This Security Policy describes how DataNXT GmbH (also referred to as "DataNXT", "we" or "us") will ensure your data and your clients' data are secure when you interact with us or use the services on our platform or those of our affiliates, including our application programming interface, software, tools, developer services, data, documentation and websites ("Services").
This Security Policy is part of your Agreement with DataNXT. Any capitalized terms used but not defined in this Security Policy have the meaning set forth in the Terms. The computing services utilized to offer the DataNXT Platform will be cloud-based and provided to DataNXT via one or more cloud service providers and represent our "Cloud Environment."
1. Audits and Certifications
1.1 Third-Party Security Audits
The information security management system used to provide the Service will be assessed by independent third-party auditors as described in the following audits and certifications ("Third-Party Audits") on not less than an annual basis:
- ISO 27001: DataNXT is committed to achieving ISO 27001:2022 certification and will be audited by an independent firm to confirm compliance with ISO 27001 requirements.
- SOC 2 Type II: DataNXT will undergo annual SOC 2 Type II audits to validate our security controls for security, availability, processing integrity, confidentiality, and privacy.
- GDPR Compliance: Regular assessments to ensure full compliance with the General Data Protection Regulation and other applicable data protection laws.
1.2 Audit Availability
Third-Party Audits will be made available to You as described in Section 8.1.
1.3 Framework Updates
To the extent that DataNXT decides to discontinue a Third-Party Audit, DataNXT will adopt an equivalent, industry-recognized framework.
2. Hosting Location of Customer Data
2.1 EU Data Hosting
Customer Data will be hosted by DataNXT in data centers located in the European Union.
2.2 Vendor Data Processing
Any Customer Data that is processed by DataNXT's vendors will similarly be restricted to being located in the EU or be fully compliant with GDPR and other applicable data protection regulations.
3. Data Encryption
3.1 Encryption Standards
DataNXT encrypts Customer Data at rest using AES 256-bit (or better) encryption. DataNXT uses Transport Layer Security 1.3 (or better) for Customer Data in transit over untrusted networks.
3.2 Key Management
With respect to encryption keys, we regularly rotate encryption keys and utilize hardware security modules to safeguard critical security keys. DataNXT logically separates encryption keys from Customer Data to ensure maximum security.
4. System and Network Security
4.1 Access Control
DataNXT personnel access our Cloud Environment using a unique user ID, consistent with the principle of least privilege. Access requires a secure connection, multi-factor authentication, and passwords meeting or exceeding reasonable length and complexity requirements.
4.2 Data Access Restrictions
DataNXT personnel will not access Customer Data except (i) to provide or support the Service or (ii) to comply with the law or a binding order of a governmental body.
4.3 Endpoint Security
When accessing our Cloud Environment, our personnel will use devices protected by security controls that include encryption, endpoint detection and response tools that monitor and alert for suspicious activities and malicious code, and vulnerability management as described in Section 4.7.
4.4 Network Protection
DataNXT shall protect its Cloud Environment using at least industry-standard firewall and security practices, including next-generation firewalls and intrusion detection and prevention systems.
4.5 Threat Detection
Our Cloud Environment leverages industry-standard threat detection tools with daily signature updates, which are used to monitor and alert for suspicious activities, potential malware, viruses and/or malicious computer code (collectively, "Malicious Code"). DataNXT does not monitor Customer Data or Input for Malicious Code.
4.6 Penetration Testing
DataNXT engages independent third parties to conduct penetration tests of the Service at least annually. Summary results of such penetration tests can be made available to You as described in Section 8.1 at your request.
4.7 Vulnerability Management
Vulnerabilities meeting defined risk criteria trigger alerts and are prioritized for remediation based on their potential impact to the Service. Upon becoming aware of such vulnerabilities, DataNXT will use commercially reasonable efforts to address private and public critical and high vulnerabilities within 30 days, and medium vulnerabilities within 90 days.
5. Administrative Controls
5.1 Security Training
DataNXT maintains security awareness and training programs for its personnel, including at the time of onboarding and through regular ongoing training sessions.
5.2 Confidentiality and Reporting
DataNXT personnel are required to sign confidentiality agreements and are required to acknowledge responsibility for reporting security incidents involving Customer Data.
5.3 Access Reviews
DataNXT reviews the access privileges of its personnel to the DataNXT Cloud Environment at least annually, and removes access on a timely basis for all separated personnel.
5.4 Vendor Security
DataNXT ensures that any of its vendors that process Input or Customer Data maintain security measures consistent with our obligations under this Security Policy.
6. Physical Data Center Controls
6.1 Cloud Service Provider Controls
Our Cloud Environment will be maintained by one or more cloud service providers. We ensure that our cloud service providers' data centers have appropriate controls as audited under their third-party audits and certifications. Each cloud service provider shall hold an annual SOC 2 Type II audit and ISO 27001 certification, or industry-recognized equivalent frameworks. Such controls include:
- Physical access to facilities is controlled at building ingress points
- Visitors are required to present ID and must be signed in
- Physical access to servers is managed by access control devices
- Physical access privileges are reviewed regularly
- Facilities utilize monitoring and alarm response procedures
- Facilities utilize CCTV surveillance systems
- Facilities have adequate fire detection and protection systems
- Facilities have adequate back-up and redundancy systems
- Facilities have appropriate climate control systems
6.2 Office Security
DataNXT maintains offices primarily for corporate and development purposes. Under no circumstances is Customer Data stored or hosted at such offices.
7. Incident Detection and Response
7.1 Security Incident Notification
If DataNXT becomes aware of a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data (a "Security Incident"), DataNXT shall notify You without undue delay, and in any case, within 72 hours after becoming aware. You will be notified at the security notice email address indicated on your currently operative order form or as otherwise determined appropriate by DataNXT.
7.2 Incident Response
In the event of a Security Incident as described above, DataNXT shall promptly take reasonable steps to contain, investigate, and mitigate the Security Incident. Any logs determined to be relevant to a Security Incident shall be preserved for at least one year.
7.3 Incident Communication
DataNXT shall provide You with timely information about the Security Incident, including the nature and consequences of the Security Incident, the measures taken and/or proposed by DataNXT to mitigate or contain the Security Incident, the status of our investigation, and a contact point from which additional information may be obtained. Notwithstanding the foregoing, Customer acknowledges that because DataNXT personnel may not have visibility to the content of Customer Data, it may be the case that we are unable to provide detailed analysis of the type of Customer Data impacted by the Security Incident. Communications in connection with a Security Incident shall not be construed as an acknowledgment by DataNXT of any fault or liability with respect to the Security Incident.
8. Customer Rights and Shared Responsibility
8.1 Audit Rights
Upon request, and at no additional cost to Customer, DataNXT shall provide Customer, and/or its appropriately qualified third-party representative (collectively, the "Auditor"), access to reasonably requested documentation evidencing our compliance with our obligations under this Security Policy in the form of, as applicable, (i) a copy of our progress towards ISO 27001 certification, (ii) a summary of the results of our most recently completed penetration test, and (iii) data flow diagrams for the Service (collectively with Third-Party Audits, "Audit Reports"). Where an Auditor is a third party, such third party will be required to execute a separate confidentiality agreement with DataNXT prior to any audit, Pen Test, or review of Audit Reports, and DataNXT may object in writing to such third party if, in DataNXT's reasonable opinion, the third party is not suitably qualified. Any such objection will require You to appoint another third party or conduct such audit, Pen Test, or review Yourself. DataNXT is not responsible for any expenses incurred by an Auditor in connection with any review of Audit Reports, or an audit or Pen Test.
8.2 Customer Data Responsibility
It is the Customer's responsibility to ensure that it is authorized to use any Input or Customer Data with the Service and that Your usage complies with relevant legal and regulatory obligations.
8.3 Credential Management
You are responsible for managing and protecting Your credentials to access the Service. User credentials must be kept confidential and may not be shared with unauthorized parties. You must promptly report any suspicious activities related to Your account(s) (such as when You reasonably believe that credentials have been compromised).
8.4 System Maintenance
You are responsible for keeping Your relevant IT systems (such as the browser You use to access the Service) up-to-date and appropriately patched.
9. Data Protection and Privacy
9.1 GDPR Compliance
DataNXT is committed to full compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws. Our security measures are designed to support our privacy obligations and protect the rights of data subjects.
9.2 Data Processing Agreements
Where DataNXT acts as a data processor, we will enter into appropriate data processing agreements with our customers that comply with applicable data protection laws and clearly define the roles and responsibilities of each party.
9.3 Privacy by Design
Our security architecture incorporates privacy by design principles, ensuring that data protection is built into our systems and processes from the ground up.
10. Continuous Improvement
10.1 Security Monitoring
DataNXT continuously monitors and improves our security posture through regular assessments, threat intelligence, and industry best practice adoption.
10.2 Policy Updates
This Security Policy will be reviewed and updated regularly to reflect changes in our security practices, regulatory requirements, and industry standards.
11. Contact Information
If you have any questions about our Security Policy or security-related issues, please contact us at:
Security Contact:
Email: security@datanxt.de
General Contact: info@datanxt.de
DataNXT GmbH
Theodor-W.-Adorno-Platz 1
60629 Frankfurt am Main
Goethe-Universität Frankfurt am Main
Germany