Data Security Policy

Effective Date: 04/07/2025
Last Updated: 05/25/2025

1. Scope

1.1 This Data Security Policy describes how AG2AI, Inc. ("we," "our," or "us") protects and secures data in connection with our AI agent services (the "Service").

1.2 This policy applies to all customer data, user information, and AI interaction data processed through our Service.

1.3 This policy may be updated from time to time. Terms effective at the time of service agreement will apply throughout the service duration.

2. Organizational Security Controls

2.1 Employee Access and Training

Access Controls:

  • Employees only access customer data on a strict need-to-know basis for:

    • Technical support and troubleshooting

    • System maintenance and backups

    • Service improvements (with anonymized data only)

    • Actions specifically authorized by customers

Employee Obligations:

  • All employees sign confidentiality agreements prohibiting disclosure of customer data

  • Mandatory reporting of any security incidents to management

  • Security awareness training at hiring and on a regular basis thereafter

Background Checks:

  • Background verification for employees with access to customer data

  • Additional screening for employees with administrative access

2.2 Access Management

  • Role-based access controls limiting data access to authorized personnel only

  • Regular review and audit of employee access permissions

  • Immediate access revocation upon employee departure

  • Multi-factor authentication required for all administrative access

3. Technical Security Measures

3.1 Data Encryption

Data in Transit:

  • All communications encrypted using TLS 1.2 or higher

  • End-to-end encryption for sensitive data transmissions

  • Secure API connections with authenticated endpoints

Data at Rest:

  • Database encryption using AES-256 encryption standard

  • Encrypted backups and data storage

  • Secure key management and rotation procedures

3.2 Infrastructure Security

Network Security:

  • Industry-standard firewalls at network, host, and application levels

  • Database infrastructure segregated from application servers and internet

  • Network intrusion detection and prevention systems

  • Regular security monitoring and threat detection

Application Security:

  • Secure authentication and session management

  • Passwords never transmitted or stored in plain text

  • Secure HTTPS-only access to all services

  • Regular security updates and patch management

3.3 AI-Specific Security

Third-Party AI Services:

  • Secure API connections to AI providers (OpenAI, Anthropic, etc.)

  • Data processing agreements with all AI service providers

  • Monitoring of data flows to third-party AI services

  • Compliance with AI provider security requirements

Data Processing:

  • Anonymization of customer data used for AI model improvements

  • Secure handling of AI training data

  • Isolation of customer AI interactions

  • Audit trails for all AI data processing activities

4. Cloud Infrastructure Security

4.1 Infrastructure Provider Requirements

We utilize enterprise-grade cloud infrastructure providers (AWS, Google Cloud, Azure) that provide:

Physical Security:

  • 24/7 monitored data center facilities

  • Biometric access controls and security personnel

  • Environmental controls (power, cooling, fire suppression)

  • Redundant power and network connections

Operational Security:

  • Automated failover and disaster recovery

  • Regular maintenance and monitoring

  • Compliance with industry security standards (SOC 2, ISO 27001)

  • Geographic data residency options

4.2 Virtual Infrastructure

  • Virtual machine isolation using hypervisor technology

  • No direct access to physical hardware or raw disk devices

  • Automated security updates and configuration management

  • Resource isolation between different customer environments

5. Data Backup and Disaster Recovery

5.1 Backup Procedures

  • Automated daily backups of all customer data

  • Encrypted backup storage in geographically distributed locations

  • Regular backup integrity testing and restoration procedures

  • Retention periods aligned with customer requirements and legal obligations

5.2 Disaster Recovery

  • Documented disaster recovery plan with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO)

  • Regular disaster recovery testing and plan updates

  • Redundant infrastructure across multiple availability zones

  • Emergency response procedures and communication plans

6. Incident Response and Monitoring

6.1 Security Monitoring

  • Continuous monitoring of systems for security threats

  • Automated alerting for suspicious activities

  • Log collection and analysis for security events

  • Regular security assessments and vulnerability scanning

6.2 Incident Response

  • Documented incident response procedures

  • Immediate containment and investigation of security incidents

  • Prompt customer notification of incidents affecting their data

  • Post-incident analysis and remediation measures

7. Compliance and Auditing

7.1 Security Standards

We maintain compliance with relevant security standards including:

  • SOC 2 Type II (planned/in progress)

  • ISO 27001 security management practices

  • GDPR and other applicable privacy regulations

  • Industry-specific security requirements as applicable

7.2 Auditing

  • Regular internal security audits and assessments

  • Third-party security reviews and penetration testing

  • Continuous monitoring of security controls effectiveness

  • Documentation of all security procedures and incidents

8. Third-Party Security

8.1 Vendor Management

  • Security assessments of all third-party service providers

  • Data processing agreements with security requirements

  • Regular review of vendor security practices

  • Incident notification requirements for vendors

8.2 AI Service Providers

  • Due diligence on AI service provider security practices

  • Contractual security requirements and data handling terms

  • Monitoring of AI provider security incidents and updates

  • Regular review of AI provider compliance and certifications

9. Customer Responsibilities and Exclusions

9.1 Customer Responsibilities

Customers are responsible for:

  • Secure configuration of their account settings

  • Strong password policies and access management

  • Proper use of the Service in accordance with our terms

  • Reporting suspected security incidents promptly

9.2 Exclusions

This policy does not cover:

  • Data processed outside our Service platform

  • Third-party services integrated by customers

  • Customer's own network security or endpoint devices

  • Data shared through unofficial channels or methods

9.3 Limitations

  • No penetration testing of the Service without prior written approval

  • Security measures are designed for reasonable protection but cannot guarantee absolute security

  • Customer data processed through integrations is subject to the security policies of the relevant third parties

10. Policy Updates and Contact Information

10.1 Policy Changes

We may update this policy to reflect changes in:

  • Technology and security practices

  • Legal and regulatory requirements

  • Service enhancements and new features

  • Industry best practices

10.2 Contact Information

For questions about this Data Security Policy or to report security concerns:

Email: info@ag2.ai
Address: 240 2nd Ave S #300, Seattle, WA 98104