Our goal is to build a long-term resilient and secure cloud data management service, one that our customers can rely on over the next 100 years and beyond. To achieve this durability we prioritize investments in product development over aggressive marketing, and focus on sustainable long-term growth.
In our view, the data protection market offers very few options for organizations seeking resilient and dependable backup, as too many vendors pursue short-sighted growth driven by sales and marketing spending, while underinvesting in their technology and maintaining unsustainable pricing. As a result, thousands of customers are locked into multi-year contracts with legacy backup providers, experiencing data losses due to outdated technology, vulnerable infrastructure, and deficient customer service focused on acquiring new business rather than serving existing users.
We deliver value to our customers and partners by building secure and reliable technology, offering transparent terms, and focusing on sustainable long-term growth. The following summary outlines the key elements of our vision.
Sincerely,
Tim Miller, CEO
Daniel Roman, COO
Long-Term Focus
We prioritize our long-term vision in every major product, financial and business decision. If there is a choice that could improve our short-term metrics, but such choice comes at a cost to the reliability or security of our service in the long-run, we always decide against it.
Product Development Over Aggressive Marketing
We prioritize investments in product development over aggressive sales and marketing spending. We strongly believe that resources invested in improving our technology yield greater long-term value than many conventional marketing activities.
Specifically, we don’t engage in most forms of email marketing (e.g. 'email blasts'), buyer intent tracking, buying customer lists, or cold calling. There aren't any sports teams bearing Afi's logo, or other branding activities that come at the expense of product development. Our sponsorship programs are limited to 501(c)(3) charity contributions, and working with industry bloggers.
Instead of aggressive marketing, we focus our resources on product development and customer service. Many technologies we implement are beyond the scope of a standard SaaS backup. For example, we invested over three years to develop a search engine that doesn't compromise backup encryption (see Encryption). We also invest in many features that address customer requests but are unlikely to yield any financial return in the medium term. Some of these 'overinvestments' in technology include:
Using fast redundant cloud storage for backups. While it is more expensive than the cheapest 'cold' storage, it enables faster and more reliable data recovery, search, online preview and export.
Full coverage of cloud workloads, including MS Teams private channels and chats backup at no additional cost (some vendors charge for it, passing Microsoft's API request fees onto customers).
Complete support of small, often neglected, data types. We support backup and restore of MS Entra ID (Azure AD), Power Platform, Exchange Online Archive, SharePoint site members and permissions, and Google Document IDs.
Key Management Systems (KMS) and Identity & Access Management (IAM) support. We support all major KMS providers (Azure, AWS and GCP), as well as all major IAMs, including Okta, Microsoft, Google and SAML-based services.
Extensive API, which not only enables granular reporting, but can also be used for broad backup and management, enabling integration into corporate systems and automation of archival, retention and other workflows.
Global tenant-wide search, granular access control, extensive audit logging and dozens of other advanced capabilities.
Our commitment to research and development (R&D) over sales and marketing (S&M) is inspired by SaaS vendors with a great track record of sustainable growth, such as Atlassian. The chart below shows how our target R&D and S&M investments compare with other vendors, as we aim to manage our S&M conservatively, while prioritizing product development.
Afi's S&M Spending and R&D Investments Compared to Other Vendors
Transparency and External Validation
Another area where we invest our resources is transparency and external validation of our technology, infrastructure and processes. We believe that the growing number of high-profile software vendor failures (including SolarWinds and CrowdStrike) undermines the implicit trust in infrastructure technology, and customers increasingly choose to work with vendors that can demonstrate strong evidence of their security and reliability, rather than relying on marketing statements and sales pitches.
Afi complies with SOC 2 security standards and undergoes annual audits that include the assessment of our operating processes, cyber-threats and compliance risks. We perform regular penetration testing and security reviews, engaging the leading security firms including Mandiant (subsidiary of Google), Cobalt Labs, SecureIT, Red Team, DeepSeas and Qualys.
Beyond standard certifications and penetration tests, we undergo independent source code analysis and data encryption assessments that cover all Afi source code and production infrastructure. This makes us one of the few SaaS backup vendors that complete comprehensive third-party technology reviews.
Our SOC 3 report is available at afi.ai/compliance. The latest SOC 2 Type II report, penetration testing, secure code review, and independent assessment reports are available upon request. We also undergo reviews to validate our financial stability, and a report prepared by a credit rating company is available to our customers under an NDA.
In addition to third-party validation projects, we work with our customers to execute regular vendor diligence reviews. In 2022-2024 we completed dozens of customer-initiated audits, security, and business reviews. In each case, the extent of resources we commit to a project is determined based on the duration of our relationship with the customer and the annual contract value.
Sustainable Organic Growth
We regularly receive investment inquiries from private equity firms and debt providers. Having engaged in initial discussions with some of them, we believe that these financing options can accelerate revenue growth, but they also impose significant pressure to make short-sighted customer service, pricing and technology choices.
In our experience, even the friendliest capital providers are motivated by financial goals that are unsustainable and too short-term, and that would compromise our commitment to long-term resilience. While Afi required external capital during the initial stages of product development, we no longer need additional investments to finance future growth, and prefer not to rely on anyone other than our customers and partners for paying our bills.
Our commitment to sustainable organic growth also includes a cautious approach to mergers and acquisitions (M&A). The average backup vendor has a rather short lifespan as an independent company, with dozens of data protection companies being acquired, merged, or divested every year. While these transactions benefit investors, we believe they often disrupt business operations and leave customers with unreliable backup products (due to post-merger integration issues), poor customer service (due to cost-cutting and too much emphasis on short-term growth) or outdated technology.
Number of Acquisitions in 1977-2022 in Storage Industry Worldwide
Security-Obsessed Service
We always go with the most secure and scalable technology architecture decisions, even when such decisions entail higher costs and have a negative impact on our financial metrics. We are confident that in the long term, strong technology results in lower software maintenance and bug-fixing effort, fewer security risks and better reliability.
Encryption Beyond Standard Implementation
Afi cloud backups are hosted in Google Cloud Platform (GCP) storage, always encrypted by Google. However, we don’t just rely – as many vendors do – on the infrastructure provider’s default storage-level encryption. We implemented a multi-layer encryption and key management technology, which is independently audited and which ensures the highest level of customer data segregation and security.
Using the multi-layer encryption approach, Afi encrypts customer backup data using Tenant Encryption Keys (TEK) and Resource Encryption Keys (REK) that are unique for every customer and every resource, in addition to the GCP native encryption. The encryption assessment report prepared by an independent auditor is available upon request.
We also developed a state-of-the-art search engine that doesn't compromise security and encryption. Most vendors implement full-text search using the Elasticsearch engine, where indices are shared across multiple tenants in order to lower infrastructure costs. This means that metadata from multiple customers is encrypted by a shared key, compromising client data segregation and making BYOK encryption impossible to use. In contrast, our search engine maintains a separate index for each tenant, encrypted with a per-tenant key, and fully supports BYOK.
Beyond that, Afi is one of the few vendors that support all three major KMS providers, enabling customer-managed encryption (bring-your-own-key, or BYOK) and giving customers control over their data and encryption keys.
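The key hierarchy described above (a per-tenant TEK, a per-resource REK, and a per-tenant index key) can be illustrated with a short envelope-encryption example. This is an added example, not Afi's code: the TEK/REK names come from the text, while the KMS-held root key, the "search-index" derivation label and the cipher are assumptions. The cipher is a SHA-256 keystream with an HMAC tag so the file runs on the standard library alone; a production system would use AES-GCM and wrap the TEK with the customer's KMS key (BYOK) rather than a local root key.

```python
"""Two-level envelope encryption: root key (KMS) -> TEK per tenant -> REK per resource -> data,
plus a per-tenant search-index key derived from the TEK.

Added example, not Afi's code. The toy AEAD below (SHA-256 keystream + HMAC tag) is an
assumption standing in for AES-GCM; the KMS root key is a local stand-in for a BYOK key.
"""
import hashlib
import hmac
import secrets

KEY_LEN, NONCE_LEN, TAG_LEN = 32, 16, 32


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
    return bytes(out[:length])


def seal(key: bytes, plaintext: bytes, aad: bytes = b"") -> bytes:
    """Toy AEAD: returns nonce || ciphertext || tag; the tag binds nonce, aad and ciphertext."""
    nonce = secrets.token_bytes(NONCE_LEN)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_(key: bytes, blob: bytes, aad: bytes = b"") -> bytes:
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + aad + ct, hashlib.sha256).digest()):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


class KeyHierarchy:
    def __init__(self, kms_root_key: bytes):
        self.kms_root_key = kms_root_key          # stand-in for a KMS-held, customer-managed key
        self.wrapped_teks: dict[str, bytes] = {}  # only wrapped TEKs are ever stored

    def provision_tenant(self, tenant_id: str) -> None:
        tek = secrets.token_bytes(KEY_LEN)
        # tenant id as AAD: a wrapped TEK cannot be re-labelled as another tenant's
        self.wrapped_teks[tenant_id] = seal(self.kms_root_key, tek, aad=tenant_id.encode())

    def _tek(self, tenant_id: str) -> bytes:
        return open_(self.kms_root_key, self.wrapped_teks[tenant_id], aad=tenant_id.encode())

    def encrypt_resource(self, tenant_id: str, resource_id: str, data: bytes):
        rek = secrets.token_bytes(KEY_LEN)  # fresh key per resource
        aad = resource_id.encode()
        return seal(self._tek(tenant_id), rek, aad=aad), seal(rek, data, aad=aad)

    def decrypt_resource(self, tenant_id: str, resource_id: str, wrapped_rek: bytes, blob: bytes) -> bytes:
        aad = resource_id.encode()
        rek = open_(self._tek(tenant_id), wrapped_rek, aad=aad)  # raises for any other tenant's TEK
        return open_(rek, blob, aad=aad)

    def index_key(self, tenant_id: str) -> bytes:
        """Search-index key derived from the TEK, so index entries never share a key across tenants."""
        return hmac.new(self._tek(tenant_id), b"search-index", hashlib.sha256).digest()


def demo() -> dict:
    kh = KeyHierarchy(secrets.token_bytes(KEY_LEN))
    kh.provision_tenant("acme")
    kh.provision_tenant("globex")
    wrapped_rek, blob = kh.encrypt_resource("acme", "mailbox/alice/msg-1", b"quarterly numbers")
    posting = seal(kh.index_key("acme"), b"invoice -> msg-1, msg-7")  # one per-tenant index posting
    results = {
        "roundtrip": kh.decrypt_resource("acme", "mailbox/alice/msg-1", wrapped_rek, blob) == b"quarterly numbers",
        "index_roundtrip": open_(kh.index_key("acme"), posting) == b"invoice -> msg-1, msg-7",
    }
    attempts = {
        "cross_tenant_rejected": lambda: kh.decrypt_resource("globex", "mailbox/alice/msg-1", wrapped_rek, blob),
        "index_isolated": lambda: open_(kh.index_key("globex"), posting),
    }
    for name, call in attempts.items():
        try:
            call()
            results[name] = False
        except ValueError:
            results[name] = True
    return results


if __name__ == "__main__":
    print(demo())
```

With BYOK, the `seal`/`open_` calls on the TEK become Encrypt/Decrypt calls against the customer's KMS key, which never leaves the KMS; revoking that key leaves every wrapped TEK, and therefore every REK and index key beneath it, undecryptable, which is the control the text describes. Note that a shared, cross-tenant search index cannot be keyed this way, since one index would need every tenant's key.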
Proactive Security Measures
In addition to the secure technology foundation, we implement strict organizational measures that exceed the requirements of major security frameworks. Specifically, we enforce MFA for all critical systems and use context-aware access controls to ensure that our internal systems can only be accessed from locations in the US, the European Union, and a limited set of countries rated Free by Freedom House.
Our support, back-office and other workflows are designed to require authorization from at least two persons to perform sensitive actions, including scheduling service downtime and maintenance, production code deployment and administrative actions such as electronic fund transfers. To minimize the risk of targeted cyberattacks, we conduct security training and encourage our key team members to refrain from publicly sharing details of their work and contact details on Facebook, LinkedIn, and other social networks. We continuously work to remove our employees' contact information from ZoomInfo and other sellers of personal data that are routinely used in phishing attacks.
We use email to verify the authenticity of all customer requests received through social networks, postal mail, or other unsecured channels. We consider all inbound customer requests non-authentic unless they are confirmed through a verified customer email where the domain matches the customer's business domain registered in our service, and has DomainKeys Identified Mail (DKIM), SPF, and DMARC mechanisms enabled.
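The policy above reduces to a checkable rule on each inbound confirmation email: the From domain must be a registered customer domain, and our own MTA must have recorded spf/dkim/dmarc passes for the message. The following is an added example of that check, not Afi's code; the tenant registry, the authserv-id `mx.afi.example` and the three messages are constructed for illustration.

```python
"""Authenticity check for customer requests confirmed by email.

Added example, not Afi's code. REGISTERED_DOMAINS, TRUSTED_AUTHSERV and the
sample messages are constructed; Authentication-Results parsing follows RFC 8601.
"""
import re
from email import message_from_string
from email.utils import parseaddr

REGISTERED_DOMAINS = {"acme-corp.example": "tenant-0042"}  # customer business domain -> tenant
TRUSTED_AUTHSERV = "mx.afi.example"                         # authserv-id stamped by our MTA

VERDICT_RE = re.compile(r"\b(spf|dkim|dmarc)=([a-z]+)", re.I)
DKIM_DOMAIN_RE = re.compile(r"header\.d=([A-Za-z0-9.-]+)")


def collect_auth_results(msg):
    """Read verdicts only from Authentication-Results headers written by our MTA.
    Anyone can add such a header before sending, so the MTA must strip inbound
    copies bearing its own authserv-id, and this parser ignores every other authserv-id."""
    verdicts, dkim_domains = {}, set()
    for hdr in msg.get_all("Authentication-Results", []):
        authserv, _, body = hdr.partition(";")
        if authserv.strip().lower() != TRUSTED_AUTHSERV:
            continue
        for mech, verdict in VERDICT_RE.findall(body):
            verdicts[mech.lower()] = verdict.lower()
        dkim_domains.update(d.lower() for d in DKIM_DOMAIN_RE.findall(body))
    return verdicts, dkim_domains


def aligned(signing_domain: str, from_domain: str) -> bool:
    # relaxed DMARC alignment, approximated as an organizational-domain suffix match
    return signing_domain == from_domain or signing_domain.endswith("." + from_domain)


def is_authentic_request(raw_message: str) -> dict:
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2].lower()
    reasons = []
    tenant = REGISTERED_DOMAINS.get(from_domain)
    if tenant is None:
        reasons.append(f"{from_domain!r} is not a registered customer domain")
    verdicts, dkim_domains = collect_auth_results(msg)
    for mech in ("spf", "dkim", "dmarc"):
        if verdicts.get(mech) != "pass":
            reasons.append(f"{mech}={verdicts.get(mech, 'missing')}")
    if not any(aligned(d, from_domain) for d in dkim_domains):
        reasons.append("no DKIM signature aligned with the From domain")
    return {"authentic": not reasons, "tenant": tenant, "reasons": reasons}


# Constructed messages: a genuine confirmation, a lookalike domain, and a forged header.
GENUINE = """\
From: Jane Doe <jane@acme-corp.example>
To: support@afi.example
Subject: Confirming the restore request filed via LinkedIn
Authentication-Results: mx.afi.example; spf=pass smtp.mailfrom=acme-corp.example; dkim=pass header.d=acme-corp.example; dmarc=pass header.from=acme-corp.example

Please restore bob's mailbox to yesterday's snapshot.
"""

LOOKALIKE = """\
From: Jane Doe <jane@acme-c0rp.example>
To: support@afi.example
Subject: Urgent: export all backups
Authentication-Results: mx.afi.example; spf=pass smtp.mailfrom=acme-c0rp.example; dkim=pass header.d=acme-c0rp.example; dmarc=pass header.from=acme-c0rp.example

Send everything to this address.
"""

FORGED_HEADER = """\
From: Jane Doe <jane@acme-corp.example>
To: support@afi.example
Subject: Delete all backups
Authentication-Results: attacker.example; spf=pass; dkim=pass header.d=acme-corp.example; dmarc=pass
Authentication-Results: mx.afi.example; spf=fail smtp.mailfrom=bulk.example; dkim=none; dmarc=fail header.from=acme-corp.example

Please delete the tenant's backups today.
"""

if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("lookalike", LOOKALIKE), ("forged", FORGED_HEADER)):
        print(name, is_authentic_request(raw))
```

The lookalike case fails on the registry lookup even though its own DKIM and DMARC are perfectly valid, which is why domain matching is a separate check from authentication results. The check proves that the message came from the customer's mail system, not that the mailbox owner sent it; a compromised customer account still passes, so destructive requests (bulk deletion, export to a new destination) still warrant a second channel or the two-person authorization described above.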
Operations Confined to Small Number of Cloud Providers
We don't operate any on-premises infrastructure, and we host all service components in the cloud, confining all data flows within a small perimeter of trusted cloud providers. We use Google Cloud Platform (GCP) as our principal infrastructure provider for application hosting and the default cloud backup storage. GCP provides a high level of physical security, encryption and access management, anti-malware capabilities, geo-redundancy and high availability. It is compliant with SOC 2/3, ISO 27001, and dozens of other externally validated certifications, which significantly simplifies our own SOC 2 and other security compliance.
We also use Microsoft Azure, Amazon Web Services and Okta for customers that bring their own KMS or use their own IAM services. In addition, we use Stripe, Zendesk, Hubspot and Mailgun for billing and customer service automation, but only limited customer data is shared with these four vendors (billing details, transactional messages and customer service requests).
Afi Application Components and External Systems
All cloud providers we use have SOC 2 Type II certifications, and we review their security practices quarterly. You can check the full list of sub-processors on our Compliance page or reach out at security@afi.ai for more details.
We also implemented a comprehensive logging framework which ensures that access, configuration and data modification operations are logged at all times with sufficient detail, and these logs are retained to facilitate audits and analysis as part of security reviews, penetration testing and certification projects.
Data security and privacy are of the utmost importance for us. The security principles outlined below guide all our major sales, marketing and product decisions.
Granular Data Residency, Retention And Access Management
Afi implements tenant-level multi-geo capabilities, enabling organizations with offices across different geographical regions to store and manage backups in multiple local datacenters. The data-residency mapping can be auto-configured based on the location of the data source (in case the Microsoft multi-geo capability is enabled) or manually assigned on a per MS Group, OU or individual resource basis. Backups can be replicated and kept in multiple storage locations, with protection for all resources across different regions managed from a single Afi account.
Afi also provides granular version-based and compliance retention that enables administrators to configure data retention not only on when an item was modified or deleted, but also on the information type, data residency and the item's creation and modification dates.
In addition, Afi supports IP allow/block lists and has one of the most advanced access role management systems, enabling administrators to create custom backup operator roles, as well as IT Helpdesk, HR, Legal and other roles with granular data viewing, self-service, recovery, reporting and export permissions. Afi access management also leverages dynamic Microsoft Groups and Google OUs/Groups, allows you to grant access to only specific backup resources, and lets you configure time-limited and geo-based permissions.
Rationed Data Collection and Retention
We strictly ration the data we collect, limit the number of vendors we work with (see Operations Confined to Small Number of Cloud Providers) and minimize the information we transfer to the vendors. This often makes things more complicated and expensive than they'd otherwise be, but we believe that the difficulties are offset by lower exposure to the cyber risks associated with excessive data collection.
Specifically, we don't use Google Analytics (GA) to track our existing users. While we use GA to manage Google search advertising and acquire new leads, the GA tag is not installed on app.afi.ai (the web application used by our existing customers), since the GA service has unresolved problems related to GDPR compliance and other privacy issues.
Customers have the option – always disabled by default – to enable anonymous error tracking powered by Sentry (a SaaS performance monitoring provider). If enabled, no sensitive or personally identifiable information (PII) is sent to Sentry and all tracking is limited to error reporting (Sentry Session Replay and Profiling features are disabled at all times).
We also use HubSpot, a sales automation tool, to receive sales inquiries, provision trial subscriptions, and manage communications with customers. HubSpot's cookie tracking feature is disabled at all times for users from all countries.
When a customer agreement is terminated, we erase all customer data and only retain limited financial and service communication records we are required to keep to substantiate our tax and financial reporting. The retained data is limited to legal agreements, payments data and written communication related to the provision of services.
Customer-Centric Terms and Licensing
We're committed to building long-term relationships with our customers. For this reason, we aim to provide transparent, predictable pricing and never impose restrictive agreements that limit customers' ability to cancel contracts or force them into renewing if they no longer want to continue to work with us.
Predictable Pricing
We explicitly state how much storage is included in each subscription, and what the price will be if customers increase their usage. Emphasizing the licensing limits upfront means that we lose deals to vendors that offer 'unlimited' backup pricing. But in our view, providers that market unlimited subscription plans make misleading promises that can only be kept in the short term.
Storage usage plays a key role in the backup providers' pricing, since the infrastructure hosting (driven by storage usage) is the most important direct cost of a cloud backup service. To be sustainable in the long run, vendors must either cover these hosting costs by tying their subscription prices to storage usage, or be able to consistently lower their infrastructure costs per gigabyte (GB) of stored backups, quickly enough to offset backup storage growth per user (license).
In the past, the average infrastructure cost per GB of storage did decline 30-40% per year, the same rate as storage growth per average backup user (license). While the storage usage per license grew, the declining costs per GB offset the growth and allowed vendors to keep their infrastructure costs per license stable. However, as the chart below shows, infrastructure costs per GB have stopped declining since 2017. This means backup vendors' storage costs per user now grow along with the backup storage, and stable per-user pricing is no longer sustainable.
Infrastructure Storage Prices Per Gigabyte No Longer Decline After 2017
To accommodate the growing costs per license, backup vendors either have to implement transparent licensing tied to storage, or stick with an 'unlimited' pricing policy, raising prices at renewal and using obscure 'fair use' policies to limit customer backup storage growth.
We believe the right approach is to be upfront about the impact of backup storage on prices, and provide a transparent licensing that allows customers to have predictable prices and take control of the backup spending. Specifically, we provide a number of management tools, including granular backup retention policies, reporting and data governance capabilities that enable customers to recycle old unused data, reducing their storage footprint and the service cost.
No Vendor Lock-in
Our terms of service, customer subscription agreements, and managed service providers partnership contracts always include termination-at-will clauses. This allows our customers to cancel their subscriptions at any time and for any reason, receiving a refund for any unused prepayments.
We also don't impose multi-year subscriptions or agreements with mandatory renewal terms, vendor lock-in, or non-cancellation provisions on our customers and partners. Our two standard subscription terms are monthly (with month-to-month billing), and annual (if cancelled, we refund any unused prepaid amounts).
Summary of Afi and Industry Standard Backup Contractual Terms
Subscription Period
  Afi Backup: Monthly subscriptions (with month-to-month billing), or annual term (billed annually)
  Industry Standard: Monthly subscriptions billed annually; in some cases only annual and multi-year terms
Cancellations
  Afi Backup: Customers are able to cancel their subscription at any time, for any reason
  Industry Standard: Penalties for early cancellation, or non-cancellable agreements
Refunds
  Afi Backup: All prepaid unused amounts are refundable without penalties
  Industry Standard: Penalties, or no refunds, in case of early subscription termination
Renewals
  Afi Backup: Subscriptions are renewable at customers' option, with predictable pricing tied to usage
  Industry Standard: Unpredictable renewal price increases; (forced) automatic renewal in some cases
Our customer-centric approach sets us apart from common industry practices, where vendors attempt to lock customers into multi-year agreements and limit their ability to cancel contracts. While these tactics help artificially inflate customer retention and growth metrics, we believe that in the long term customer loyalty can only be achieved by adequate investment in product development, great customer service and fair pricing.
Cybersecurity in All Subscriptions
We believe that cybersecurity and ransomware protection are essential elements of a backup service. Cyber criminals are increasingly targeting SaaS applications as organizations continue to move their data to the cloud, and protecting cloud workloads against cyber threats is one of the top reasons why customers use backup. This is why we include security and ransomware protection capabilities in all Afi backup subscriptions and licenses at no additional cost.
Unlike many backup vendors, we don't exclude security features from standard (basic) licenses, in order to upsell more expensive product plans or security add-ons and maximize our revenue in the short run. We make the cybersecurity capabilities available to all customers, as we believe that this reduces our security risks and improves customer retention without the need to push for multi-year agreements and non-cancellation provisions.
Afi ransomware protection is based on a proprietary security engine that monitors data changes, detecting anomalies (e.g. MIME type changes, mass deletions) in the organization's infrastructure. It alerts admins and helps automate recovery at scale, preserving the most recent versions of items unaffected by malware. Afi also provides granular event logging and an API with pre-built integrations, including Microsoft Teams, Slack and major enterprise SIEM systems (Splunk, Datadog, Microsoft Sentinel), allowing admins to capture and analyze all security and backup audit events, and act in time to isolate compromised users or mitigate security threats.
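The two anomaly classes named above, MIME type changes and mass deletions, can be detected from a change stream with per-actor sliding windows, and the same pass can record which version to restore for each touched item. The following is an added example of that logic, not Afi's engine; the log format, the thresholds, the window and the events are constructed for illustration.

```python
"""Sliding-window anomaly detection over a backup change stream.

Added example, not Afi's code. Log format (ts user action item version old_mime new_mime),
thresholds, the document MIME set and SAMPLE_LOG are all constructed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLDS = {"mass_delete": 5, "mime_change": 3}  # events by one actor within WINDOW
WINDOW = timedelta(minutes=10)
DOCUMENT_MIMES = {"application/msword", "application/vnd.ms-excel",
                  "application/vnd.ms-powerpoint", "application/pdf", "text/plain"}


@dataclass
class Event:
    ts: datetime
    user: str
    action: str     # modify | delete
    item: str
    version: str    # version written by this change ("-" for delete)
    old_mime: str
    new_mime: str


def parse_event(line: str) -> Event:
    ts, user, action, item, version, old_mime, new_mime = line.split()
    return Event(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, action, item, version, old_mime, new_mime)


def classify(ev: Event):
    if ev.action == "delete":
        return "mass_delete"
    if ev.old_mime in DOCUMENT_MIMES and ev.new_mime not in DOCUMENT_MIMES:
        return "mime_change"  # a document rewritten as opaque bytes: typical of in-place encryption
    return None


def analyze(lines):
    windows = defaultdict(deque)   # (user, rule) -> deque of (ts, item)
    pending = defaultdict(dict)    # (user, rule) -> {item: state before its first suspicious change}
    current, rollback, alerts, alerted = {}, {}, [], set()
    for ev in map(parse_event, lines):
        rule = classify(ev)
        if rule is None:
            current[ev.item] = (ev.version, ev.new_mime)  # benign change: this is the new clean state
            continue
        key = (ev.user, rule)
        # None means no clean version was seen in this stream; look it up in backup history.
        pending[key].setdefault(ev.item, current.get(ev.item))
        win = windows[key]
        win.append((ev.ts, ev.item))
        while ev.ts - win[0][0] > WINDOW:
            win.popleft()
        if len(win) >= THRESHOLDS[rule] and key not in alerted:
            alerted.add(key)
            alerts.append({"rule": rule, "user": ev.user, "at": ev.ts.isoformat(),
                           "items": [item for _, item in win]})
        if key in alerted:  # once an actor trips a rule, every item they touched joins the restore plan
            rollback.update(pending[key])
    return {"alerts": alerts, "rollback": rollback}


# Constructed change stream: normal edits, then one actor flipping documents to
# octet-stream and deleting five files, then an unrelated single delete.
SAMPLE_LOG = """\
2024-05-02T09:00:05Z alice modify finance/q1.xlsx v12 application/vnd.ms-excel application/vnd.ms-excel
2024-05-02T09:01:10Z bob modify hr/policy.docx v3 application/msword application/msword
2024-05-02T09:02:00Z mallory modify finance/q1.xlsx v13 application/vnd.ms-excel application/octet-stream
2024-05-02T09:02:01Z mallory modify finance/q2.xlsx v8 application/vnd.ms-excel application/octet-stream
2024-05-02T09:02:02Z mallory modify finance/budget.pptx v5 application/vnd.ms-powerpoint application/octet-stream
2024-05-02T09:02:03Z mallory modify hr/policy.docx v4 application/msword application/octet-stream
2024-05-02T09:03:00Z mallory delete legal/nda-1.pdf - application/pdf -
2024-05-02T09:03:01Z mallory delete legal/nda-2.pdf - application/pdf -
2024-05-02T09:03:02Z mallory delete legal/nda-3.pdf - application/pdf -
2024-05-02T09:03:03Z mallory delete legal/nda-4.pdf - application/pdf -
2024-05-02T09:03:04Z mallory delete legal/nda-5.pdf - application/pdf -
2024-05-02T09:40:00Z carol delete tmp/scratch.txt - text/plain -
"""

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines())["alerts"]:
        print(alert)
```

Two design points matter more than the thresholds: the rollback target is captured from the state before the first suspicious change, not from the latest version, so recovery lands on the clean copy; and items are promoted into the restore plan only once their actor trips a rule, so carol's single deletion is neither alerted nor rolled back. Forwarding the `alerts` records to a SIEM or chat channel is the integration the text describes.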