
Terms & Conditions

Software as a Service

Terms

  1. Definitions

    1. Account – the central means of access to the Platform.

    2. Agreement – the legally binding contract between the Client and the Company consisting of Terms, Service Level Agreement, Data Processing Agreement, Technical and Organisational Measures, and Platform Security.

    3. Client – an entity subscribed to the Platform, obtaining services from the Company.

    4. Company – Inspectly Holdings OÜ, registry code 16608614, providing the Platform as defined in these Terms.

    5. General Terms – all of the terms and conditions contained herein and all other operating rules, policies, established good practices, guidelines, and procedures that may be published from time to time by the Company or otherwise made available on or through the Platform.

    6. Platform – the food inspection platform together with the services provided via the platform (available at https://www.inspectle.online/).

    7. Pricing Plan – subscription terms and fees provided on the Platform (https://www.inspectle.online/pricing-plans).

    8. Trial Period – if the Client has agreed upon a trial period, the details of which may be provided in the Pricing Plan, they may use the Platform free of charge during the agreed-upon period.

  2. Conditions of Platform use

    1. Subject to all limitations and restrictions contained herein, the Company grants the Client a non-exclusive and non-transferable subscription right to access and use the Platform as hosted by the Company in accordance with the Agreement.

    2. The Client understands and agrees that the Company uses third-party vendors and hosting partners to provide the necessary hardware, software, networking, storage, and related technology required to run the Platform.

    3. The Client may not sell, modify, re-use, re-sell, distribute, reproduce or make any other use of the Platform unless otherwise agreed upon between the Parties.

    4. The Client may not reverse engineer, decompile or disassemble the Platform or modify another website so as to falsely imply that it is associated with the Platform.

    5. No ownership or exclusive copyrights to the Platform are granted to the Client through the Client's use of the Platform.

    6. The Client grants the Company the right to display the Client’s name and/or trademark in the Company’s sale and marketing materials.

    7. The Client understands that the Company reserves the right to suspend the Client’s access to the Platform if the Client is in delay with payment of an invoice for more than 30 (thirty) calendar days.

    8. The Client understands that the Company reserves the right to not enter into an agreement or to suspend or terminate both the Agreement and the Client’s access to the Platform, if the Client uses the Company’s products on websites or via other technical measures which the Company considers to be illegal, against good morals, or against good practice.

  3. Account

    1. The Client shall retain ultimate administrative control over their Account.

    2. The Client is responsible for keeping the Account secure while using the Platform. The Client is responsible for all data uploaded and all activity that occurs under the Account. The Client is responsible for maintaining the security of the Account and its password. The Company cannot and will not be liable for any loss or damage from the Client's failure to comply with this obligation. The Client will promptly notify the Company if the Client becomes aware of any unauthorized use of, or access to, the Platform through the Account, including any unauthorized use of the password or the Account.

  4. Confidentiality

    1. The parties shall maintain and keep confidential and shall not disclose directly or indirectly to any third party the other party’s Confidential Information (as defined below) and shall prevent third parties’ access to such information (hereinafter Confidentiality Obligation). The Confidentiality Obligation includes the prohibition to use confidential information for any other purposes than the provision and receipt of the Platform. The Confidential Information shall mean all information (including oral and visual information, information recorded in writing or electronically, or in any other medium or by any other method) related to a party or to a company belonging to the same group as that party (hereinafter a party and companies belonging to the same group referred to as Group Company), inter alia, including:

      1. the Agreement and any other internal regulations and/or documents of any of the Group Companies.

      2. all the data and documentation related to the businesses and clients of the Group Company, including client information and databases, financial information, any information about the methods of cost estimation, volumes of any of the Group Company’s purchase or sales activities, market shares, business partners, marketing plans, cost and price structuring, sales strategies, development of the Platform, information about commercial and other agreements (including the economic situation, accounting information, structure, internal administration and data about the shareholders), information affecting the work of management bodies, business plans, budgets, etc.;

      3. IT systems and software belonging to or licensed by the Group Companies; usernames and passwords issued or generated for the use of such IT systems or software;

      4. any other information about the business activities of the Group Companies, the disclosure of which may affect any of the Group Companies in a negative manner or any information which a party might reasonably expect that a Group Company would regard as confidential.

    2. In case of any reasonable doubt, whether the particular information shall be treated as confidential and whether and to what extent it might be disclosed to third parties, the parties shall consider such information as Confidential Information.

    3. The relevant Group Company remains the owner of the Confidential Information, regardless of any disclosure of the same. A disclosing party may at any time request that the receiving party returns any media containing Confidential Information.

    4. The Confidentiality Obligation shall remain effective for an indefinite term after the termination of the Agreement due to whatever reason.

  5. Intellectual Property rights

    1. Intellectual property under the meaning provided in this Agreement includes inventions, designs, processes, formulae, databases, algorithms, improvements, know-how, logos, marks, plans, models, mask designs and graphic displays, photographs, digital and other artworks, all copyright works, and in relation to the software particularly and without limitation, the source code and architecture of the software and trade secrets including details of performance or design of the Platform or any part of the Platform.

    2. All intellectual property rights to the components of the Platform, any upgrade of the software and in all additions, corrections, and improvements thereto, and in any other proprietary software made available by the Company to the Client will at all times remain the property of the Company. The parties acknowledge that the Client shall not receive any intellectual property rights to the components of the Platform.

  6. Payment

    1. The fees applicable to the provision of the Platform will be provided in the Pricing Plan. The Client can choose the Pricing Plan and the invoicing shall be automated, according to the selected Pricing Plan. Access to the Platform shall be granted after the Company has received due payment from the Client to its bank account.

  7. Disclaimer of Warranties

    1. The Company provides the Platform on an “as is” and “as available” basis, without warranty of any kind. Without limiting this, the Company expressly disclaims all warranties, whether express, implied or statutory, regarding the Platform, including without limitation any warranty of merchantability, fitness for a particular purpose, title, security, accuracy and non-infringement.

  8. Limitation of Liability

    1. All claims related to the performance of the Agreement must be submitted to the other party without undue delay in a format that can be reproduced in writing.

    2. A party has the right to demand compensation from the other party for damages caused by breach or non-performance of their obligations under the Agreement, unless these Terms provide otherwise or unless the parties have explicitly agreed otherwise in a format that can be reproduced in writing.

    3. The Client understands and agrees that the Company will not be liable to the Client or any third party for any loss of profits, use, goodwill, or data, or for any incidental, indirect, special, consequential or exemplary damages, however arising, that result from

      1. the Client's use or inability to use the Platform;

      2. any modification, price change, suspension or discontinuance of the Platform;

      3. the Platform generally or the software or systems that make the Platform available;

      4. unauthorized access to or alterations of the Client's transmissions or data;

      5. any other matter relating to the Platform.

    4. The Company's liability is limited whether or not the Company has been informed of the possibility of such damages, even if a remedy set forth in the Agreement is found to have failed its essential purpose. The Company will have no liability for any failure or delay due to matters beyond the Company's reasonable control. However, the maximum liability of the Company is limited to the amount that is equal to the amount the Client paid to the Company in the course of the previous three months from the occurrence of the event that resulted in the Company's liability.

    5. All liabilities arising out of or related to this Agreement shall be exclusively defined, governed, and limited by the terms set forth in the Service Level Agreement (SLA) executed between the parties. The parties expressly acknowledge and agree that the SLA, which is annexed hereto and made a part hereof, contains specific provisions related to liabilities, including but not limited to, representations, warranties, remedies, and limitations of liability. In the event of any inconsistencies or conflicts between the terms of this Agreement and the SLA concerning liability, the terms of the SLA shall prevail.

    6. The parties shall not be liable for breach or non-performance of their obligations under the Agreement if it has been caused by force majeure. If the effect of force majeure is temporary, non-performance is excused only for the period during which force majeure impeded the performance of the obligation. Force majeure events are unforeseeable circumstances which the party, who has violated the obligation, is unable to control and the prevention of which by the same cannot be expected proceeding from the principle of reasonableness. Examples of force majeure include but are not limited to severe acts of nature, war, riot, acts of terrorism, the activities of public authorities (e.g. the state, local government) and other circumstances independent of the parties (e.g. strike, the general failure of the computer system, failure of communications lines or power failure, denial-of-service attack).

  9. Release and Indemnification

    1. The Client indemnifies, defends, and holds Company harmless from and against any and all claims, liabilities, and expenses, including attorneys' fees, arising out of the Client's use of the Platform, including but not limited to the Client's violation of the Agreement, provided that the Company (1) promptly gives the Client written notice of the claim, demand, suit or proceeding; (2) gives the Client sole control of the defense and settlement of the claim, demand, suit or proceeding (provided that the Client may not settle any claim, demand, suit or proceeding unless the settlement unconditionally releases Company of all liability); and (3) provides to the Client all reasonable assistance, at the Client's expense.

  10. Term and termination

    1. This Agreement is concluded for an indefinite period. Either Party may terminate the Agreement by giving 30 calendar days’ notice.

    2. The Company is entitled to terminate the Agreement without prior notice in cases where Client breaches this Agreement, any applicable laws or regulations, or harms the Company’s brand, reputation or business.

    3. During the Trial Period, the Client may terminate this Agreement without prior notice and without cause.

    4. Termination of the Agreement does not release the Parties from their outstanding obligations arising from the Agreement and does not affect the rights or remedies of a party arising out of breach of the Agreement.

  11. Miscellaneous

    1. The Agreement between the Client and the Company and any access to or use of the Platform is governed by the laws of the Republic of Estonia, except for the conflict of laws rule. All disputes arising from the Agreement or the use of the Platform shall be settled via negotiations. If an amicable settlement cannot be reached, the dispute shall be finally settled in accordance with the laws of the Republic of Estonia, in Harju County Court in Tallinn.

    2. The Client may not assign or delegate any rights or obligations under the Agreement without the Company's prior written consent, and any unauthorized assignment and delegation by the Client is void.

    3. All provisions of the Agreement which by their nature should survive termination will survive termination, including, without limitation, ownership provisions, confidentiality obligations, warranty disclaimers, indemnity and limitations of liability.

    4. The Company communicates with the Client in an electronic form via the contact person and/or email address the Client has submitted. Urgent informational messages may be communicated by phone but shall be repeated via email at the latest on the next working day. The Client agrees that all agreements, notices, disclosures, and other communications that the Company provides to the Client electronically satisfy any legal requirement that those communications would satisfy if they were on paper. The Client undertakes to notify the Company immediately of a change in the submitted contact details.

    5. If any provision of the Agreement is held invalid or unenforceable, the remaining provisions will remain in full force and effect. Any failure on the part of the Company to enforce any provision of the Agreement will not be considered a waiver of the Company’s right to enforce such provision.

  12. Changes to these Terms

    1. The Company reserves the right, at its sole discretion, to amend these General Terms at any time and will update these Terms in the event of any such amendments. The Company will notify the Client of minor changes to the Terms at least 30 calendar days prior to the change taking effect by notifying the Client via email. For material modifications, the Parties shall enter into negotiations. For the avoidance of doubt, the modifications to the functionality of the Platform will not be deemed as material changes.


ANNEXES

ANNEX 1 – Service Level Agreement

ANNEX 2 – Data Processing Agreement

ANNEX 3 – Technical and Organisational Measures (TOM)

ANNEX 4 – Platform Security


ANNEX 1

Service Level Agreement

  1. Scope

    1. The Company shall provide the following Services to the Client:

      1. the Inspectle Food hygiene inspection software, including the web platform and mobile software;

      2. manned telephone support;

      3. monitored email support;

      4. proactive real-time monitoring of the software;

      5. software troubleshooting;

      6. software and system version updates.

  2. Submitting requests for support

    1. Any problems with the Services or System should be immediately reported to the Company.

    2. Problems can be reported via email or in case of Blocking or Critical priority issues, via phone call to the support hotline during the standard support service hours.

  3. Availability

    1. Services will be available to the Client according to the following standard support service hours:

      1. Support hotline: standby/on request 8:00 - 17:00 (EET).

    2. The provision of Services outside of the standard support service hours will be agreed upon and priced on an on-demand basis.

    3. Company shall provide the Services in the Estonian and English languages.

  4. Prioritisation, response and resolution deadlines

    1. The Company shall handle the problems according to the priorities and resolution deadlines as indicated below:


    2. The response and resolution deadlines shall be calculated from the receipt of the notification. If the notification is sent outside the standard support service hours, the response and resolution deadlines shall be calculated from the time the standard support service is available to the Client.

    3. The Client is aware that some of the requests may require further investigation and/or internal escalation by Company technical specialists. The resolution of such issues may be dependent on the availability of the diagnostics information from the Client and the Client shall cooperate with the Company to ensure timely resolution of issues and problems. In this case, the Company shall monitor events at every stage throughout the diagnostic process and keep the Client informed of the progress.

  5. Violation of Service Availability

    1. In the event of the Company indisputably violating any of the provisions of Clause 4.1 related to Blocking priority resolution terms, the Client is entitled to service credit totalling up to the amount of one month’s service per violation. For each full day that the breach continues, the Client is entitled to service credit to the amount of 10% of the monthly service fee, without prejudice to any other rights provided for by law or under this agreement such as the right to specific performance, the right to an injunction or the right to claim damages in lieu of this penalty. However, the Company cannot be held liable for the incidents or resolution that they do not have control over.

  6. Expenses

    1. The Client shall compensate the Company for all the expenses incurred due to the Company’s processing of a support request, the resolution of which is out of the scope of responsibility of the Company according to hourly rates specified in the Company’s price list or agreed separately between the Parties.

  7. Changes to the Service Level Agreement

    1. In the case of any changes imposed on the Company by a regulator or the cloud computing party, the Company reserves the right, at their sole discretion, to amend the SLA at any time and will update this SLA in the event of any such amendments. Company will notify the Client of material changes to the SLA at least 30 calendar days prior to the change taking effect by sending a notice to the Client. For non-material modifications, the Client’s continued use of the Services constitutes agreement to the Company’s revisions of the SLA.

  8. Payment

    1. Company’s pricing and payment terms are agreed upon in the Special Terms.

  9. Miscellaneous

    1. The terms and conditions set forth in the General Terms shall apply to the SLA.

    2. In the event of any discrepancy between the SLA and the General Terms, the SLA shall prevail.


ANNEX 2


Data Processing Agreement

Client - hereinafter referred to as "CONTROLLER" and Company - hereinafter referred to as "PROCESSOR"

1. Subject matter

1.1. The subject matter of the DPA, the type and purpose of the data processing, the types of personal data and the categories of data subjects are described in Schedule 1.

1.2. This DPA shall – unless otherwise agreed – apply as long as the PROCESSOR processes personal data on behalf of the CONTROLLER.

2. Processing of Data bound by Instructions

2.1. The PROCESSOR shall process the personal data based on the instructions provided by the CONTROLLER using the Software as a Service (SaaS) platform.

2.2. The CONTROLLER is responsible for the transparency and information provided to its customers in its service terms, privacy policies and contracts regarding the details of the services provided by the PROCESSOR.

3. Commitment to Confidentiality

3.1. The PROCESSOR shall engage for the implementation of this DPA only the persons authorised to process the personal data, who have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

3.2. The PROCESSOR shall work with due care towards ensuring that its employees comply with all applicable legal requirements for data protection and that the information obtained from the CONTROLLER is not released to unauthorised third parties or otherwise used or exploited.

4. Security of Processing / Technical and Organisational Measures (TOMs)

4.1. The PROCESSOR takes all TOMs required pursuant to Article 32 GDPR.

4.2. TOMs are subject to technical progress and development. During the duration of this DPA, the PROCESSOR shall continuously adapt the TOMs to the requirements of this DPA and according to technological progress.

4.3. Insofar as the PROCESSOR provides a technical system or solution for the CONTROLLER, the PROCESSOR has to ensure that the technical system or solution meets the requirements of the GDPR.

5. Engaging Another Processor (SUBPROCESSOR)

5.1. The PROCESSOR may engage the SUBPROCESSORS listed in Schedule 2. The CONTROLLER gives its authorisation for engaging these SUBPROCESSORS.

5.2. The PROCESSOR shall inform the CONTROLLER of any intended changes concerning the addition or replacement of SUBPROCESSORS by updating Schedule 2.

5.3. The PROCESSOR shall impose on the SUBPROCESSORS the same data protection obligations which are set out in this DPA. Where the SUBPROCESSOR fails to comply with the data protection obligations set out in this DPA, the PROCESSOR shall remain fully liable to the CONTROLLER for compliance with the data protection obligations of the SUBPROCESSOR.

5.4. The PROCESSOR shall properly verify compliance with the data protection obligations by the engaged SUBPROCESSOR on a regular basis.

5.5. Any transfer into a third country (incl. giving access to personal data) either by the PROCESSOR itself or any SUBPROCESSOR is subject to prior written approval, including in electronic form, by the CONTROLLER. The CONTROLLER gives its authorisation for third-country transfers to the engaged SUBPROCESSORS which are listed in Schedule 2.

5.6. Where personal data is transferred from the PROCESSOR located in the European Union (EU) or the European Economic Area (EEA) to a SUBPROCESSOR located in a country not recognised by the European Commission as providing an adequate level of protection for personal data, the CONTROLLER appoints the PROCESSOR, and the PROCESSOR undertakes, to enter into the EU Standard Contractual Clauses on the CONTROLLER's behalf with such SUBPROCESSOR based outside of the EEA or the EU. The PROCESSOR will accede to these Standard Contractual Clauses concluded between the PROCESSOR and the SUBPROCESSOR.

6. Cooperation & Support Obligations

6.1. The PROCESSOR assists the CONTROLLER with all necessary and economically appropriate means as well as by appropriate technical and organisational measures in the fulfilment of the CONTROLLER's obligation to respond to requests for exercising the data subject's rights.

6.2. Direct communication with the data subject shall only take place with the prior written permission of the CONTROLLER. The PROCESSOR shall forward all inquiries related to the data subject's rights to the CONTROLLER without undue delay.

7. Assistance in Ensuring Compliance with the Obligations of the CONTROLLER

7.1. The PROCESSOR is aware that in case of a personal data breach, the CONTROLLER must notify the personal data breach to the supervisory authority and/or the data subject without undue delay and, where feasible, not later than 72 hours after having become aware of the personal data breach. In the event of a personal data breach, the PROCESSOR will support the CONTROLLER by all necessary and economically reasonable means in performing its notification duties pursuant to Art. 28 (3) (f) GDPR. The PROCESSOR will inform the CONTROLLER of any personal data breach as well as suspected cases and provide at least the following information:

7.1.1. the nature of the personal data breach including, where possible, the categories and approximate number of data subjects concerned and of personal data records concerned;

7.1.2. the name and contact details of the data protection officer or another contact point where more information can be obtained;

7.1.3. the likely consequences of the personal data breach;

7.1.4. the measures taken or proposed to be taken by the CONTROLLER to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects.

8. Deletion and Return of Personal Data

8.1. The CONTROLLER has the option to configure how personal data is stored on the Software as a Service (SaaS) platform and to set a retention policy specifying the duration after which the data is automatically deleted.

9. Demonstrating Compliance with the Obligations and Contributing to Audits

9.1. The PROCESSOR makes available to the CONTROLLER all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

10. Further Obligations

10.1. In the event of suspicion of violations of the data protection obligations or other data breaches or complaints regarding the processing of personal data or resulting from inspections or other measures taken by the supervisory authorities, the CONTROLLER shall be immediately notified.

10.2. Where required by law, the PROCESSOR shall appoint in writing a data protection officer according to Art. 37 GDPR and a representative according to Art. 27 GDPR.

11. Other Provisions

11.1. The Parties shall keep confidential all business secrets and data security measures they gain knowledge of in the context of the contractual relationship. Business secrets are all (but not limited to) business-related facts, circumstances and activities which are not generally accessible, but only accessible to a limited group of persons, unless the PROCESSOR has no legitimate interest in non-proliferation. Data security measures are all TOMs taken by one contracting party. This obligation of secrecy remains effective after the termination of this DPA.

11.2. The liability of the Parties for data protection violations is regulated in Art. 82 GDPR.

11.3. In the event of contradictions, inconsistencies, or discrepancies between this DPA and the Terms and Conditions, the provisions of this DPA shall take precedence over the provisions of the main contract. Furthermore, the provisions of the standard contractual clauses/standard data protection clauses shall take precedence, if applicable.

11.4. Should any of the provisions of this DPA be or become invalid, the remaining provisions shall remain valid and unaffected.

11.5. Any modification of this DPA, including its termination and this clause, must be in electronic form and made available as an update of the Terms and Conditions.

11.6. Irrespective of the provisions concerning the duration of the DPA, both Parties shall be entitled to terminate for good cause in the event of serious violations of the data protection provisions laid down in this DPA.

Schedule 1:


ANNEX 3

Technical and Organisational Measures (TOM)

  1. Overview

The following Technical and Organisational Measures are being provided in compliance with Article 32(1) of the GDPR. Company maintains its production environment on Vultr (Sweden server) and relies on Microsoft Azure Blob Storage for image storage. As such, it relies in large part on the technical security measures adopted by Vultr and Azure. All physical security controls are managed by the cloud hosting providers we use. To the extent that Company processes Personal Data outside the Vultr and Azure systems, the following technical and organisational measures have been implemented with respect to your Personal Data. The structure of the content below is derived from Article 32(1) of the GDPR.

  2. Pseudonymisation and Encryption

Data is encrypted both at rest and in transit. We use TLS encryption to protect the data in transit and we leverage industry-standard encryption tools to encrypt data at rest.

  3. Confidentiality

  • We have access controls designed to manage access to Data and system functionality based on authority levels and job functions. Documented access removal processes are utilised to revoke access of personnel who no longer need it.

  • We enforce password policies and require multi-factor authentication when available to protect our accounts.

  • All personnel laptops are encrypted and password protected, enforced through a centralised endpoint protection solution that applies best practices on devices.

  • Computer locking is activated automatically and protected by password.

  • We protect our user login against a number of attack vectors, including brute force attacks, by utilising industry-standard third-party services. Passwords are cryptographically hashed and salted based on industry best practices by our authorisation provider, and user authorisation tokens are used to manage connections to the Platform.

  • We do not run our own routers, load balancers, DNS servers, or physical servers. Our Platform operates in a cloud-based environment, utilizing virtual private servers provided by Vultr and image storage solutions from Azure.

  • We have implemented procedures and rules for the safe and permanent destruction of data that is redundant.

  • We log and monitor activity on our system, which includes, but is not limited to, Azure Blob Storage and Vultr system events, Grafana metrics derived from PostgreSQL data and SendGrid. We actively store these logs and analyze them for unusual activity. Grafana is specifically used for monitoring the level of interaction with our system by analyzing data from our PostgreSQL databases. Processes are in place to alert our dedicated security team of any suspicious activity for immediate review.

  4. Integrity

  • The deployment of the Platform is entirely automated and changes to both infrastructure and code are subject to automated testing using our Continuous Integration (CI) tool before being released to production.

  • Our infrastructure is provisioned via code solutions, enabling consistent, reliable, and secure deployments of cloud infrastructure. We utilize tools compatible with Azure and Vultr environments for this purpose, ensuring a programmatically managed and standardized setup.

  • Changes to our Platform are reviewed by peers, and such code reviews are designed to ensure the security, performance and quality of code released to production.

  • We engage an independent organisation to assess the security of our Platform, which is reviewed no less than once every 12 months.

  5. Availability and Resilience

  • We leverage fully managed services to deliver the Platform. Services such as Azure Functions and Vultr Compute Instances are administered and patched by their respective providers within their own ecosystems.

  • All Client data is stored in Cloud storage services and is backed up on at least a daily basis.

Ability to Restore the Availability and Access to Personal Data

  • We have a written Business Continuity and Disaster Recovery Plan setting forth processes to restore the Platform.

  1. Processes of Regular Testing, Assessing and Evaluating the Effectiveness of Technical and Organisational Measures for Ensuring the Security of the Processing

  • We regularly review data privacy measures.

  • We have a security expert who collaborates with all other departments at the Company to ensure security across the Platform and services.

  • All members of our team (including both full-time employees and independent contractors) are required to comply with internal security policies and practices, including but not limited to, an Information Security Incident Management Policy, an Information Security Policy and Standards – Data Encryption Policy, an Acceptable Use Policy, an Email Policy and a Data Classification and Access Control Policy.

  • We perform regular penetration test audits with a contracted third party.


ANNEX 4


Platform Security

  1. Infrastructure

Physical access

Company operates in a cloud-based environment and utilizes a shared cloud security model. We do not run our own routers, load balancers, DNS servers, or physical servers. Our infrastructure is hosted on virtual private servers provided by Vultr and image storage is handled by Azure Blob Storage.

  2. Application security

Code reviews

All code is reviewed by a senior engineer before being deployed to production systems. Code reviews are designed to ensure the security, performance and quality of code released to production.

User Logins

We protect user login against a number of attack vectors, including brute force attacks, by utilising third-party services. Passwords are cryptographically hashed and salted according to industry best practices by our authorisation provider, which also issues user authorisation tokens to manage connections to the Platform.
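As an added illustration of what "cryptographically hashed and salted" and brute-force protection mean in practice, the following Python is example code written for this page; it is not Inspectly's own code, nor that of its authorisation provider, whose implementation the page does not describe. It uses scrypt from the standard library with a fresh random salt per password, a constant-time comparison on verification, and a per-account lockout after repeated failures. The user store, the work factors, the lockout thresholds and all function and class names are assumptions for the example.

```python
from __future__ import annotations

import base64
import hashlib
import hmac
import os
import time

# scrypt work factors; assumed values for this example (tune for your hardware).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SALT_BYTES = 16
HASH_BYTES = 32


def hash_password(password: str) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields).

    A fresh random salt per password means two users with the same password
    get different records, and precomputed (rainbow) tables are useless.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=HASH_BYTES)
    b64 = lambda b: base64.b64encode(b).decode("ascii")
    return f"scrypt${SCRYPT_N}${SCRYPT_R}${SCRYPT_P}${b64(salt)}${b64(digest)}"


def verify_password(record: str, password: str) -> bool:
    """Recompute the hash with the parameters stored in the record and compare
    in constant time, so response timing does not leak how many bytes matched."""
    try:
        algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except ValueError:  # malformed record or bad base64 (binascii.Error is a ValueError)
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


# Constructed sample user store for the example (not real credentials).
USERS = {"inspector": hash_password("correct horse battery staple")}
# Record hashed for unknown usernames so they cost the same time as real ones.
DUMMY_RECORD = hash_password("placeholder-for-unknown-users")


class LoginGuard:
    """Per-account throttle: after MAX_FAILURES consecutive failures the account
    is locked for LOCKOUT_SECONDS. The clock is injected so behaviour is testable."""
    MAX_FAILURES = 5
    LOCKOUT_SECONDS = 900

    def __init__(self, records: dict[str, str]):
        self._records = records                      # username -> password record
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, float] = {}

    def attempt(self, username: str, password: str, now: float | None = None) -> str:
        now = time.time() if now is None else now
        if self._locked_until.get(username, 0.0) > now:
            return "locked"                          # refuse even a correct password
        record = self._records.get(username)
        if record is None:
            verify_password(DUMMY_RECORD, password)  # burn equal work; never succeeds
            ok = False
        else:
            ok = verify_password(record, password)
        if ok:
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        self._failures[username] = failures
        if failures >= self.MAX_FAILURES:
            self._locked_until[username] = now + self.LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        return "failure"


def demo() -> list[str]:
    """Drive the guard through a brute-force burst and the eventual correct login."""
    guard = LoginGuard(USERS)
    t0 = 1_700_000_000.0
    results = [guard.attempt("inspector", "wrong", now=t0 + i) for i in range(5)]
    # Correct password during the lockout window is still refused ...
    results.append(guard.attempt("inspector", "correct horse battery staple", now=t0 + 5))
    # ... and accepted once the lockout has expired.
    results.append(guard.attempt("inspector", "correct horse battery staple",
                                 now=t0 + 5 + LoginGuard.LOCKOUT_SECONDS))
    return results


if __name__ == "__main__":
    print(demo())
```

The record format carries its own parameters so the work factors can be raised later and old records re-hashed on next login; the dummy hash for unknown usernames keeps the response time independent of whether an account exists. A per-account lockout alone can be turned into a denial of service against a known username, so in production it is normally paired with per-IP rate limiting or a progressively increasing delay.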

Development Process

The deployment of the Platform is entirely automated. Changes to both infrastructure and code are subject to automated testing using our Continuous Integration (CI) tool before being released to production. A change that passes our review and testing process is then deployed to production using our CI tool.

Penetration Testing

Company performs regular penetration test audits with a contracted third party.

Data encryption and transfer

Company encrypts data both at rest and in transit. All network communication uses TLS encryption to protect it in transit. We leverage the encryption tools included in public cloud data stores to encrypt data at rest.

  3. Policies and Compliance

Overview

Company is committed to protecting your information. While Company has not undergone a third-party security audit for SOC 2 or ISO/IEC 27001 or 27018, we hold ourselves to the security controls present in those frameworks and have chosen cloud hosting providers that are SOC and ISO compliant.

Employee Access to Data

Company restricts access to systems and infrastructure to Company personnel who require access as part of their job responsibilities. Access removal processes are used to revoke access to personnel who no longer need it.

Company enforces a password policy and a requirement for multi-factor authentication when available to protect our accounts.

Documentation and Change Control

We manage all our infrastructure as code, allowing us to audit and peer review any changes and to provide a secure and automated process for applying these changes.

Notification of Security Breach

Company complies with GDPR requirements for data breach notification. In the event of a security breach, Company will take action to contain, investigate and mitigate the breach. Company will notify Clients of a breach in writing within 48 hours of the breach being confirmed.

An unsuccessful Security Incident will not be subject to notification. An unsuccessful Security Incident is one that results in no unauthorised access to Personal Data or to any equipment or facilities storing Personal Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorised access to traffic data that does not result in access beyond headers) or similar incidents.
