Effective Date: May 6, 2025
This Information Security Addendum (the “Addendum”) sets forth the technical and organizational measures for the
protection of Customer Data processed by the Airfold Platform (if applicable) or data (if any) provided by Customer to
Airfold in connection with the delivery of Support Services (if applicable) (collectively “Customer Information”).
Capitalized terms not defined in this Addendum shall have the meanings set forth in the applicable agreement between
Customer and Airfold for the delivery of the Airfold Platform and/or Support Services (the “Agreement”).
Airfold shall maintain an information security program that is designed to protect the security, confidentiality, and
integrity of Customer Information (the “Airfold Information Security Program”). The Airfold Information Security Program
will be implemented on an organization-wide basis. The Airfold Information Security Program will be designed to ensure
Airfold’s compliance with data protection laws and regulations applicable to Airfold’s performance under the applicable
Agreement (including any Data Processing Addendum), and shall include the safeguards set forth below (the “Airfold
Information Security Controls”).
Airfold engages independent third-party auditors to assess the Airfold Information Security Program as described in the
following audits and certifications on at least an annual basis:
Airfold maintains a SOC 2 Type II audit report covering the Trust Services Criteria for Security, Availability, and
Confidentiality. Airfold will make its SOC 2 Type II report available to Customer upon request, subject to appropriate
confidentiality obligations.
Airfold assigns to an individual or a group of individuals appropriate roles for developing, coordinating, implementing,
and managing Airfold’s administrative, physical, and technical safeguards designed to protect the security,
confidentiality, and integrity of Customer Information.
Airfold uses data security personnel that are sufficiently trained, qualified, and experienced to fulfill their
information security-related functions.
Airfold conducts periodic risk assessments designed to analyze existing information security risks, identify potential
new risks, and evaluate the effectiveness of existing security controls.
Airfold establishes procedures designed to ensure all applicable statutory, regulatory, and contractual requirements are
adhered to across the organization.
Airfold requires personnel to sign confidentiality agreements and acknowledge Airfold’s information security policy,
which includes acknowledging responsibilities for reporting security incidents involving Customer Information.
Airfold maintains equipment used to host the Airfold Platform in physical locations that are designed to be protected from
natural disasters, theft, unlawful and unauthorized physical access, problems with ventilation, heating or cooling, and
power failures or outages.
Airfold maintains technical, logical, and administrative controls designed to limit access to Customer Information.
Unique usernames and passwords are required for authentication.
Airfold maintains and follows a secure development lifecycle for the development of the software that is hosted and made
available via the Airfold Platform.
Airfold monitors the access, availability, capacity, and performance of the Airfold Platform, Support Services, and
related system logs and network traffic using various monitoring software and services.
If Airfold becomes aware of a breach of security leading to accidental or unlawful destruction, loss, alteration,
unauthorized disclosure of, or access to Customer Information, Airfold shall notify Customer without undue delay, and in
any case, where feasible, notify Customer within 48 hours after becoming aware and in accordance with Section 7 of
the Data Processing Addendum.
Airfold establishes, documents, implements, and maintains processes, procedures, and controls to ensure the required
level of continuity for information security during an adverse situation.
Airfold creates services for customers to upload data in customer-specified cloud providers and regions that are managed
by Airfold, Inc. based on cloud provider and region availability.
Customer is responsible for managing the security of their Airfold Platform account credentials and for the actions of
their Authorized Users who access the Airfold Platform.
Customer is responsible for properly configuring the Airfold Platform and their own computer networks, servers, and
systems in accordance with the Documentation provided by Airfold.
Customer is responsible for properly configuring and using the security features provided by Airfold and for determining
whether the security settings and features are appropriate and sufficient for Customer’s specific use case, data
sensitivity, and compliance requirements.
Customer is responsible for maintaining secure access to the Airfold Platform, including ensuring that Customer’s
systems and devices used to access the Airfold Platform are running with the latest security patches and updates.
Customer is responsible for implementing appropriate access controls and permission settings for their users and data
within the Airfold Platform, including limiting access to those with a legitimate business need.