Allybi Security and Privacy Policy

1. Introduction and Scope

1.1 Purpose and Commitment

Camasmie Gillet Inc., a Delaware corporation, is committed to maintaining the highest standards of security and privacy in all aspects of the Allybi Service. This Security and Privacy Policy establishes a comprehensive framework for protecting information and demonstrates our commitment to safeguarding user data and maintaining the confidentiality, integrity, and availability of all systems and information.

The Allybi Service represents a new generation of document management and artificial intelligence-assisted platform that enables users to upload, organize, analyze, and collaborate on documents with advanced AI capabilities. We recognize that security and privacy are fundamental aspects of our relationship with users, and this policy reflects our understanding that these protections must be built into every aspect of our service delivery.

Our security and privacy framework provides comprehensive protection for user information while enabling the innovative features and capabilities that make the Allybi Service valuable. We are committed to transparency about our practices and providing users with meaningful control over their information.

1.2 Scope and Application

This policy applies to all aspects of the Allybi Service, including our web platform, mobile applications, application programming interfaces (APIs), and underlying infrastructure. It governs the collection, use, processing, storage, and protection of all information processed by or through the Allybi Service.

The policy applies to all categories of users, including individual users, team members, organization administrators, and other persons who interact with the Allybi Service. It also governs our handling of information about website visitors, prospective users, and other individuals whose information we may process.

This policy covers all types of information processed by the Allybi Service, including user-uploaded documents, artificial intelligence queries and interactions, account information, usage analytics, and other data. Different types of information require different levels of protection, and this policy establishes appropriate safeguards for each category.

1.3 Our Security and Privacy Principles

Our approach to security and privacy is guided by five core principles that inform all aspects of our operations:

Privacy by Design and by Default means that privacy considerations are built into the design and development of all Allybi Service features, and privacy-protective settings are enabled by default without requiring users to take additional action.

Data Minimization and Purpose Limitation means that we collect only the information necessary to provide the Allybi Service and use that information only for the purposes for which it was collected or compatible purposes explicitly disclosed to users.

Transparency and User Control means that we provide clear information about our practices, offer meaningful choices about how information is collected and used, provide granular control settings, and make these tools easily accessible to users.

Security Excellence and Continuous Improvement means that we implement industry-leading security measures, continuously monitor and assess our security posture, and regularly update our practices to address evolving threats and emerging best practices.

Accountability and Governance means that we maintain clear assignment of roles and responsibilities, maintain comprehensive policies and procedures, conduct regular assessments of our practices, and maintain documentation to demonstrate compliance with our commitments.

1.4 Regulatory Compliance Framework

The Allybi Service is designed to comply with applicable privacy and security laws and regulations in jurisdictions where we operate, including the European Union’s General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), Brazil’s Lei Geral de Proteção de Dados (LGPD), and other applicable privacy laws.

Our GDPR compliance framework ensures that we establish lawful bases for processing personal data, respect data subject rights, conduct privacy impact assessments for high-risk processing, implement privacy protection by design and by default, use appropriate safeguards for international data transfers, and maintain procedures for breach notification and regulatory cooperation.

Our CCPA compliance framework ensures that we provide California consumers with rights to know what personal information is collected, delete personal information, opt out of certain uses, and receive equal service and pricing regardless of privacy choices. We maintain systems and procedures to respond to consumer requests and honor their privacy preferences.

Our practices align with the OECD Privacy Guidelines, the APEC Privacy Framework, and other international standards to ensure consistent protection of personal information regardless of jurisdiction.

2. Information Security Governance

2.1 Security Leadership and Organizational Structure

The Chief Executive Officer bears ultimate responsibility for information security and privacy protection within the Allybi Service. This executive-level accountability ensures that security receives appropriate resources and strategic integration throughout the organization.

We have designated security leadership responsible for developing, implementing, and maintaining our comprehensive security program. Our security leadership works collaboratively with engineering, operations, legal, and customer success teams to ensure that security considerations are integrated into all aspects of our operations.

Cross-functional security committees provide oversight and coordination of security initiatives across different organizational units. These committees meet regularly to review security performance, identify emerging risks, and coordinate responses to security challenges.

Our security governance includes regular reviews of program effectiveness, assessment of policy and procedure adequacy, evaluation of control effectiveness, and analysis of security metrics and trends. These reviews inform ongoing improvements to our security program.

2.2 Security Policies and Standards

We maintain a comprehensive framework of security policies and standards that provide detailed guidance for protecting information and maintaining the security of our systems and operations. Our policies are based on industry best practices, regulatory requirements, and the specific security needs of the Allybi Service.

Our Information Security Policy establishes the foundation for our overall security approach, defines roles and responsibilities, and provides the framework for more specific security standards. Our Access Control Standards establish requirements for password complexity, multi-factor authentication, privileged access management, regular access reviews, and secure termination procedures. Our Data Protection Standards establish requirements for information classification, encryption, retention and disposal, and special protections for sensitive information.

Our Network Security Standards establish requirements for firewalls, intrusion detection and prevention systems, network segmentation, use of secure protocols, and continuous security monitoring. Our Incident Response Standards establish procedures for detecting security incidents, responding to incidents, recovering from incidents, classifying incidents, defining roles and responsibilities, managing communications, and preserving evidence.

All security policies and standards are regularly reviewed and updated to address evolving threats, changes in technology, new regulatory requirements, and lessons learned from security assessments and incidents.

2.3 Risk Management Framework

We employ a systematic approach to identifying, assessing, and mitigating security and privacy risks. Our risk management framework includes risk identification through threat modeling, vulnerability assessments, architecture reviews, and threat intelligence analysis.

Risk assessment involves evaluating the potential impact and likelihood of identified risks, considering the sensitivity of information at risk, potential consequences of compromise, effectiveness of existing controls, and the current threat landscape. Risk mitigation involves implementing technical controls, establishing operational procedures, providing security training, conducting regular assessments, and maintaining incident response capabilities.

Our ongoing risk monitoring includes regular reassessment of identified risks, evaluation of control effectiveness, analysis of security metrics and trends, and identification of new and emerging risks. We communicate risk information to leadership and coordinate risk mitigation efforts across the organization.

2.4 Compliance Management

We maintain a compliance management program that ensures our practices meet applicable legal and regulatory requirements, align with industry standards, and fulfill our contractual obligations to users and partners.

Our regulatory monitoring includes tracking applicable privacy and security laws, assessing requirements for compliance, and evaluating our current practices against those requirements. Our industry standard alignment includes alignment with ISO 27001 information security standards, SOC 2 audit standards, and the NIST Cybersecurity Framework.

Our compliance assessment includes internal audits, third-party security assessments, and regular compliance reviews. We maintain comprehensive documentation of our policies, evidence of control implementation, assessment results, and incident records to demonstrate compliance.

We provide regular compliance reporting to leadership, identify gaps between current practices and requirements, develop remediation plans for identified gaps, and track progress on remediation efforts.

3. Data Classification and Protection

3.1 Information Classification Framework

The Allybi Service processes various types of information that require different levels of protection based on their sensitivity, regulatory requirements, and potential impact if compromised. We classify information into four categories:

Public Information is intended for public disclosure and includes information such as marketing materials, publicly available documentation, and other information that would cause no harm if disclosed. Public information requires minimal protection beyond basic security controls.

Internal Information is intended for internal organizational use and is not particularly sensitive. This category includes internal communications, operational procedures, and other information that would cause minimal harm if disclosed to unauthorized parties.

Confidential Information includes sensitive business information, user personal information, account information, usage analytics, and other information that could cause significant harm if disclosed. This category includes most information processed by the Allybi Service and requires strong protection measures.

Restricted Information includes highly sensitive information that could cause severe harm if disclosed, including authentication credentials, encryption keys, financial information, and other information requiring the strongest available protections.

3.2 Document and Content Protection

User documents uploaded to the Allybi Service are classified as Confidential Information by default, reflecting our recognition that documents may contain sensitive personal information, confidential business data, proprietary information, or other sensitive content.

Document Encryption protects all user content in transit and at rest using industry-standard encryption. All user documents stored in Allybi systems are protected using AES-256 encryption. All communications between user devices and Allybi servers use TLS 1.3 or higher encryption protocols. This encryption provides strong protection against unauthorized access even if storage systems or network communications are compromised.

Access Control ensures that user documents are accessible only to authorized individuals, including the document owner and explicitly authorized users through document sharing and collaboration features. We implement the principle of least privilege, ensuring that users have access only to documents and features necessary for their legitimate purposes.

Document Integrity measures detect and prevent unauthorized modification of documents. We implement checksums and integrity verification mechanisms to ensure that documents are not corrupted or tampered with during storage or transmission. These measures maintain the reliability and trustworthiness of documents throughout their lifecycle.

Version Control and Backup protect documents against accidental loss or corruption. We maintain encrypted backup copies of user documents stored in geographically distributed locations. These backups protect against various types of disasters and system failures.

3.3 Personal Information Protection

Personal information processed by the Allybi Service receives enhanced protection measures that comply with applicable privacy laws and reflect the sensitivity of this information category.

Data Minimization means that we collect only the personal information necessary to provide the Allybi Service. We regularly review our collection practices to identify opportunities for reduction. We maintain functionality and effectiveness while minimizing information collection.

Purpose Limitation means that personal information is used only for the purposes for which it was collected or compatible purposes explicitly disclosed to users. We maintain clear documentation of processing purposes and implement controls to prevent unauthorized use.

Retention Limitation means that personal information is retained only as long as necessary for collection purposes, to fulfill legal obligations, or to resolve disputes. We establish specific retention periods for different categories of personal information and implement automated deletion procedures for appropriate disposal.

Special Category Personal Information such as health information, biometric data, or other sensitive personal information contained in user documents receives additional protection including enhanced access controls, stronger encryption, and restrictive processing limitations. Such information is processed only when necessary with appropriate safeguards.

3.4 AI and Machine Learning Data Protection

The Allybi Service includes artificial intelligence and machine learning capabilities for document management and analysis. Our AI data protection framework ensures appropriate protection of information and respect for user privacy and confidentiality.

Training Data Protection means that information used to train or improve AI models is appropriately protected. We do not use user documents or user queries to train AI models without explicit user consent. We implement technical measures to prevent inadvertent use of user information for model training.

Model Security means that AI models are protected against unauthorized access, modification, or misuse. We maintain access controls, version control, and monitoring of model usage to ensure appropriate protection.

Output Security means that outputs generated by AI models are protected with the same care as the input information. AI-generated summaries, extractions, and other outputs are subject to the same access controls and encryption as user documents.

4. Access Control and Authentication

4.1 User Authentication

The Allybi Service implements strong authentication mechanisms to verify user identity and prevent unauthorized access to user accounts and information.

Password Requirements establish minimum standards for password strength, including minimum length, complexity requirements, and prohibition of common passwords. Users are required to establish strong passwords that are resistant to guessing and brute-force attacks.

Multi-Factor Authentication (MFA) is available to all users and required for users with administrative privileges or access to sensitive information. MFA requires users to provide multiple forms of authentication, such as a password and a time-based one-time password generated by an authenticator application or received via SMS. This significantly increases security against unauthorized account access.

Session Management ensures that user sessions are properly managed and terminated when appropriate. Session cookies are encrypted and include security tokens to prevent session hijacking. Sessions automatically expire after periods of inactivity to reduce the risk of unauthorized access through abandoned sessions.

Account Recovery procedures allow users to recover access to their accounts if they forget their passwords or lose access to their authentication devices. Account recovery procedures include verification of user identity through security questions, verification emails, or other mechanisms to prevent unauthorized account recovery.

4.2 Third-Party Integration Authentication

The Allybi Service integrates with third-party services including Outlook, OneDrive, SharePoint, and other connected sources to enable enhanced functionality and user workflows. These integrations use OAuth 2.0 authentication protocols to securely connect user accounts with minimal exposure of credentials.

OAuth 2.0 Authorization Flow enables users to authorize Allybi to access their third-party accounts without sharing passwords. Users are redirected to the third-party service to authenticate and authorize specific permissions. Allybi receives an authorization token that can be used to access authorized resources on behalf of the user.

Scoped Access and Least Privilege means that Allybi requests only the minimum permissions necessary to provide integrated functionality. For Outlook, we request access to email headers, threads, and attachments as authorized. For OneDrive, we request access to selected files and folders. For SharePoint, we request access to selected sites, libraries, and files. For WhatsApp, we store contacts and message drafts for handoff. Gmail and Google Drive scopes will be requested only when those integrations become available. Users can review and modify permissions at any time.

Token Security means that authorization tokens are encrypted and stored securely. Tokens are never logged, displayed to users, or transmitted in unencrypted communications. Tokens are protected with the same security measures as user passwords.

Token Revocation allows users to disconnect their third-party accounts at any time through their Allybi account settings. When a user revokes authorization, Allybi immediately stops accessing new data from the third-party service. Previously imported data remains in Allybi according to our data retention policies unless the user requests deletion.

Access Logging maintains comprehensive logs of all access to third-party account data. These logs record when data was accessed, what data was accessed, and by which user or system component. Access logs are protected from unauthorized modification and are reviewed regularly for suspicious activity.

Restricted Employee Access means that Allybi employees have restricted access to third-party account data. Employee access requires explicit authorization, is logged and monitored, and is limited to the minimum necessary for legitimate business purposes such as customer support or security investigation.

4.3 Privileged Access Management

Allybi implements strong controls over privileged access to systems, data, and administrative functions to prevent unauthorized use of elevated privileges.

Principle of Least Privilege means that users and system components are granted only the minimum access necessary to perform their legitimate functions. Access is regularly reviewed and revoked when no longer needed.

Privileged Access Approval requires explicit authorization before granting privileged access. Access requests are reviewed and approved by appropriate managers or security personnel. Approval decisions are documented and maintained for audit purposes.

Privileged Access Monitoring includes comprehensive logging and monitoring of all privileged access. All actions taken with privileged access are logged and reviewed regularly for suspicious activity. Anomalous access patterns trigger alerts for investigation.

Privileged Access Termination ensures that privileged access is promptly revoked when employees leave the organization or change roles. Termination procedures include verification that all access has been revoked and that no residual access remains.

4.4 Document and Collaboration Access Controls

The Allybi Service provides granular access controls for user documents and collaboration features to enable secure sharing and teamwork.

Owner and Sharing Controls allow document owners to explicitly grant access to other users. Owners can specify whether other users have viewer access (read-only) or editor access (ability to modify documents). Owners can revoke access at any time.

Viewer Access allows authorized users to view document content without the ability to modify documents. Viewers can search documents, view AI-generated summaries and extractions, and participate in document discussions, but cannot modify document content or sharing permissions.

Editor Access allows authorized users to modify document content, update document properties, and manage document sharing. Editors can add collaborators, modify permissions, and make changes to document content.

Audit Logging maintains comprehensive records of all document access and modifications. These logs record who accessed documents, when they accessed them, what actions they performed, and what changes they made. Audit logs are protected from unauthorized modification and are available for user review.

Change History allows users to view the complete history of changes to documents, including who made changes, when changes were made, and what specific changes were made. Users can review change history to understand document evolution and identify unauthorized modifications.

5. Encryption and Technical Safeguards

5.1 Data Encryption

The Allybi Service implements comprehensive encryption to protect information in transit and at rest.

Encryption at Rest protects stored information from unauthorized access if storage systems are compromised. All user documents and other sensitive information stored in Allybi systems are encrypted using AES-256 encryption. Encryption keys are managed securely and are not stored with encrypted data.

Encryption in Transit protects information transmitted between user devices and Allybi servers from interception or modification. All communications use TLS 1.3 or higher encryption protocols. This includes web browser communications, mobile application communications, and API communications.

Key Management includes secure generation, storage, rotation, and destruction of encryption keys. Encryption keys are generated using cryptographically secure random number generators. Keys are stored in secure key management systems with restricted access. Keys are rotated regularly to limit the impact of potential key compromise. Keys are securely destroyed when no longer needed.

End-to-End Encryption for sensitive communications ensures that information is encrypted on the user’s device before transmission and can only be decrypted by the intended recipient. This prevents Allybi from accessing the plaintext content of encrypted communications.

5.2 AI and Document Processing Security

The Allybi Service implements security measures specific to AI processing and document analysis to protect user information while enabling AI functionality.

Secure Document Processing means that documents are processed in isolated environments with restricted access. Document processing occurs on secure servers with network segmentation to prevent unauthorized access. Processing results are encrypted and stored securely.

Secure Storage and Transit means that documents are protected throughout the processing pipeline. Documents are encrypted during transmission to processing systems. Processing results are encrypted before storage. Temporary processing files are securely deleted after processing completes.

Controlled Access means that AI processing results are accessible only to authorized users. Access controls prevent unauthorized users from viewing AI-generated summaries, extractions, or other processing results. Access logging records all access to processing results.

Isolation Between Tenants and Users means that documents and information from different users and organizations are strictly isolated from each other. Processing systems maintain separate data stores for each user. Access controls prevent cross-user access to documents or information. Processing systems are configured to prevent information leakage between users.

Safe File Handling means that uploaded files are validated before processing to ensure they are readable and processable. Files that cannot be processed are rejected with clear error messages. Corrupted, malicious, or unsupported files are prevented from being added to user documents.

Extraction Process Security means that information extracted from documents is protected with the same security measures as the original documents. Extracted information is encrypted, access-controlled, and audit-logged. Extraction processes are monitored for unauthorized access or suspicious activity.

5.3 Secure Communication Channels

The Allybi Service uses secure communication channels to protect information transmitted between users, systems, and third parties.

HTTPS/TLS is used for all web-based communications between users and the Allybi Service. All URLs use the HTTPS protocol with TLS 1.3 or higher encryption. Users are warned if they attempt to access Allybi services over unencrypted HTTP connections.

API Security includes encryption of all API communications, authentication of API requests, and authorization checks to ensure that only authorized clients can access APIs. API communications use TLS 1.3 or higher encryption.

Mobile Application Security includes encryption of all communications between mobile applications and Allybi servers. Mobile applications use TLS 1.3 or higher encryption for all network communications.

Third-Party Communications with integrated services such as Slack, Gmail, and Outlook use secure communication channels. All communications with third-party APIs use TLS 1.3 or higher encryption and follow OAuth 2.0 security protocols.

6. Network and Infrastructure Security

6.1 Network Security Architecture

The Allybi Service implements comprehensive network security controls to protect systems and information from unauthorized access and attacks.

Firewall Protection includes firewalls at network perimeters and internal network segments to control traffic flow and prevent unauthorized access. Firewalls are configured to allow only necessary traffic and block potentially malicious traffic.

Intrusion Detection and Prevention systems monitor network traffic for signs of attacks or unauthorized access attempts. These systems can automatically block suspicious traffic and alert security personnel to potential incidents.

Network Segmentation divides the network into separate segments with restricted communication between segments. This limits the impact of security breaches by preventing attackers from accessing all systems if they compromise one segment.

Virtual Private Networks (VPNs) are used for secure remote access to Allybi systems. VPNs encrypt all traffic between remote users and Allybi networks, protecting information transmitted over potentially insecure networks.

Denial of Service (DoS) Protection includes measures to protect against attacks designed to overwhelm systems with traffic. These measures include traffic rate limiting, traffic filtering, and distributed denial of service mitigation services.

6.2 Infrastructure Security

The Allybi Service operates on secure infrastructure with comprehensive security controls.

Server Hardening includes removing unnecessary services, applying security patches, configuring secure settings, and implementing access controls. Servers are configured with minimal software to reduce attack surface.

Operating System Security includes regular security updates, security patches, and configuration hardening. Operating systems are configured with security controls such as mandatory access controls and audit logging.

Database Security includes encryption of databases, access controls limiting database access, audit logging of database access, and regular backups. Databases are protected from unauthorized access and data is protected from unauthorized modification.

Monitoring and Logging includes comprehensive logging of system events, security events, and user activities. Logs are protected from unauthorized modification and are reviewed regularly for suspicious activity. Log retention complies with legal requirements and operational needs.

6.3 Third-Party Integration Security

The Allybi Service implements security controls for integrations with third-party services including Slack, Gmail, and Outlook.

API Security includes authentication and authorization controls for third-party APIs. API communications are encrypted and authenticated. API access is logged and monitored for suspicious activity.

Data Validation ensures that data received from third-party services is validated before processing. Invalid or suspicious data is rejected or quarantined for investigation.

Rate Limiting prevents excessive API calls that could indicate abuse or attacks. Rate limits are enforced on both inbound and outbound API communications.

Error Handling ensures that errors in third-party integrations are handled securely without exposing sensitive information. Error messages do not reveal system architecture or sensitive data.

7. Privacy Protection and User Rights

7.1 Privacy Principles

The Allybi Service is designed and operated according to privacy principles that reflect our commitment to protecting user information and respecting user privacy rights.

Privacy by Design means that privacy considerations are built into the design of all Allybi Service features. Privacy protections are implemented at the technical level, not as afterthoughts. Privacy-protective settings are enabled by default.

Data Minimization means that we collect only the information necessary to provide the Allybi Service. We regularly review collection practices to identify opportunities for reduction.

Purpose Limitation means that information is used only for the purposes for which it was collected or compatible purposes explicitly disclosed to users.

Transparency means that we provide clear information about what information we collect, how we use it, how long we retain it, and what rights users have regarding their information.

User Control means that users have meaningful control over their information, including the ability to access, correct, delete, and port their information.

7.2 User Privacy Rights

Users of the Allybi Service have privacy rights that we respect and facilitate.

Right to Know allows users to request information about what personal information we collect, how we use it, and who we share it with. We respond to these requests within applicable legal timeframes.

Right to Access allows users to access their personal information stored by the Allybi Service. We provide users with copies of their information in commonly used formats.

Right to Correct allows users to correct inaccurate or incomplete personal information. We provide mechanisms for users to update their information directly through account settings.

Right to Delete allows users to request deletion of their personal information. We delete information as requested, subject to legal retention requirements and legitimate business needs.

Right to Opt-Out allows users to opt out of certain uses of their information, such as marketing communications or analytics. We respect user opt-out choices and do not use information for opted-out purposes.

Right to Port allows users to obtain their personal information in a commonly used format and transfer it to other services. We facilitate data portability by providing information in standard formats.

Right to Non-Discrimination means that users who exercise their privacy rights are not discriminated against or charged different prices for exercising those rights.

7.3 Privacy Requests and Procedures

The Allybi Service maintains procedures for users to exercise their privacy rights.

Request Submission allows users to submit privacy requests through multiple channels including email, web forms, and account settings. Users can specify which rights they wish to exercise and provide necessary information to identify their account.

Request Processing includes verification of user identity, determination of applicable legal requirements, and fulfillment of requests within applicable timeframes. We respond to requests within 5 business days for general inquiries and within 30 days for formal privacy rights requests as required by applicable law.

Request Documentation maintains records of all privacy requests, responses provided, and actions taken. Documentation is maintained for compliance and audit purposes.

Appeal Procedures allow users to appeal if they believe we have not properly responded to their privacy requests. Appeal procedures include review by appropriate personnel and reconsideration of the request.

8. Data Processing and Legal Basis

8.1 Lawful Basis for Processing

The Allybi Service processes personal information only when we have a lawful basis for processing under applicable privacy laws.

Consent is obtained from users for processing that is not necessary to provide the Allybi Service. Users provide explicit consent for marketing communications, analytics, and other optional processing. Users can withdraw consent at any time.

Contract is the basis for processing necessary to provide the Allybi Service to users. Processing necessary to create accounts, store documents, provide AI analysis, and deliver other core services is based on the user’s agreement to our Terms of Service.

Legal Obligation is the basis for processing required by law, such as tax reporting, legal holds, and law enforcement requests. We process information to the minimum extent required by law.

Legitimate Interest is the basis for processing necessary to operate the Allybi Service and protect our legitimate interests, such as fraud prevention, security, and service improvement. We balance our legitimate interests against user privacy rights.

Vital Interests is the basis for processing necessary to protect vital interests of users or other persons, such as emergency situations.

8.2 Data Subject Rights Under GDPR

For users in the European Union or other jurisdictions where GDPR applies, we respect the following data subject rights:

Right to Access allows data subjects to request access to their personal information. We provide copies of personal information in commonly used electronic formats.

Right to Rectification allows data subjects to correct inaccurate or incomplete personal information. We correct information as requested.

Right to Erasure allows data subjects to request deletion of their personal information in certain circumstances. We delete information as requested, subject to legal retention requirements.

Right to Restrict Processing allows data subjects to request that we limit our processing of their information. We restrict processing as requested and notify third parties of restriction requests.

Right to Data Portability allows data subjects to obtain their personal information in a commonly used format and transfer it to other services.

Right to Object allows data subjects to object to certain types of processing, such as marketing or profiling. We respect objections and cease processing for objected-to purposes.

Rights Related to Automated Decision-Making allow data subjects to request human review of automated decisions that produce legal or similarly significant effects. We provide mechanisms for human review of automated decisions.

8.3 Data Subject Rights Under CCPA

For users in California or other jurisdictions where CCPA applies, we respect the following consumer rights:

Right to Know allows consumers to request information about personal information we collect, use, and share. We provide this information in commonly used formats.

Right to Delete allows consumers to request deletion of personal information we have collected. We delete information as requested, subject to legal exceptions.

Right to Opt-Out allows consumers to opt out of the sale or sharing of their personal information. We honor opt-out requests and do not sell or share information from users who have opted out.

Right to Correct allows consumers to request correction of inaccurate personal information. We correct information as requested.

Right to Limit Use allows consumers to limit our use of personal information to purposes necessary to provide requested services or as otherwise permitted by law.

Right to Non-Discrimination means that we do not discriminate against consumers who exercise their privacy rights.

9. International Data Transfers

9.1 Transfer Mechanisms and Safeguards

The Allybi Service operates globally and may transfer personal information between jurisdictions. We implement appropriate safeguards for international data transfers.

Standard Contractual Clauses are used for transfers of personal information from the European Union to countries that do not have an adequacy decision. These contractual clauses are approved by the European Commission and provide appropriate safeguards for data protection.

Binding Corporate Rules establish consistent data protection standards across Allybi entities and ensure appropriate protection of personal information regardless of which entity processes it.

We also conduct transfer impact assessments where appropriate and ensure subprocessors have appropriate contractual controls.

Adequacy Decisions are relied upon where applicable for transfers to countries that have received adequacy decisions from the European Commission or equivalent regulatory bodies.

9.2 Data Localization and Regional Compliance

We recognize that different jurisdictions have varying requirements for data processing and storage. We implement data localization measures where required by law.

European Union Data Processing complies with GDPR requirements including lawful basis determination, data subject rights, privacy impact assessments, privacy by design, and appropriate transfer mechanisms.

California Data Processing complies with CCPA requirements including consumer rights, opt-out mechanisms, and non-discrimination protections.

Brazil Data Processing complies with LGPD requirements including lawful basis, data subject rights, and appropriate safeguards.

Canada Data Processing complies with PIPEDA requirements including lawful basis, individual rights, and appropriate safeguards.

9.3 Cross-Border Data Protection

Our international data transfer practices maintain consistent privacy protection regardless of where personal information is processed. We implement uniform security standards, privacy controls, and access restrictions across all jurisdictions where we operate.

10. Incident Response and Management

10.1 Incident Detection and Classification

The Allybi Service maintains comprehensive procedures for detecting and responding to security incidents and data breaches.

Incident Detection includes continuous monitoring of systems and networks for signs of security incidents. Detection methods include intrusion detection systems, security monitoring tools, user reports, and third-party notifications.

Incident Classification categorizes incidents by severity, type, and potential impact. Classification determines the urgency of response and the resources allocated to incident handling.

Severity Levels include Critical (immediate threat to system availability or data security), High (significant security impact), Medium (moderate security impact), and Low (minimal security impact).

Incident Types include unauthorized access, data breaches, malware infections, denial of service attacks, configuration errors, and other security events.

10.2 Incident Response Procedures

Our incident response procedures ensure rapid and effective response to security incidents.

Incident Reporting establishes procedures for reporting security incidents to appropriate personnel. Any employee who discovers or suspects a security incident must report it immediately to the security team.

Incident Investigation includes analysis of incident scope, cause, and impact. Investigation procedures include preservation of evidence, analysis of logs and system state, and determination of what information was affected.

Incident Containment includes steps to stop ongoing attacks, prevent further damage, and isolate affected systems. Containment procedures may include disconnecting systems from networks, disabling compromised accounts, or other measures to prevent further compromise.

Incident Eradication includes removing the cause of the incident to prevent recurrence. Eradication procedures may include patching vulnerabilities, removing malware, or changing compromised credentials.

Incident Recovery includes restoring systems and data to normal operation. Recovery procedures may include restoring from backups, rebuilding systems, or other measures to restore functionality.

10.3 Breach Notification

The Allybi Service maintains procedures for notifying affected individuals and regulatory authorities of data breaches as required by applicable law.

Breach Assessment determines whether an incident constitutes a breach of personal data that requires notification. Breaches are incidents where personal information has been accessed, disclosed, or modified without authorization.

Notification Timing complies with applicable legal requirements. We notify affected users and regulators as required by applicable law. For example, GDPR supervisory authority notice may be required within 72 hours after becoming aware of a reportable personal data breach. Other laws may use different timing standards.

Notification Content includes information about the breach, affected information, steps individuals should take to protect themselves, and contact information for questions.

Regulatory Notification includes notification to regulatory authorities as required by applicable law. GDPR requires notification to data protection authorities. CCPA requires notification to California Attorney General in certain circumstances.

User Notification includes notification to affected users through email, account notifications, or other appropriate channels.

10.4 Emergency Security Contacts

For urgent security matters requiring immediate attention, including suspected security breaches or active security threats, users and security researchers should contact us immediately:

Email: info@allybi.co
Subject Line: “URGENT SECURITY”

We monitor our security communications continuously and respond to urgent security matters as quickly as possible. Please clearly indicate the urgent nature of your communication to ensure rapid response.

11. Business Continuity and Disaster Recovery

11.1 Business Continuity Planning

The Allybi Service maintains comprehensive business continuity plans to ensure that critical services remain available during disruptions.

Continuity Objectives establish targets for recovery time and recovery point objectives for critical services. These objectives ensure that services are restored quickly and that data loss is minimized.

Continuity Procedures establish procedures for maintaining critical services during disruptions. Procedures include identification of critical functions, backup procedures, and alternative processing arrangements.

Continuity Testing includes regular testing of continuity procedures to ensure they are effective. Testing includes full-scale exercises, tabletop exercises, and component testing.

11.2 Disaster Recovery

The Allybi Service maintains disaster recovery procedures to restore systems and data after disasters.

Backup Procedures include regular backups of critical data and systems. Backups are stored in geographically distributed locations to protect against regional disasters.

Backup Testing includes regular testing of backups to ensure they can be restored successfully. Testing includes verification of backup integrity and restoration procedures.

Recovery Procedures establish procedures for restoring systems and data after disasters. Recovery procedures include prioritization of critical systems, restoration from backups, and verification of restored systems.

Recovery Time Objectives establish targets for how quickly systems should be restored after disasters. Recovery time objectives are established for different categories of systems based on their criticality.

12. Third-Party Risk Management

12.1 Third-Party Assessment

The Allybi Service assesses the security and privacy practices of third-party service providers before engaging them.

Security Assessment includes evaluation of third-party security controls, certifications, audit results, and security practices. Assessments verify that third parties maintain appropriate security standards.

Privacy Assessment includes evaluation of third-party privacy practices, data handling procedures, and compliance with applicable privacy laws.

Contractual Requirements establish security and privacy requirements in contracts with third parties. Contracts require third parties to implement appropriate security controls, maintain confidentiality, comply with privacy laws, and notify us of security incidents.

12.2 Third-Party Monitoring

The Allybi Service monitors third-party compliance with security and privacy requirements.

Ongoing Monitoring includes regular review of third-party security practices, review of audit reports, and assessment of any security incidents involving third parties.

Incident Notification requires third parties to notify us promptly of any security incidents that may affect information we have shared with them.

Access Controls limit third-party access to information to the minimum necessary for legitimate purposes. Access is regularly reviewed and revoked when no longer needed.

12.3 Third-Party Termination

When relationships with third parties end, we ensure that information is appropriately handled.

Data Return and Deletion requires third parties to return or delete information we have shared with them. We verify that deletion is complete.

Access Revocation ensures that third-party access to our systems and information is promptly revoked.

Transition Planning ensures that services are transitioned to alternative providers without disruption or data loss.

13. Compliance and Audit

13.1 Internal Audits

The Allybi Service conducts regular internal audits to assess compliance with security and privacy policies and applicable laws.

Audit Planning includes identification of areas to be audited, development of audit procedures, and allocation of audit resources.

Audit Execution includes assessment of compliance with policies, evaluation of control effectiveness, and identification of gaps or deficiencies.

Audit Reporting includes comprehensive documentation of audit findings, recommendations for improvement, and responses to audit recommendations.

13.2 Third-Party Audits and Certifications

The Allybi Service engages third-party auditors to provide independent assessment of our security and privacy practices.

SOC 2 Audits include independent audits of our security controls and operational procedures. SOC 2 reports provide assurance to users and partners about our security practices.

ISO 27001 Certification demonstrates our compliance with international information security standards. ISO 27001 certification includes regular audits and assessments.

Penetration Testing includes authorized testing of our systems by qualified security professionals to identify vulnerabilities and assess the effectiveness of security controls.

Vulnerability Assessments include regular scanning of systems for known vulnerabilities. Identified vulnerabilities are prioritized and remediated based on severity.

13.3 Assessment Reporting and Improvement

Assessment results are used to guide ongoing improvements to our security and privacy programs.

Assessment Reporting includes comprehensive documentation of assessment findings, recommendations for improvement, and our responses to assessment recommendations.

Continuous Improvement includes systematic procedures for continuous improvement based on assessment findings, regulatory changes, industry best practices, and evolving user needs and expectations.

Performance Metrics include key indicators that help measure the effectiveness of our security and privacy programs and identify trends that may indicate areas for improvement.

Benchmarking includes comparison of our practices with industry standards, peer organizations, and best practice frameworks to identify opportunities for improvement and ensure that our practices remain current with industry developments.

Innovation and Enhancement includes ongoing efforts to improve our security and privacy practices through adoption of new technologies, implementation of enhanced procedures, and development of innovative approaches to privacy and security protection.

Stakeholder Feedback includes input from users, regulators, auditors, and other stakeholders about our security and privacy practices and suggestions for improvement. We actively seek feedback and incorporate relevant suggestions into our ongoing improvement efforts.

14. Training and Awareness

14.1 Security Awareness Program

The Allybi Service maintains a comprehensive security awareness program that ensures all personnel understand their roles and responsibilities in protecting user information and maintaining the security of our systems and operations.

Security Training Curriculum includes comprehensive coverage of security topics relevant to different roles and responsibilities within our organization. Our training includes general security awareness for all personnel as well as specialized training for personnel with specific security responsibilities.

Training Delivery Methods include multiple formats and approaches to ensure that training is accessible and effective for all personnel. Our training methods include online courses, in-person sessions, workshops, simulations, and other approaches that accommodate different learning styles and schedules.

Training Frequency and Updates ensure that personnel receive regular refresher training and that training content remains current with evolving threats, changing regulations, and new technologies. Our training program includes both scheduled regular training and event-driven training for new threats or incidents.

Training Effectiveness Measurement includes assessment of training outcomes, evaluation of knowledge retention, and monitoring of security behavior to ensure that training is achieving its intended objectives. We use training metrics to identify areas for improvement and to demonstrate the effectiveness of our training program.

14.2 Privacy Training Program

The Allybi Service maintains a privacy training program that ensures all personnel understand privacy requirements, user rights, and their responsibilities for protecting personal information processed through the Allybi Service.

Privacy Law Education includes training on applicable privacy laws and regulations, including GDPR, CCPA, and other relevant requirements that may affect our operations. Our privacy training helps personnel understand their obligations under these laws and how to fulfill them effectively.

Data Handling Procedures Training includes specific guidance on how to handle personal information appropriately, including collection, processing, storage, sharing, and disposal procedures. Our training ensures that personnel understand how to handle personal information in compliance with our policies and applicable laws.

User Rights Training includes education about user privacy rights and how to respond to user requests for access, correction, deletion, and other privacy rights. Our training ensures that personnel can effectively assist users in exercising their privacy rights.

Incident Response Training includes specific guidance on how to recognize and respond to privacy incidents, including data breaches, unauthorized access, and other events that may affect personal information. Our training ensures that personnel know how to respond appropriately to privacy incidents.

14.3 Role-Specific Training

The Allybi Service provides specialized training for personnel with specific security and privacy responsibilities to ensure they have the knowledge and skills necessary to fulfill their roles effectively.

Technical Security Training includes specialized education for personnel responsible for implementing and maintaining security controls, including system administrators, developers, and security specialists. This training covers technical security topics relevant to their specific responsibilities.

Privacy Officer Training includes specialized education for personnel responsible for privacy compliance, including privacy officers, legal staff, and compliance personnel. This training covers advanced privacy topics and regulatory requirements relevant to their roles.

Management Training includes education for managers and supervisors about their responsibilities for security and privacy oversight, including how to support their teams in meeting security and privacy requirements and how to escalate issues appropriately.

Customer-Facing Training includes specialized education for personnel who interact with users about security and privacy topics, including customer support staff and sales personnel. This training ensures that customer-facing personnel can accurately represent our security and privacy practices and assist users with security and privacy questions.

14.4 Security Culture Development

The Allybi Service promotes an organizational culture that values security and privacy protection and encourages all personnel to contribute to our security and privacy objectives.

Security Communication includes regular updates about security topics, threat intelligence, best practices, and other information that helps personnel stay informed about security and privacy matters. Our communication includes newsletters, briefings, and other formats that keep security and privacy topics visible and relevant.

Recognition and Incentive Programs acknowledge personnel who contribute to security and privacy protection through their actions, suggestions, or other contributions. Our recognition programs help reinforce the importance of security and privacy and encourage continued engagement.

Security Participation Opportunities include ways for personnel to contribute to security and privacy initiatives, such as security committees, incident response teams, and improvement projects. These opportunities help build security expertise throughout our organization and encourage broad participation in security and privacy protection.

Feedback and Suggestion Mechanisms enable personnel to provide input about security and privacy practices, report potential issues, and suggest improvements. We actively encourage feedback and use personnel suggestions to improve our security and privacy programs.

15. Policy Management and Updates

15.1 Policy Governance Framework

Our policy governance framework ensures that this Security and Privacy Policy and related policies remain current, accurate, and effective in protecting user information and meeting our security and privacy objectives.

Policy Ownership includes clear assignment of responsibility for policy development, maintenance, and implementation to ensure that policies receive appropriate attention and expertise. Our policy ownership structure includes both technical and legal expertise to ensure comprehensive coverage of security and privacy requirements.

Review and Update Procedures include regular assessment of policy effectiveness, evaluation of changes in legal requirements, and incorporation of lessons learned from incidents and assessments. Our review procedures ensure that policies remain current with evolving threats, changing regulations, and new business requirements.

Approval Processes ensure that policy changes receive appropriate review and authorization before implementation. Our approval processes include technical review, legal review, and executive approval to ensure that policy changes are appropriate and effective.

Communication and Training Procedures ensure that policy changes are effectively communicated to relevant personnel and that necessary training is provided to support policy implementation. Our communication procedures include multiple channels and formats to ensure that policy changes reach all relevant stakeholders.

15.2 Change Management

Our change management procedures ensure that modifications to our security and privacy practices are implemented effectively while maintaining appropriate protection for user information and service availability.

Change Assessment includes evaluation of proposed changes to determine their potential impact on security, privacy, compliance, and service delivery. Our assessment procedures help ensure that changes are implemented safely and that any risks are appropriately addressed.

Testing and Validation Procedures ensure that changes are thoroughly tested before implementation and that they achieve their intended objectives without creating new risks or issues. Our testing procedures include both technical testing and process validation to ensure comprehensive coverage.

Implementation Planning includes detailed procedures for deploying changes in a controlled manner that minimizes risks and ensures that rollback procedures are available if issues arise. Our implementation procedures include coordination across different teams and systems to ensure smooth deployment.

Monitoring and Evaluation Procedures ensure that implemented changes are working as intended and that any issues are promptly identified and addressed. Our monitoring includes both technical monitoring and process evaluation to ensure comprehensive oversight of change implementation.

15.3 Version Control and Documentation

Our documentation management procedures ensure that policy versions are properly controlled and that historical information is maintained for compliance and audit purposes.

Version Control Systems maintain comprehensive records of policy changes, including what changes were made, when they were made, who made them, and why they were made. Our version control systems ensure that we can track policy evolution and demonstrate compliance with documentation requirements.

Document Retention Procedures ensure that policy documents and related records are retained for appropriate periods and are available for compliance, audit, and legal purposes. Our retention procedures balance the need for historical information with storage and privacy considerations.

Access Controls ensure that policy documents are available to personnel who need them while protecting sensitive information from unauthorized access. Our access controls include both technical measures and procedural controls to ensure appropriate document security.

Backup and Recovery Procedures ensure that policy documents and related records are protected against loss and can be recovered if needed. Our backup procedures include both technical backups and procedural safeguards to ensure document availability.

15.4 Stakeholder Communication

Our stakeholder communication procedures ensure that relevant parties are informed about policy changes and their implications for security, privacy, and service delivery.

User Communication includes notification of policy changes that may affect users and provision of clear information about what changes mean for user privacy and security. Our user communication procedures include multiple channels and formats to ensure that users receive timely, accurate information about policy changes.

Regulatory Communication includes notification of policy changes to regulatory authorities when required and provision of information about our compliance practices when requested. Our regulatory communication procedures ensure that we meet our obligations for transparency and cooperation with regulatory authorities.

Partner and Vendor Communication includes notification of policy changes that may affect third-party relationships and coordination of any necessary changes to contractual arrangements or operational procedures. Our partner communication procedures ensure that third-party relationships remain aligned with our security and privacy requirements.

Internal Communication includes notification of policy changes to all relevant personnel and provision of necessary training and support to ensure effective implementation. Our internal communication procedures ensure that policy changes are understood and implemented consistently throughout our organization.

16. Contact Information

16.1 Security and Privacy Contacts

For questions, concerns, or requests related to this Security and Privacy Policy, our security practices, or your privacy rights, please contact us using the information provided below. We are committed to responding to your inquiries promptly and providing the assistance you need to understand our practices and exercise your rights.

Email: info@allybi.co
Company: Camasmie Gillet Inc.
Jurisdiction: Delaware, United States

16.2 Response Procedures and Timelines

We strive to respond to security and privacy inquiries within 5 business days for general questions and within the timeframes required by applicable law for formal privacy rights requests (typically 30 days). For urgent security concerns, such as suspected security incidents or immediate assistance with account security, please clearly indicate the urgent nature of your request in your communication.

When contacting us about security or privacy matters, please include as much relevant information as possible to help us respond effectively to your inquiry. This may include your account email address (if you have an Allybi account), specific details about the security or privacy issue you’re experiencing, and clear information about what assistance you need.

16.3 Regulatory Authority Information

If you have concerns about our privacy practices that cannot be resolved through direct communication with us, you may have the right to lodge a complaint with relevant privacy regulatory authorities in your jurisdiction. Some key regulatory authorities include:

• European Union: Your local Data Protection Authority or the European Data Protection Board
• United States: Federal Trade Commission or your state’s Attorney General
• Canada: Office of the Privacy Commissioner of Canada
• Other Jurisdictions: Your local privacy or data protection authority

16.4 Emergency Security Contacts

For urgent security matters that require immediate attention, such as suspected security breaches or active security threats, please contact us immediately at:

Email: info@allybi.co
Subject Line: “URGENT SECURITY”

We monitor our security communications continuously and will respond to urgent security matters as quickly as possible.

Effective Date: April 30, 2026
Last Updated: April 30, 2026
Version: 2.0

This Security and Privacy Policy represents our comprehensive commitment to protecting your information and maintaining the highest standards of security and privacy protection. We are dedicated to transparency, user control, and continuous improvement in all aspects of our security and privacy practices.