AIRFOLD INFORMATION SECURITY ADDENDUM

Effective Date: May 6, 2025

This Information Security Addendum (the “Addendum”) sets forth the technical and organizational measures for the protection of Customer Data processed by the Airfold Platform (if applicable) or data (if any) provided by Customer to Airfold in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”). Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable agreement between Customer and Airfold for the delivery of the Airfold Platform and/or Support Services (the “Agreement”).

Airfold shall maintain an information security program that is designed to protect the security, confidentiality, and integrity of Customer Information (the “Airfold Information Security Program”). The Airfold Information Security Program will be implemented on an organization-wide basis. The Airfold Information Security Program will be designed to ensure Airfold’s compliance with data protection laws and regulations applicable to Airfold’s performance under the applicable Agreement (including any Data Processing Addendum), and shall include the safeguards set forth below (the “Airfold Information Security Controls”).

1. AUDITS AND CERTIFICATIONS

1.1 Audits and Certifications

Airfold engages independent third-party auditors to assess the Airfold Information Security Program as described in the following audits and certifications on at least an annual basis:

1.1.1 SOC 2 Type II

Airfold maintains a SOC 2 Type II audit report covering the Trust Services Criteria for Security, Availability, and Confidentiality. Airfold will make its SOC 2 Type II report available to Customer upon request, subject to appropriate confidentiality obligations.

2. ORGANIZATIONAL CONTROLS

2.1 Governance

Airfold assigns to an individual or a group of individuals appropriate roles for developing, coordinating, implementing, and managing Airfold’s administrative, physical, and technical safeguards designed to protect the security, confidentiality, and integrity of Customer Information.

2.2 Security Personnel

Airfold uses data security personnel that are sufficiently trained, qualified, and experienced to fulfill their information security-related functions.

2.3 Risk Assessments

Airfold conducts periodic risk assessments designed to analyze existing information security risks, identify potential new risks, and evaluate the effectiveness of existing security controls.

2.4 Risk Prioritization

Airfold maintains risk assessment processes designed to evaluate the likelihood of risk occurrence and material potential impacts if risks occur.

2.5 Information Security Policies

Airfold creates information security policies, approved by management, published, and acknowledged by all employees.

2.6 Information Security Policy Review

Airfold reviews and updates policies at planned intervals to maintain their continuing suitability, adequacy, and effectiveness.

2.7 Data Classification

Airfold maintains a data classification standard based on data criticality and sensitivity.

2.8 Data Retention and Destruction

Airfold maintains policies establishing data retention and secure destruction requirements.

2.9 Asset Ownership

Airfold implements procedures to clearly identify assets and assign ownership of those assets.

2.10 Compliance

Airfold establishes procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are adhered to across the organization.

3. PEOPLE CONTROLS

3.1 Information Security Policy Acknowledgement

Airfold creates information security policies, approved by management, published, and acknowledged by all employees.

3.2 Information Security Awareness Training

Airfold requires all employees to undergo security awareness training on at least an annual basis.

3.3 Personnel Agreements

Airfold requires personnel to sign confidentiality agreements and acknowledge Airfold’s information security policy, which includes acknowledging responsibilities for reporting security incidents involving Customer Information.

3.4 Background Checks

Airfold performs background checks on employees in accordance with applicable laws and regulations.

4. PHYSICAL SECURITY

4.1 Cloud Service Providers

For the Airfold Platform, Airfold uses Hosting Service Providers that have:

4.1.1 Physical Security

Implemented controls designed to restrict unauthorized physical access to areas containing equipment used to provide the Airfold Platform.

4.1.2 Environmental Security

Maintain equipment used to host the Airfold Platform in physical locations that are designed to be protected from natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and power failures or outages.

5. TECHNOLOGICAL CONTROLS

5.1 Logical Access Control

Airfold maintains technical, logical, and administrative controls designed to limit access to Customer Information. Unique usernames and passwords are required for authentication.

5.2 Privileged Access Restriction

Airfold restricts privileged access to Customer Data to authorized users with a business need.

5.3 Access Review

Airfold reviews personnel access rights on a regular and periodic basis. Access to production environments is reviewed at least quarterly.

5.4 Access Revocation

Airfold maintains policies requiring termination of access to Customer Information within 24 hours of employee termination.

5.5 Multi-Factor Authentication

Airfold implements access controls designed to authenticate users and limit access to Customer Information, including multi-factor authentication.

5.6 Cryptographic Key Management

Airfold implements encryption key management procedures.

5.7 Encryption in Transit

Airfold encrypts Customer Information in transit using a minimum of TLS 1.2 with strong ciphers.

5.8 Encryption at Rest

Airfold encrypts Customer Information at rest using a minimum of AES-256 with strong ciphers.

5.8.1 Encryption Key Rotation

Airfold utilizes Hosting Service Provider managed keys that are rotated at least annually.

5.9 Separation of Environments

Airfold requires internal segmentation to isolate production systems hosting the Airfold Platform from non-production environments.

5.10 Vulnerability Testing

Airfold performs periodic network, infrastructure, and application vulnerability testing.

5.11 Penetration Testing

Airfold performs network and application penetration testing at least annually.

5.12 Technical Vulnerability Management

Airfold implements procedures to document and address vulnerabilities discovered during vulnerability and penetration tests.

5.13 Network Security Reviews

Airfold requires periodic reviews and testing of network controls.

5.14 Workstation Security

Airfold centrally manages workstations via endpoint security solutions for deployment and management of end-point protections.

5.15 Local Separation of Customer Environments

For the Airfold Platform, customer environments are logically separated.

5.16 Change Management

Airfold assigns responsibility for security, changes, and maintenance for all information systems processing Customer Information.

5.17 Change Authorization

For the Airfold Platform, Airfold tests, evaluates, and authorizes major information system components prior to implementation.

5.18 Secure Development

Airfold maintains and follows a secure development lifecycle for the development of the software that is hosted and made available via the Airfold Platform.

5.19 System Monitoring

Airfold monitors the access, availability, capacity, and performance of the Airfold Platform, Support Services, and related system logs and network traffic using various monitoring software and services.

5.20 Security Incident Response Procedures

Airfold maintains incident response procedures for identifying, reporting, and acting on Security Breaches.

5.21 Security Incident Reporting

If Airfold becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Information, Airfold shall notify Customer without undue delay, and in any case, where feasible, notify Customer within 48 hours after becoming aware and in accordance with Section 7 of the Data Processing Addendum.

5.22 Security Incident Response Tabletop

Airfold exercises the incident response process on a periodic basis.

5.23 Security Incident Response Improvement

Airfold implements plans to address gaps discovered during incident response exercises.

5.24 Incident Response Team

Airfold establishes a cross-disciplinary security incident response team.

5.25 Business Continuity Plans

Airfold establishes, documents, implements, and maintains processes, procedures, and controls to ensure the required level of continuity for information security during an adverse situation.

5.26 Business Continuity Tests

Airfold conducts scenario-based testing annually.

6. CUSTOMER DATA STORAGE LOCATION

6.1 Airfold Platform

Airfold creates services for customers to upload data in customer-specified cloud providers and regions that are managed by Airfold, Inc. based on cloud provider and region availability.

7. CUSTOMER RESPONSIBILITIES

7.1 Account Security

Customer is responsible for managing the security of their Airfold Platform account credentials and for the actions of their Authorized Users who access the Airfold Platform.

7.2 Customer Content

Customer is responsible for properly configuring the Airfold Platform and their own computer networks, servers, and systems in accordance with the Documentation provided by Airfold.

7.3 Security Settings

Customer is responsible for properly configuring and using the security features provided by Airfold and for determining whether the security settings and features are appropriate and sufficient for Customer’s specific use case, data sensitivity, and compliance requirements.

7.4 Security Patches

Customer is responsible for maintaining secure access to the Airfold Platform, including ensuring that Customer’s systems and devices used to access the Airfold Platform are running with the latest security patches and updates.

7.5 Access Control

Customer is responsible for implementing appropriate access controls and permission settings for their users and data within the Airfold Platform, including limiting access to those with a legitimate business need.

Data Privacy Framework Subprocessors and Affiliates

On this page

AIRFOLD INFORMATION SECURITY ADDENDUM
1. AUDITS AND CERTIFICATIONS
1.1 Audits and Certifications
1.1.1 SOC 2 Type II
2. ORGANIZATIONAL CONTROLS
2.1 Governance
2.2 Security Personnel
2.3 Risk Assessments
2.4 Risk Prioritization
2.5 Information Security Policies
2.6 Information Security Policy Review
2.7 Data Classification
2.8 Data Retention and Destruction
2.9 Asset Ownership
2.10 Compliance
3. PEOPLE CONTROLS
3.1 Information Security Policy Acknowledgement
3.2 Information Security Awareness Training
3.3 Personnel Agreements
3.4 Background Checks
4. PHYSICAL SECURITY
4.1 Cloud Service Providers
4.1.1 Physical Security
4.1.2 Environmental Security
5. TECHNOLOGICAL CONTROLS
5.1 Logical Access Control
5.2 Privileged Access Restriction
5.3 Access Review
5.4 Access Revocation
5.5 Multi-Factor Authentication
5.6 Cryptographic Key Management
5.7 Encryption in Transit
5.8 Encryption at Rest
5.8.1 Encryption Key Rotation
5.9 Separation of Environments
5.10 Vulnerability Testing
5.11 Penetration Testing
5.12 Technical Vulnerability Management
5.13 Network Security Reviews
5.14 Workstation Security
5.15 Local Separation of Customer Environments
5.16 Change Management
5.17 Change Authorization
5.18 Secure Development
5.19 System Monitoring
5.20 Security Incident Response Procedures
5.21 Security Incident Reporting
5.22 Security Incident Response Tabletop
5.23 Security Incident Response Improvement
5.24 Incident Response Team
5.25 Business Continuity Plans
5.26 Business Continuity Tests
6. CUSTOMER DATA STORAGE LOCATION
6.1 Airfold Platform
7. CUSTOMER RESPONSIBILITIES
7.1 Account Security
7.2 Customer Content
7.3 Security Settings
7.4 Security Patches
7.5 Access Control

Get Started

Concepts

Ingest

Query

Workspace Files

Management

Production

Connectors

Legal

​AIRFOLD INFORMATION SECURITY ADDENDUM

​1. AUDITS AND CERTIFICATIONS

​1.1 Audits and Certifications

​1.1.1 SOC 2 Type II

​2. ORGANIZATIONAL CONTROLS

​2.1 Governance

​2.2 Security Personnel

​2.3 Risk Assessments

​2.4 Risk Prioritization

​2.5 Information Security Policies

​2.6 Information Security Policy Review

​2.7 Data Classification

​2.8 Data Retention and Destruction

​2.9 Asset Ownership

​2.10 Compliance

​3. PEOPLE CONTROLS

​3.1 Information Security Policy Acknowledgement

​3.2 Information Security Awareness Training

​3.3 Personnel Agreements

​3.4 Background Checks

​4. PHYSICAL SECURITY

​4.1 Cloud Service Providers

​4.1.1 Physical Security

​4.1.2 Environmental Security

​5. TECHNOLOGICAL CONTROLS

​5.1 Logical Access Control

​5.2 Privileged Access Restriction

​5.3 Access Review

​5.4 Access Revocation

​5.5 Multi-Factor Authentication

​5.6 Cryptographic Key Management

​5.7 Encryption in Transit

​5.8 Encryption at Rest

​5.8.1 Encryption Key Rotation

​5.9 Separation of Environments

​5.10 Vulnerability Testing

​5.11 Penetration Testing

​5.12 Technical Vulnerability Management

​5.13 Network Security Reviews

​5.14 Workstation Security

​5.15 Local Separation of Customer Environments

​5.16 Change Management

​5.17 Change Authorization

​5.18 Secure Development

​5.19 System Monitoring

​5.20 Security Incident Response Procedures

​5.21 Security Incident Reporting

​5.22 Security Incident Response Tabletop

​5.23 Security Incident Response Improvement

​5.24 Incident Response Team

​5.25 Business Continuity Plans

​5.26 Business Continuity Tests

​6. CUSTOMER DATA STORAGE LOCATION

​6.1 Airfold Platform

​7. CUSTOMER RESPONSIBILITIES

​7.1 Account Security

​7.2 Customer Content

​7.3 Security Settings

​7.4 Security Patches

​7.5 Access Control