Data Security Policy
1.1 The following describes Relevance AI’s Data Security Policy. This policy may be updated from time to time, however, terms effective at the time of signing a Proposal will apply throughout the duration of the applicable Term.
1.2 Defined terms provided under clause 1 of the Relevance AI SaaS Terms and Conditions shall apply to this policy.
2 Organisational Access Control
2.1 Relevance AI employees are required to comply with the company’s policies and procedures. These policies include:
- (a) an obligation to not disclose proprietary or confidential information (including Subscriber-related information) to unauthorised parties; and
- (b) an obligation to report any known security incidents to the company’s management for investigation and action.
2.2 Relevance AI employees do not have direct access to Subscriber Data, except where necessary on a need-to-know basis to undertake:
- (a) Technical support;
- (b) system management, maintenance, backups; and
- (c) other actions authorised by the Subscriber in writing.
2.3 Criminal background checks are performed for employees with access to Subscriber Data as part of the hiring process.
2.4 Relevance AI trains its employees on the importance of information security and the Company’s approach to maintenance of information security. This training is conducted at the commencement of the employment and at regular intervals after commencement.
2.5 Relevance AI may engage Enrichment Providers to perform some of its obligations the terms and conditions. Enrichment Providers will only access and use Subscriber Data in a manner consistent with the terms and conditions and this policy.
2.6 At the written request of a Subscriber, Relevance AI will provide additional information regarding its Enrichment Providers and their locations. The Subscriber may send such requests to Relevance AI’s Data Privacy Officer at firstname.lastname@example.org.
Note: As part of providing the Platform, Relevance AI or its Enrichment Providers may transfer, store and process the Subscriber Data in other countries in which Relevance AI and its Enrichment Providers maintain facilities.
3 Cloud Infrastructure
3.1 Relevance AI engages a cloud infrastructure provider (IaaS Provider) to host data in data centre facilities.
3.2 An IaaS Provider will:
- (a) only allow its staff to access information relating to or data or a Subscriber for the period of time in which a legitimate business need for such privileges exists;
- (b) only allow its staff to access the cloud infrastructure under its control for the period of time in which a legitimate business need for such privileges exists;
- (c) log and audit all physical access to its data centre facilities;
- (d) Notify Relevance AI of the location of the data centres facilities (which may be located in various global regions);
- (e) monitor electrical, mechanical, and life support systems and equipment at its data centre facilities to ensure any issues are immediately identified; and
- (f) perform preventative maintenance to maintain the continued operability of the electrical, mechanical, and life support systems and equipment at its data centre facilities.
3.3 All data centre facilities used by a IaaS Provider:
- (a) are online and serving customers i.e., no data centre facility is “cold”;
- (b) in the event of failure, have automated processes to move Subscriber Data traffic away from the affected area;
- (c) have backup power and environmental protection systems, which are regularly maintained and tested;
- (d) have automatic fire detection and suppression equipment that has been installed to reduce risk and damage to data centre environments;
- (e) have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility;
- (f) have electrical power systems designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week; and
- (g) are conditioned to maintain systems, monitor and control temperature and humidity at appropriate levels.
4 Technical Security Measures
4.1 The Platform will include reasonably up-to-date versions of system security agent software which will include reasonably current and tested malware protection, patches and anti-virus protection.
4.2 Relevance AI will create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver the recovery time objective (RTO) and recovery point objective (RPO), as outlined in its Service Level Policy.
4.3 Unless otherwise agreed by Relevance AI in writing, Subscriber are prohibited from performing their own penetration testing on any system of Relevance AI.
4.4 Relevance AI ensures that database infrastructure is segregated from the application servers and the internet via firewalls.
4.5 All communications are encrypted between the data exporter and the data centres using high-grade encryption (AES-256).
4.6 Access to Relevance AI’s on-demand applications and services is only available:
- (a) through secure sessions (https); and
- (b) with an authenticated login and password.
4.7 Passwords for Relevance AI’s on-demand applications and services are never transmitted or stored in their original form.
4.8 Relevance AI’s application infrastructure is protected against intrusion by industry standard firewalls at the network, host, and application levels.
4.9 Several IaaS Provider instances are hosted on the same physical machine and are isolated from each other through a hypervisor layer.
4.10 IaaS Provider infrastructure has no access to raw disk devices, but instead are presented with virtualised disks.
5.1 The Platform may allow third party services interoperating with it to access, use, or otherwise process and transmit Subscriber Data.
5.2 This Data Security Policy does not apply to any processing, storage, or transmission of data outside the Platform.
5.3 Relevance AI is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of Subscriber.
5.4 The Data Security Policy excludes:
- (a) data or information shared with Relevance AI that is not stored in the Platform; and
- (b) data in a Subscriber’s virtual private network (VPN) or a third party network other than one that is under a contract with Relevance AI to assist Relevance AI in fulfilling its obligations to that Subscriber.
5.5 Relevance AI excludes liability for any data used, processed, stored or transmitted by a Subscriber or other third parties in violation of these terms and conditions.