Afi - Privacy Policy

PRIVACY POLICY

This privacy policy ("Privacy Policy") details how Afi Technologies (collectively "Afi" or "We") collect, use and safeguard the privacy of the users of Afi software, services and products ("Services") and does not apply to information that may be collected by us off-line or via other websites.

What Information We Collect

Customer Provided Information. We collect personal information from users including first and last names, a valid credit card to process payment for the Services, business postal addresses, an email address and a password.

Personal Information in Content. We provide replication, backup and data storage Services. Certain content that is backed up, stored or hosted using our Services may contain Personal Information.

Session Records. To provide security and maintain the quality of service, we gather data on connection information, including session date and times, Device Internet Protocol ("IP") address, browser type, Device name and/or identification number, and other interactions with the Service.

Cookies. We use "cookies" to collect information. We use cookies to enable certain features of the Service, to better understand how you interact with the Service and to monitor aggregate usage and web traffic routing on the Service. We save your registration ID and login password for future logins to the Service. The cookies are used solely for identifying user sessions and do not store any personal information regarding the user. You can instruct your browser, by changing its options, to stop accepting cookies or to prompt you before accepting a cookie from the websites you visit. If you do not accept cookies, however, you may not be able to use all features of the Service.

Use of Personal Information

We use your personal information in order to provide the Services in accordance with the Master Subscription Agreement and Terms of Service, the Privacy Policy and in compliance with applicable law. We use your personal information to provide you with convenient access to our products and services and to improve what we offer to you. In addition, we use your personal information to keep you up to date on the latest product announcements and other information we think you'd like to hear about.

We may disclose personal information as required by law and to comply with a judicial proceeding, court order, or legal process.

Disclosure of Personal Information

We share certain personal information with third parties whose services we use to help sell, support our products and operate our business such as Customer Relationship Management (CRM), Enterprise Resource Management (ERP) and Accounting software providers. We make sure any third parties with whom we share Personal Data will use the data only for the

purpose of providing their services to us, and in a manner consistent with our privacy practices. We assume responsibility for the processing of Personal Data that we transfer to a 3rd party. We remain liable under the Privacy Shield principles if our agent processes such Personal Data in a manner inconsistent with the principles, unless we prove we are not responsible for the event giving rise to the damage. We may also share personal information as required by law and to comply with a judicial proceeding, court order, or legal process.

Right to access, change and delete personal information

You have the right to access your personal information, and to limit use and disclosure of it. To request access to the personal information we have processed on your behalf or to limit use and disclosure of your personal information, please contact: privacy@afi.ai and provide your name, contact information and observe the required formalities under applicable law.

Data Privacy Framework

Afi complies with the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Afi has certified to the U.S. Department of Commerce that it adheres to the EU-U.S. Data Privacy Framework Principles (EU-U.S. DPF Principles) with regard to the processing of personal data received from the European Union and the United Kingdom in reliance on the EU-U.S. DPF and the UK Extension to the EU-U.S. DPF. Afi has certified to the U.S. Department of Commerce that it adheres to the Swiss-U.S. Data Privacy Framework Principles (Swiss-U.S. DPF Principles) with regard to the processing of personal data received from Switzerland in reliance on the Swiss-U.S. DPF. If there is any conflict between the terms in this privacy policy and the EU-U.S. DPF Principles and/or the Swiss-U.S. DPF Principles, the Principles shall govern. To view our certification, please visit https://www.dataprivacyframework.gov/.

U.S. Federal Trade Commission Enforcement

Afi is subject to the investigatory and enforcement powers of the Federal Trade Commission (FTC) to ensure compliance with the EU-US DPF and the UK Extension to the EU-U.S. DPF, and the Swiss-U.S. DPF.

Binding Arbitration

In instances where other redress possibilities have been exhausted, or where the complaint has not been resolved by any other means, DPF gives you the right to pursue binding arbitration. You may file a complaint with JAMS, our designated independent dispute resolution provider. You can submit your complaint by visiting https://www.jamsadr.com/DPF-Dispute-Resolution. Afi acknowledges that any final decision by the Data Protection Review Court is a legally binding decision, enforceable in U.S. courts.

EU GDPR Representative

We designated Maetzler Rechtsanwalts GmbH & Co KG, located at Schellinggasse 3/10, 1010 Vienna, in compliance with Article 27 GDPR. You can submit your GDPR compliance and privacy requests online at https://prighter.com/q/17421460117.

Security

Our software code is stored in GitHub source code management system hosted in the United States. The system tracks source code access and modification activity. All Pull Requests are automatically run through a comprehensive test suite and verification. Only authorized R&D engineers access the source code and only for the tasks assigned to them. Afi engages external security auditors to evaluate the security of its source code. The latest secure code assesment is available upon request.

Infrastructure and Encryption. Afi uses Google Cloud Platform (GCP) for cloud hosting and backup storage. Customer data is stored in an encrypted archive on redundant object storage, and is accessed via Afi application services that manage user access rights and permissions. We use Transport Layer Security (TLS 1.2+) with secure ciphers to encrypt all the data flows to and from our cloud services. Data at rest is stored in cloud storage protected by Advanced Encryption Standard 256bit (AES256) cipher. Our encryption is independently reviewed and the audit report is available upon request.

System Logs. All access, configuration and modification events within our systems are logged with sufficient detail, and these logs are retained to facilitate audits and analysis as part of security reviews, penetration testing and certification projects. This includes full GCP audit logs for all GCP services, and all other critical infrastructure systems.

Access Control. Afi employees can only access critical internal systems via single sign-on (SSO). All the SSO accounts are configured to only allow devices meeting security requirements, and limit access based on the geographical location. The system is configured to only allow access from the United States and the European Union, reflecting Afi's workforce placement. The device policy requirements include up-to-date device OS, encryption and password-protection.

Controller/Processor Roles

We are primarily a data processor but we also considered a data controller in certain situations described in this Section. We are a business-to-business cloud service provider and our main role is a data processor for our business Customers. We also receive personal information from individual employees inquiring on behalf of their employer.

Afi is the "Processor" of Personal Information in the meaning set forth in Article 4 of the GDPR and any other data protection laws with respect to personal data contained in Customer Content. We collect information under the direction of our business Customers, who remain the data controllers. We have no direct relationship with the individuals (Users) whose personal data we process.

We act as a data-controller when We collect singular data subject personal information such as name, cookies, tags, scripts, your email, and comments on our blog and website. This information is submitted, voluntarily, by individuals representing data-controlling Customers.

Subprocessors/Service Providers

Afi engages the following third party subprocessors to provide the Services:

Stripe, a payment processing company,
Google Cloud Platform and Amazon Web Services, infrastructure hosting providers,
Salesforce, a cloud customer relationship management system,
Zendesk, a cloud-based helpdesk ticketing system,
Hubspot, a cloud-based sales customer relationship (CRM system,
Mailgun, a transactional email delivery service.

Deletion

If Afi is requested to access, correct or remove data, by the data controller, we will respond within a reasonable timeframe. Individuals who have provided data to Afi directly, and who wish to access, correct, or delete data, may contact us via email at privacy@afi.ai. We retain personal data we process on behalf of our Customers for as long as needed to provide the Services. When a Subscription ends, We delete Customer Contents from Our systems.

GDPR

We are compliant with the Regulation (EU) 2016/679 (General Data Protection Regulation). Major GDPR requirements and Afi features that help to address them include:

Storing and processing data within EU. Afi enables customers to select where their data is stored by specifically setting the predefined destinations.

Right to erasure. Afi will remove data from the system in a timely manner upon request.

Security. All the customer data in transit and at rest is encrypted as described in paragraph 4. Afi follows Secure Software Development Cycle as outlined in paragraph 1.

Records of processing activities. Afi audit log provides visibility on all actions performed in the system and enables customers to retrieve these logs when required.

We have a Data Protection Officer who can be reached at privacy@afi.ai.

FERPA

Customer Data may include personally identifiable information from education records that are subject to FERPA. To the extent that Customer Data includes such information, Afi will be considered a "School Official" (as defined in FERPA and its implementing regulations) and will comply with FERPA.

COPPA

Afi services can be used in compliance with COPPA if an organization has parental consent.

Consent

In providing your personal information to us, you are consenting to us dealing with that information in the manner described in this statement. For example, if you give us your fax number or email address, you are consenting to us contacting you by fax or email.

Your consent may also be intrinsic to the circumstances, such as in the case where you have previously provided your personal information to us and either you maintain your relationship with us or, having received communications from us, you did not request us to cease such communications. Use of our Website also constitutes acceptance of this privacy policy.

You may opt out of receiving marketing communications if you want, at any time. Specific communications (such as the newsletter) usually contain instructions on them for how to opt out of receiving them, or you can email us at privacy@afi.ai.

Changes

If we make any material changes we will notify You via email or by other reasonable means.