing tools track all access to cloud repositories, and any anomalies trigger immediate alerts.

CONTACT INFORMATION

For any questions or concerns related to this policy, please contact our Security Team:

Agimus Technologies Inc.
Email: security@agimus.ai

POLICY REVIEW

This policy is reviewed annually or updated more frequently if significant changes in technology, operations, or regulatory requirements occur.

Last Updated: January 30, 2025
Document Owner: Agimus Security Team