Data & InfoSec Policy

v1.2 · May 2026

← All Docs

Changes from v1.1: Added Section 1 (Compliance Roadmap) consolidating 365Agents' current and planned attestations and certifications (SOC 2, ISO/IEC 42001, PCI DSS, HIPAA, USDP). Renumbered subsequent sections accordingly. From v1.0 (carried forward): Renumbered sections to fix the duplicate "Section 7" bug. Harmonized terminology with the MSA, Reseller Agreement, and SLA. Added incident-notification timing aligned with the agreements (72 hours from confirmation; ≤ 24 hours for active material risk). Aligned defined terms.

This Data & InfoSec Policy ("Policy") is incorporated into and governed by the terms of a customer's agreement with 365Agents, Inc. ("365Agents") for access to and use of the 365Agents Platform (the "Agreement"). Capitalized terms not defined here have the meanings given in the Agreement. "Customer" includes both direct customers under the MSA and Resellers under the Reseller / White-Label Agreement.

1 COMPLIANCE ROADMAP

365Agents pursues an aggressive compliance posture appropriate to a modern AI voice and text platform serving regulated and unregulated SMB markets. Status as of the date of this Policy:

Framework	Status	Detail
SOC 2 Type I	✓ Achieved	Independent attestation by ; report dated . Renewed annually.
SOC 2 Type II	● Planned	Type II observation period commencing ; target attestation .
ISO/IEC 42001:2023	✓ Certified	Certificate issued by ; certificate dated . The first ISO standard specifically for AI governance — covers risk management, lifecycle controls, transparency, and human oversight.
PCI DSS — Service Provider	✓ Attested	Attestation of Compliance (AOC) dated ; scope-minimization design — cardholder data is not stored on the Platform unless Customer enables PCI-compliant payment flows.
HIPAA	✓ BAA-ready	365Agents implements administrative, physical, and technical safeguards consistent with the HIPAA Security Rule and is prepared to execute a Business Associate Agreement (BAA) for Customer use cases involving PHI. PHI processing requires (a) an executed BAA and (b) PHI-mode enabled at the account level.
U.S. Data Privacy (USDP)	● In Progress	365Agents is implementing a unified U.S. multi-state privacy program harmonizing obligations under CCPA/CPRA, VCDPA, CPA, CTDPA, UCPA, and the rolling wave of similar state laws. Target completion .
GDPR / UK GDPR / Swiss FADP	✓ DPA-ready	Data Processing Addendum incorporates EU Standard Contractual Clauses (SCCs) and UK Addendum; available on request prior to processing EU/UK personal data.
CCPA / CPRA	✓ Compliant	Consumer rights portal at https://365agents.com/privacy-requests; "Do Not Sell or Share" honored; 45-day response window with permitted 45-day extension.
TCPA / TSR / State Laws	✓ Configurable	Platform provides consent capture, do-not-call list integration, AI-disclosure prompts, "click-to-cancel" mechanics, and time-window controls; Customer is responsible for configuration consistent with applicable jurisdictions.

Forward-looking statements. Items listed as "Planned" or "In Progress" are targets, not contractual commitments. Achieved attestations and certifications are subject to annual renewal and may lapse if not renewed; Customers will be notified through this Policy when material changes occur. Copies of attestation reports, AOCs, and certificates are available under NDA on written request to security@365agents.com.

2 SECURITY INFRASTRUCTURE AND COMMITMENTS

2(a) Security standards.

•Encryption at rest using AES-256 encryption for all stored data
•Encryption in transit using TLS 1.3 or higher for all data transmissions
•Multi-factor authentication required for all administrative access
•Regular security audits conducted by independent third-party security firms
•SOC 2 Type I compliance with annual attestation updates (Type II in progress)
•ISO/IEC 42001:2023 AI-Management-System controls applied across the model lifecycle

2(b) Access controls.

•Role-based access control with minimum-necessary permissions
•Regular access reviews and timely deprovisioning procedures
•Background checks for personnel with access to Customer Data
•Secure development practices, including code reviews and automated vulnerability scanning
•Annual security awareness training for all employees and contractors with system access

3 DATA BREACH RESPONSE PROCEDURES

3(a) Incident detection and classification.

365Agents maintains 24×7 security monitoring to detect: unauthorized access to Customer Data or systems; data exfiltration attempts or successful breaches; system vulnerabilities that could compromise security; malware or ransomware incidents; and insider threats or suspicious employee activity.

3(b) Immediate response (0–4 hours).

Upon detecting a potential security incident: incident response team activation within 1 hour of detection; preliminary assessment of scope and severity; containment measures to prevent further unauthorized access; evidence preservation for forensic analysis; and initial documentation of incident timeline and affected systems.

3(c) Investigation phase (4–72 hours).

Incident response includes: forensic analysis to determine root cause and scope; assessment of data types and volume of information potentially compromised; identification of affected customers and data subjects; documentation of unauthorized access methods and duration; and coordination with law enforcement if criminal activity is suspected.

4 CUSTOMER NOTIFICATION PROCEDURES

4(a) Notification timeline.

•Without unreasonable delay and no later than 72 hours after confirming a Personal Data breach (consistent with GDPR requirements)
•Immediately, by reasonable means available, if ongoing risk requires urgent customer action (target: within 24 hours of confirmation)
•As required by applicable law in Customer's jurisdiction

4(b) Notification content.

Breach notifications will include: description of the incident, including date, time, and duration; types of data involved and estimated number of affected records; likely consequences of the breach for affected individuals; measures taken to address the breach and prevent recurrence; contact information for questions and additional details; and recommendations for Customers to protect affected individuals.

4(c) Regulatory notifications.

365Agents will handle required notifications to: data protection authorities within 72 hours when required; law enforcement agencies when criminal activity is involved; other regulatory bodies as required by applicable law; and credit-monitoring services when financial data is involved.

5 DATA RECOVERY AND BUSINESS CONTINUITY

5(a) Backup and recovery.

•Automated daily backups with geographically distributed storage
•Point-in-time recovery capabilities for database restoration
•Disaster recovery sites with maximum 4-hour RTO and 24-hour RPO
•Regular backup testing and restoration procedures
•Business continuity planning with defined escalation procedures

6 POST-INCIDENT PROCEDURES

6(a) Incident analysis.

After resolution, 365Agents conducts: root cause analysis to identify failure points; security control assessment and enhancement recommendations; process improvement review for incident response procedures; documentation update for policies and procedures; and staff training updates based on incident findings.

6(b) Ongoing monitoring.

Enhanced security measures include: increased monitoring of affected systems for 90 days; additional security controls implementation as appropriate; regular vulnerability assessments and penetration testing (annually at minimum); and third-party security reviews for affected components.

7 COMPREHENSIVE GDPR COMPLIANCE

7(a) Legal basis for processing.

365Agents processes Personal Data under the following legal bases: contract performance for providing services requested by customers; legitimate interests for improving services and preventing fraud; consent where specifically obtained for marketing or optional features; and legal obligations for compliance with applicable laws and regulations.

7(b) Data subject rights.

Under GDPR, individuals have the right to: access their Personal Data and obtain a copy; rectification of inaccurate or incomplete Personal Data; erasure ("right to be forgotten") under specific circumstances; restriction of processing in certain situations; data portability in machine-readable format; object to processing based on legitimate interests; and withdraw consent where processing is based on consent.

7(c) Data Protection Impact Assessments (DPIAs).

365Agents conducts DPIAs for: high-risk processing activities involving Personal Data; new AI model training using customer voice data; system changes that may affect data protection; and cross-border data transfers to new jurisdictions.

8 DATA RETENTION AND DELETION

Data Type	Retention Period
Voice recordings	Deleted within 30 days unless Customer requests longer retention via Order or admin setting
Voice models (synthetic voices)	Retained until Customer requests deletion or account termination
Usage logs and telemetry	12 months (for security, performance, and fraud monitoring)
Customer account data	Up to 7 years after account closure for legal and tax compliance
Billing and transaction records	7 years (as required by tax and financial regulations)
Customer Data (other)	For the Subscription Term plus 30 days post-termination, then deleted; archive backups retained until expiry per backup rotation

Automated deletion processes: scheduled deletion jobs run daily to remove expired data; customer-initiated deletion processed within 30 days of verified request; backup purging on rotation to remove deleted data from all systems; verification procedures confirm complete data removal.

9 RIGHTS UNDER CCPA AND SIMILAR LAWS

9(a) Consumer rights under CCPA.

California residents have the right to: know what Personal Information is collected and how it is used; delete Personal Information held by businesses; opt out of "sale" or "sharing" of Personal Information; non-discrimination for exercising CCPA rights; and access specific pieces of Personal Information.

9(b) CCPA disclosures.

365Agents provides: annual privacy policy updates with required CCPA disclosures; a consumer request portal for exercising CCPA rights (https://365agents.com/privacy-requests); verification procedures for identity confirmation; and response timelines of 45 days, with possible 45-day extension as permitted.

9(c) State-law equivalents.

365Agents extends comparable rights to consumers in states with substantially similar privacy laws (including VCDPA, CPA, CTDPA, UCPA, and other applicable state laws), as required.

10 INTERNATIONAL DATA TRANSFER SAFEGUARDS

10(a) Transfer mechanisms.

For international data transfers, 365Agents uses: Standard Contractual Clauses approved by the European Commission; adequacy decisions where available for specific countries; Binding Corporate Rules for intra-group transfers; and certification schemes where recognized by data protection authorities.

10(b) Country-specific restrictions.

Data transfers are restricted or prohibited to: countries under sanctions by the U.S., EU, or other applicable jurisdictions; and jurisdictions without adequate protection unless appropriate safeguards are in place.

11 UPDATES TO THIS POLICY

365Agents may update this Policy from time to time and will post the current version at https://365agents.com/legal/infosec. 365Agents will not materially diminish the protections set forth in this Policy as of a Customer's Effective Date during the then-current Subscription Term.

Document version: 1.2 · Owner: Information Security Officer, 365Agents, Inc. · Contact: security@365agents.com