Executive Summary

Afi is deployed as a distributed container-based application in Google Cloud with no on-premise components. You can select the backup storage region when you sign up. We are subject to SOC 2 Type II independent audit and are compliant with major security and privacy standards, including GDPR, Privacy Shield, HIPPA.

Hosting & Deployment

Afi is hosted as a distributed container-based application in Google Cloud Platform (GCP) in the USA, Canada, the EU, the United Kingdom and Australia. These Google facilities hold all major security and data privacy accreditations, including SOC1 – SSAE-16, SOC2, PCI DSS Level 1, ISO 27001, HIPAA, FIPS 140-2.

Users can select the data storage location when they initially sign up in the Afi application. The available locations are:

• Google datacenter us-central1 (Council Bluffs, Iowa, USA)
• Google datacenter eu-west2 (London, England)
• Google datacenter eu-west4 (Eemshaven, Netherlands)
• Google datacenter northamerica-northeast1 (Montreal, Canada)
• Google datacenter australia-southeast1 (Sydney, Australia)

The physical access to the servers in the datacenters is restricted to authorized Google and Amazon personnel. Afi employees have no physical access to the servers. We don't host any on-premise infrastructure and we require two-factor authentication for all employees that work with internal systems (code repositories, build systems, cloud providers). We apply the “least privilege” model meaning we assign access to employees based on the absolute least access someone needs to be able to perform their duties.

Storage & Encryption

All customer data is always encrypted, in transit and at rest. We use TLS 1.3 protocol for all control communications, including data transfer between Afi components, to ensure all traffic is encrypted. For data at rest, we use AES 256-bit, one of the most secure encryption protocols.

In addition to Afi-managed data encryption customers can use their own encryption keys (BYOK) for data at rest. Presently Afi supports Google KMS, AWS KMS and Microsoft Azure KMS.

Afi Platform Security Features

Afi encourages its customers to configure and use security features that are made available as part of the Afi platform. In addition to customer-managed encryption keys (BYOK), the security features include:

• Custom admin and support roles that enable to limit access to backup data based on the user Azure AD group / OU membership, geographical location and data types
• Immutable audit log that captures all configuration, data access and recovery operations in Afi services
• Major access and identity provider systems (Okta SAML, Microsoft or Google) are used to manage access to Afi services. The identity providers support advanced access control features including MFA enforcement and IP filtering.

Backup & Resiliency

Afi services are deployed using Kubernetes Engine. High availability and disaster recovery is built-in into Afi's architecture. In case of a component failure, the platform launches additional container instances and redirects the load.

Afi’s backup policies and procedures outline the critical resources, including the databases, that are backed-up automatically to enable recovery needed to meet our SLAs. All production data is being replicated automatically to a separate infrastructure. Afi tests its data recovery plan continuously.

Sub-processors

We limit the extend of data sharing with our sub-processors to the degree that is minimally necessary to provide our service and make sure that all the technology providers that we use:

• pass regular security reviews and audits;
• comply with data protection and privacy regulations (SOC 2 and/or ISO 27001);
• have good reputation (publicly listed or private companies with reputable backers).

We encrypt (see Encryption & Access Control) all customer data stored in our infrastructure providers' (GCP and AWS) datacenters in transit and at rest. We share only limited information with Stripe, necessary to manage subscriptions, invoice and process payments (including customers' billing addresses, contact details and bank account details). We use customer relations management software, HubSpot and Zendesk, to automate the communication with customers and to store customer contacts in their systems.

Sub-processor	Description	HQ Location
Alphabet Inc.	Google Cloud Platform (GCP) is a cloud computing service. GCP is compliant with SOC 1/2/3, ISO/IEC 27001, PCI DSS and other major security regulations. Afi uses GCP to host its container-based distributed application using Google Kubernetes engine, as well as to store the backup data using encrypted geo-redundant cloud storage.	Mountain View, CA
Amazon.com, Inc.	Amazon Web Services (AWS) is a subsidiary of Amazon providing an on-demand cloud computing service. AWS is compliant with SOC 1/2/3, ISO/IEC 27001, PCI DSS and other major security regulations. We use Amazon Elastic Kubernetes Service to host our application, and store the backup data using encrypted geo-redundant cloud storage.	Seattle, WA
HubSpot, Inc.	HubSpot provides tools for customer relationship management (CRM), support, sales and marketing automation. It has TRUSTe certification for Enterprise Privacy, it is SOC 2/3 compliant and its IT systems are audited as part of the Sarbanes Oxley compliance. Afi uses HubSpot CRM to manage and automate the sales and support processes.	Cambridge, MA
Mailgun Technologies, Inc.	Mailgun cloud email system helps deliver automated email communications. If you enable email notifications and/or configure backup alerts in Afi web application, we will use Mailgun system to send you email messages. Mailgun has SOC 2 and ISO 27001 certifications. Customer information transferred to Mailgun is strictly limited to the service email message contents and the email addresses they are sent to.	San Antonio, TX
Sentry (Functional Software, Inc.)	Sentry is an application performance and error tracking system. Afi Customers have the option to opt in to send anonymous error reports, helping us diagnose and resolve technical issues faster. The option is disabled by default and no information is sent or collected unless you agree to opt in.	San Francisco, CA
Stripe, Inc.	Stripe offers payment processing and anti-fraud tools which Afi uses to accept payments from customers, manage subscriptions, and keep its tax and financial records. Stripe has SOC 1 and SOC 2 Type II certifications, and it is certified as a PCI Level 1 Service Provider, which is the most stringent level of certification available in the payments industry.	San Francisco, CA
Zendesk, Inc.	Zendesk is a cloud helpdesk software provider. It is compliant with SOC 2/3, ISO 27001. Afi uses Zendesk to accept customer support tickets, manage and automate the technical support services.	San Francisco, CA

Compliance

Afi complies with major industry regulations and is independently audited as part of the SOC 2 compliance. Reach out at privacy@afi.ai if you need more details or if you have questions about a country- or industry- specific regulation that is not reviewed in this section.

SOC 2 Type II Certification

Service organization control (SOC) 2 is a framework that requires service providers like Afi to establish and follow strict information security policies and procedures, encompassing the security, availability, processing, integrity, and confidentiality of customer data.

Afi is SOC 2 Type II compliant. Our auditor is IS Partners, LLC.

SOC 2 is specifically focused on detailed information and assurance about the security, availability, and processing integrity of the systems (unlike SOC 1 that focuses on controls related to clients’ financial reporting). A type II report details how security controls are implemented over a period of time (unlike type I report that reviews them based on a specified point in time).

Penetration Testing and Secure Code Review

We perform regular penetration testing and security reviews, engaging the leading security firms including Cobalt Labs, SecureIT, Red Team and Qualys. We also undergo independent code and encryption key management system reviews covering all Afi source code and data encryption infrastructure. Afi stands as one of the few SaaS vendors that have made the investments necessary to complete a comprehensive third-party code analysis, and we believe the project reflects our commitment to security.

Cloud Security Alliance

Cloud Security Alliance (CSA) operates the most popular cloud security provider certification program, the CSA Security, Trust & Assurance Registry (STAR), helping ensure a secure cloud computing environment.

Afi follows the CSA STAR principles and is included in the CSA STAR registry.

GDPR

The General Data Protection Regulation (GDPR) regulates data protection in the European Union (EU) and the European Economic Area (EEA). Afi is compliant with GDPR. Its major requirements and Afi features that help to address them include:

• Storing and processing data within EU. Afi enables customers to select where their data is stored by specifically setting the predefined destinations.
• Right to erasure. Afi will remove data from the system in a timely manner upon request.
• Security. All the customer data in transit and at rest is encrypted. Afi follows Secure Software Development Cycle and is independently audited as part of SOC 2 Type II certification.
• Records of processing activities. Afi audit log provides visibility on all actions performed in the system and enables customers to retrieve these logs when required.
• We have a Data Protection Officer who can be reached at privacy@afi.ai.

The Data Privacy Framework (DPF) Program

The Data Privacy Framework (DPF) Program, developed by the US and the European Commission, replaces the Privacy Shield Program. It provides a mechanism for companies to transfer personal data from the EU to the United States in a way that is privacy-protective and consistent with EU law.

Afi complies with the EU-U.S. Data Privacy Framework and the Swiss-U.S. Data Privacy Framework under the Data Privacy Framework Program. To review our certification, please visit the https://www.dataprivacyframework.gov/.

Afi's Data Processing Addendum (see the Documents section) includes the Standard Contractual Clauses ("SCCs") that the EU Court of Justice has validated as a mechanism for international transfers of personal data. We will enter into the DPA if you use Afi to back up personal data of EU residents.

HIPAA

Afi complies with the HIPAA regulations. For customers that process Protected Health Information (PHI) and Personally Identifiable Information (PII) we will sign a Business Associate Agreement (please see the form below).

UK regulations

The NHS Data Security and Protection Toolkit (DSPT) is a tool designed to evaluate compliance across ten data security standards and help organizations measure and demonstrate their compliance with data security standards set by the National Data Guardian. Afi is certified with the NHS DSPT, to reveiw the certification please visit https://www.dsptoolkit.nhs.uk/.

Cyber Essentials is a set of technical controls developed by UK-government and the Information Security Forum. The framework helps organizations protect against cyber threats. Afi earned Cyber Essentials certification through a self-assessment of our systems, and the assessment was verified independently.

NCSC Cloud Security Guidelines is a framework that helps organizations evaluate the security of cloud services before adopting them. Afi services meet the 14 Cloud Security Principles included in the framework, and our compliance with them is independenty tested as part of SOC 2 annual audit.

Canadian regulations

The Personal Information Protection and Electronic Documents Act (PIPEDA) governs how organizations work with personal information. It gives individuals the right to access and request correction of the personal information these organisations collected. Afi is compliant with PIPEDA requirements and uses appropriate security measures to protect personal information.

Personal Health Information Protection Act (PHIPA) establishes principles for collection, use, and disclosure of personal health information (PHI). Afi complies with PHIPA and uses adequate security and privacy practices to protect PHI.

Transparency Report

As of December 31, 2024, Afi has not received any law enforcement or government information requests. Afi has not built backdoors for any government into our services.

The following summary covers the 2024 calendar year:

Category of Request	Total Requests		Challenged, No Data Disclosed	Completed, Data Disclosed
U.S. Requests
Court Orders	0		0	0
National Security Requests	0		0	0
Search Warrants	0		0	0
Subpoenas	0		0	0
Non-U.S. Requests
All Non-U.S. Countries	0		0	0

The transparency report is refreshed annually no later than in April, providing data for the previous calendar year.

Documents

Document		Description
	Privacy Policy	Contact us at privacy@afi.ai if you have questions about the policy
	Terms of Use	Reach out at sales@afi.ai if you have questions regarding ToS and MSA
	CSR Statement	Our Corporate Social Responsibility statement
	Data Processing Addendum	The DPA includes the European Commission’s standard contractual clauses
	Mutual NDA	The NDA may be required to start trial or get additional security information.
	Business Associate Agreement	We'll enter into the BAA if you're subject to HIPAA regulations