SERVICE LEVEL AGREEMENT (SLA)

Last Updated: 11/May/2025 12:50

1. INTRODUCTION

1.1 Purpose

This Service Level Agreement (“SLA”) establishes the terms and conditions under which Innovatica Technologies FZ-LLC (“Innovatica,” “Company,” “we,” or “us”) provides the Brilio AI Platform services (“Brilio,” “Platform,” or “Services”) to its customers (“Customer,” “you,” or “your”) and forms a legally binding agreement between you and Innovatica.

1.2 Scope

This SLA applies to all subscription tiers of the Brilio AI Platform, including free, standard, plus, premium, and enterprise subscriptions, unless otherwise specified in a separate Enterprise Subscription Agreement.

1.3 Related Documents

This SLA forms part of the legal framework governing the use of Brilio and should be read in conjunction with our Master Terms of Service, Privacy Policy, Acceptable Use Policy, Agent Content Guidelines, Data Processing Agreement, Security Policy, and other applicable legal documents referenced herein.

2. SERVICE AVAILABILITY AND UPTIME COMMITMENTS

2.1 Uptime Guarantee

Innovatica guarantees 99.9% monthly availability for the critical components of the Brilio platform, measured as described in Section 2.2. The Platform is hosted on Microsoft Azure in the North Europe (Ireland) region, and this guarantee depends on the availability of that underlying infrastructure.

2.2 Measurement Period

Service availability is measured on a monthly basis, calculated as:

Service Availability Percentage = (Total Minutes in Month − Minutes of Downtime) / Total Minutes in Month × 100

2.3 Downtime Definition

“Downtime” is defined as periods when Brilio services are unavailable due to:

  • Platform unavailability resulting in users being unable to access or use core functionality
  • Errors resulting in complete service failure
  • Unscheduled maintenance
  • Infrastructure failures directly attributable to Innovatica’s systems or implementation of Microsoft Azure services
  • Service interruptions that prevent users from accessing, creating, or managing AI Agents

2.4 Exclusions from Downtime Calculation

The following are explicitly excluded from Downtime calculations:

  • Planned maintenance (as defined in Section 3)
  • Issues resulting from Customer’s equipment, software, or connectivity
  • Force majeure events (as defined in the Terms of Service)
  • Suspension or termination in accordance with the Terms of Service
  • Issues with third-party services or integrations not directly under Innovatica’s control
  • Beta features explicitly marked as such

3. MAINTENANCE AND NOTIFICATIONS

3.1 Scheduled Maintenance

Scheduled maintenance is planned during off-peak hours and announced at least 72 hours in advance to minimize disruption. Some services may be briefly unavailable during these periods. The notification will include the estimated duration and impact of the maintenance.

3.2 Emergency Maintenance

In cases requiring emergency maintenance, Innovatica will make reasonable efforts to inform users promptly of the need for such maintenance. Emergency maintenance may be conducted with less than 72 hours’ notice when necessary to address critical security vulnerabilities or service-affecting issues.

3.3 Notification Methods

Maintenance notifications will be delivered through:

  • Email notifications to the registered account administrator
  • In-platform notifications
  • Status updates on the Brilio status page (status.brilio.ai)

4. SERVICE CREDITS

4.1 Service Credit Calculation

If Service Availability for a month falls below the 99.9% commitment in Section 2.1, service credits will be issued to affected Customers according to the following schedule:

  • Less than 99.9% but ≥ 99.0% uptime: 10% service credit
  • Less than 99.0% but ≥ 95.0% uptime: 20% service credit
  • Less than 95.0% uptime: 30% service credit

4.2 Service Credit Application

Service credits are calculated as a percentage of the monthly subscription fee for the affected service during the month in which the downtime occurred. For annual subscriptions, the credit will be calculated based on the prorated monthly equivalent.

4.3 Extended Outage Credit

For outages exceeding 12 consecutive hours, users are eligible for a 5% service credit on their monthly subscription fee, applied to the next billing cycle after verification. This credit is in addition to any service credits earned under Section 4.1.

4.4 Credit Request Process

To receive a service credit, Customers must submit a credit request within 30 days following the month in which the downtime occurred. Requests must include:

  • A detailed description of the service disruption
  • The dates and times of the service disruption
  • Account information and affected resources
  • Any relevant logs or error messages

4.5 Credit Issuance

Service credits will be applied to the Customer’s account within two billing cycles following the approval of the credit request. Credits have no cash value and can only be applied toward future service fees.

4.6 Credit Limitations

The maximum service credit issued for all downtime in a single monthly billing period will not exceed 100% of the monthly subscription fee. For free tier users, alternative compensation in the form of bonus credits may be offered at Innovatica’s discretion.
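As an added worked example (not part of the SLA text), the following Python computes a month's Service Availability from a list of incidents using the Section 2.2 formula, excludes planned maintenance (Section 2.4), merges overlapping incidents so that concurrent component failures are not double-counted, maps the result to the Section 4.1 tier, adds the Section 4.3 extended-outage credit, and caps the total per Section 4.6. Three points the SLA leaves open are treated as assumptions here: overlapping downtime windows count once, the 5% extended-outage credit is granted at most once per month, and an incident spanning a month boundary is clipped to the month being measured. The Incident records at the bottom are constructed sample data.

```python
"""Monthly availability and service-credit calculation for the SLA text above.

Sections referenced: 2.2 (formula), 2.4 (planned maintenance excluded),
4.1 (credit tiers), 4.3 (extended-outage credit), 4.6 (100% cap).
Added example; assumptions not stated in the SLA are marked in comments.
"""
import calendar
from dataclasses import dataclass
from datetime import datetime, timedelta

UPTIME_COMMITMENT = 99.9                # Section 2.1, percent
EXTENDED_OUTAGE = timedelta(hours=12)   # Section 4.3 threshold (must be exceeded)
EXTENDED_OUTAGE_CREDIT = 5              # Section 4.3, percent
MAX_CREDIT = 100                        # Section 4.6, percent


@dataclass(frozen=True)
class Incident:
    start: datetime
    end: datetime
    planned: bool = False  # True = scheduled maintenance (Section 3.1), excluded by Section 2.4


def month_bounds(year, month):
    """Return the first instant of the month and the first instant of the following month."""
    first = datetime(year, month, 1)
    days = calendar.monthrange(year, month)[1]
    return first, first + timedelta(days=days)


def merge_intervals(intervals):
    """Merge overlapping or touching (start, end) pairs so concurrent outages count once."""
    merged = []
    for start, end in sorted(intervals):
        if merged and start <= merged[-1][1]:
            merged[-1] = (merged[-1][0], max(merged[-1][1], end))
        else:
            merged.append((start, end))
    return merged


def downtime_intervals(incidents, year, month):
    """Unplanned downtime windows clipped to the month and merged; planned maintenance is skipped."""
    first, next_first = month_bounds(year, month)
    clipped = []
    for inc in incidents:
        if inc.planned:
            continue
        start, end = max(inc.start, first), min(inc.end, next_first)
        if end > start:
            clipped.append((start, end))
    return merge_intervals(clipped)


def availability_percent(downtime_minutes, total_minutes):
    """Section 2.2: (Total Minutes - Minutes of Downtime) / Total Minutes x 100."""
    return (total_minutes - downtime_minutes) / total_minutes * 100


def tier_credit_percent(availability):
    """Section 4.1 schedule."""
    if availability >= UPTIME_COMMITMENT:
        return 0
    if availability >= 99.0:
        return 10
    if availability >= 95.0:
        return 20
    return 30


def evaluate_month(incidents, year, month, monthly_fee):
    """Availability, credit percentage and credit amount for one billing month.

    monthly_fee is the monthly subscription fee, or one twelfth of an annual fee (Section 4.2).
    """
    first, next_first = month_bounds(year, month)
    total_minutes = (next_first - first).total_seconds() / 60
    windows = downtime_intervals(incidents, year, month)
    downtime = sum((e - s).total_seconds() / 60 for s, e in windows)
    longest = max((e - s for s, e in windows), default=timedelta(0))

    availability = availability_percent(downtime, total_minutes)
    credit = tier_credit_percent(availability)
    # Assumption: the Section 4.3 credit is granted once per month, not once per qualifying outage.
    if longest > EXTENDED_OUTAGE:
        credit += EXTENDED_OUTAGE_CREDIT
    credit = min(credit, MAX_CREDIT)  # Section 4.6 cap
    return {
        "total_minutes": total_minutes,
        "downtime_minutes": downtime,
        "availability_percent": availability,
        "credit_percent": credit,
        "credit_amount": monthly_fee * credit / 100,
    }


if __name__ == "__main__":
    # Constructed sample: a 13-hour unplanned outage and a 2-hour planned maintenance window.
    sample = [
        Incident(datetime(2025, 6, 10, 0, 0), datetime(2025, 6, 10, 13, 0)),
        Incident(datetime(2025, 6, 15, 2, 0), datetime(2025, 6, 15, 4, 0), planned=True),
    ]
    print(evaluate_month(sample, 2025, 6, monthly_fee=100.0))
```

In the sample month (June 2025, 43,200 minutes) the 13-hour outage yields about 98.19% availability, which falls in the 20% tier; because the outage exceeded 12 consecutive hours the Section 4.3 credit is added, giving 25% of the monthly fee. When filing a request under Section 4.4, the merged downtime windows are the dates and times to quote.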

5. PERFORMANCE METRICS AND MONITORING

5.1 Key Performance Indicators

Brilio monitors the following key performance indicators:

  • Service availability (uptime)
  • Average response time
  • Error rates
  • API performance
  • Data processing time

5.2 Performance Dashboards

Enterprise customers receive access to a performance dashboard showing historical performance against these metrics. All customers can view the current platform status at status.brilio.ai.

5.3 Monitoring Systems

Innovatica employs comprehensive monitoring systems to track platform performance, detect anomalies, and trigger alerts for potential service disruptions.

6. SUPPORT RESPONSE TIMES

6.1 Incident Severity Classification

Support issues are classified into the following severity levels:

Critical (P1): Complete platform unavailability or severe degradation affecting all users.

High (P2): Significant functionality impairment affecting multiple users or core platform features.

Medium (P3): Limited functionality issues affecting a subset of users or non-critical features.

Low (P4): General inquiries, feature requests, or minor issues with minimal business impact.

6.2 Response Time Commitments

Innovatica commits to the following initial response times:

  • Critical (P1) issues: Within 4 hours, 24/7
  • High (P2) issues: Within 1 business day
  • Medium (P3) issues: Within 3 business days
  • Low (P4) issues: Within 5 business days

6.3 Resolution Time Targets

While resolution times may vary based on issue complexity, Innovatica targets the following resolution timeframes:

  • Critical (P1) issues: 24 hours
  • High (P2) issues: 3 business days
  • Medium (P3) issues: 5 business days
  • Low (P4) issues: 10 business days or scheduled for future release

6.4 Support Hours

Standard Support: Monday to Friday, 9:00 AM to 5:00 PM Gulf Standard Time (GST), excluding UAE public holidays.

Premium and Enterprise Support: 24/7 support for Critical (P1) issues, with standard hours for all other severity levels.

6.5 Support Channels

Support is available through:

  • Email: support@brilio.ai
  • In-platform ticketing system
  • Documentation and knowledge base
  • Live chat (Premium and Enterprise tiers only)

7. ESCALATION PROCEDURES

7.1 Escalation Path

If a support issue remains unresolved within the target resolution time, Customers may escalate as follows:

  1. First-level escalation: Support Team Lead
  2. Second-level escalation: Technical Operations Manager
  3. Final escalation: Chief Technology Officer

7.2 Escalation Process

To initiate an escalation, Customers should reference their original support ticket number and contact support@brilio.ai with “ESCALATION” in the subject line, providing:

  • Ticket number
  • Reason for escalation
  • Business impact
  • Requested resolution timeframe

7.3 Status Updates

During critical incidents, Innovatica will provide regular status updates at intervals appropriate to the issue severity:

  • Critical (P1): Every 4 hours or upon significant developments
  • High (P2): Daily
  • Medium (P3) and Low (P4): As developments occur

8. DISASTER RECOVERY AND BUSINESS CONTINUITY

For complete details on our disaster recovery procedures, please refer to our Business Continuity and Disaster Recovery Policy, which is incorporated by reference into this SLA.

8.1 Data Backup

Customer data is backed up daily to ensure recovery in case of system failure. Backup retention periods are as follows:

  • Daily backups: 7 days
  • Weekly backups: 4 weeks
  • Monthly backups: 3 months

8.2 Recovery Time Objective (RTO)

In the event of a disaster, Innovatica targets the following recovery timeframes:

  • Critical systems: 4 hours
  • Secondary systems: 12 hours
  • Non-critical systems: 24 hours

8.3 Recovery Point Objective (RPO)

Innovatica’s target for data recovery point is 24 hours, meaning that in a disaster scenario, data loss should not exceed 24 hours of data.

8.4 Disaster Recovery Testing

Disaster recovery procedures are tested quarterly to ensure their effectiveness and identify areas for improvement.

9. SECURITY INCIDENT RESPONSE

9.1 Security Incident Notification

In the event of a confirmed security breach affecting Customer data, Innovatica will notify affected Customers within 72 hours of confirmation, in accordance with applicable data protection regulations, including but not limited to GDPR and CCPA as referenced in our Security Policy.

9.2 Incident Response Plan

Innovatica maintains a comprehensive security incident response plan that includes:

  • Incident detection and classification
  • Containment strategies
  • Forensic investigation
  • Remediation and recovery
  • Post-incident analysis

9.3 Security Assessments

Innovatica conducts regular security assessments, including vulnerability scans and penetration testing, to identify and address potential security risks. The Brilio platform infrastructure is independently reviewed by security experts to identify weaknesses in platform components and reduce the likelihood and impact of a breach.

For complete details on our security practices, please refer to our Security Policy, which is incorporated by reference into this SLA.

10. CHANGES TO SERVICE

10.1 Platform Evolution

The Brilio platform is designed to evolve over time, allowing incorporation of newly available components such as LLMs, data parsing, processing and transforming tools, and other features needed to stay competitive. As specified in our Master Terms of Service, such evolution may include updates to third-party integrations, including but not limited to OpenAI, Claude, LlamaIndex, Stripe, and other providers that enhance platform functionality.

10.2 Change Notification

For any significant changes to the platform, including major updates, feature removals, or system upgrades, Innovatica will provide users with a minimum 30 days’ notice via email, in-app notifications, or other appropriate channels.

10.3 Emergency Changes

In cases of emergency or unforeseen circumstances, Innovatica may provide a shorter notice period but will make every effort to minimize disruption and ensure users are adequately informed.

11. SERVICE DISCONTINUATION

11.1 Notice Period

If the Brilio platform service is discontinued, Innovatica will provide users with a 60-day notice to ensure a smooth transition.

11.2 Data Export

During this period, users will have the option to export their data in a commonly used format (e.g., CSV, JSON) to facilitate migration to another service. Innovatica will make tools available to assist with the export process, ensuring that data can be transferred securely in accordance with our Data Retention and Deletion Policy. For Agent creators, this will include the ability to export their agents’ knowledge bases, training data, and configuration settings.

11.3 Transition Assistance

In the event of service discontinuation, Innovatica will provide transition assistance to help users migrate their data and operations to alternative solutions, including:

  • Data Export Tools: Tools for exporting data in standard formats available during the 60-day notice period
  • Technical Support: Support team assistance with data export, migration-related questions, and guidance on the transition process
  • Documentation: Clear documentation outlining the steps for data export and migration
  • Extended Support: Possible extended support or custom migration services for an additional fee based on individual requirements

12. LIMITATIONS OF LIABILITY

12.1 Service Credit Exclusivity

The service credits described in this SLA represent the sole and exclusive remedy for any failure by Innovatica to meet the service level commitments outlined herein.

12.2 General Liability

Innovatica’s liability for any claims arising from the use of the platform is limited to the amount paid by the user for the service in the 6 months preceding the claim. This limitation applies regardless of the cause of the claim, whether it is contractual, tortious, or based on other legal theories.

12.3 Data Loss or Corruption

Innovatica is not liable for any loss, corruption, or damage to user data, including but not limited to issues arising from system failures, user error, or unauthorized access. Users are encouraged to maintain their own data backups.

12.4 Service Interruptions

In the event of service interruptions, Innovatica’s liability is limited to providing a service credit as outlined in this SLA. Innovatica is not liable for any indirect, incidental, or consequential damages, including loss of profits, reputation, or business opportunities, resulting from downtime.

12.5 Third-Party Services

Innovatica is not liable for any issues arising from third-party services integrated with the platform, such as cloud infrastructure, APIs, or external software. The liability for such issues lies with the third-party provider, and users are encouraged to refer to their respective SLAs.

12.6 Force Majeure

Neither party will be held liable for any failure or delay in performing its obligations under the agreement due to circumstances beyond its reasonable control, including but not limited to natural disasters, acts of government, war, terrorism, labor strikes, internet outages, or any other events deemed as force majeure. In such cases, the affected party must promptly notify the other party and make reasonable efforts to resume performance. If the force majeure event continues for more than 30 days, either party may terminate the agreement without liability.

13. DISPUTE RESOLUTION

13.1 Arbitration

In the event of any disputes arising from the use of the Brilio platform, both parties agree to resolve the matter through binding arbitration, rather than through court proceedings. Arbitration will be conducted under the rules of the International Chamber of Commerce (ICC) and will take place in Abu Dhabi, United Arab Emirates, unless otherwise mutually agreed. The decision made by the arbitrator(s) will be final and legally binding. Both parties agree to bear their own legal costs and share equally in the costs of the arbitration process.

13.2 Limitation Period

Any claims arising from the use of the Brilio platform must be initiated within 12 months from the date the cause of action arose. After this period, any claims or disputes related to the platform will be barred and cannot be pursued. This limitation period applies to all claims, including those related to contract breaches, damages, or other legal matters.

13.3 Class Action Waiver

Both parties agree that any disputes or claims arising from the use of the Brilio platform will be resolved individually and not as part of any class, collective, or representative action. Users waive the right to participate in any class action, collective action, or similar proceeding. All claims must be brought on an individual basis in arbitration, as specified in the dispute resolution section. This waiver applies to the fullest extent permitted by law.

14. GOVERNING LAW

14.1 Applicable Law

This SLA shall be governed by and construed in accordance with the laws of the United Arab Emirates, without giving effect to any principles of conflicts of law.

14.2 Jurisdiction

Subject to the arbitration provisions in Section 13, the courts of Ras Al Khaimah, United Arab Emirates, shall have exclusive jurisdiction to adjudicate any dispute arising out of or in connection with this SLA.

15. SLA MODIFICATIONS

15.1 SLA Updates

Innovatica reserves the right to modify this SLA at any time. Any material changes will be communicated to Customers at least 30 days prior to implementation.

15.2 Continued Use

Customer’s continued use of the Brilio platform following the effective date of any SLA modification constitutes acceptance of the modified terms.

16. RELATIONSHIP WITH BUSINESS CONTINUITY AND DISASTER RECOVERY POLICY

16.1 Incorporation by Reference

This SLA incorporates the Business Continuity and Disaster Recovery Policy by reference. In the event of any conflict between this SLA and the Business Continuity and Disaster Recovery Policy, the terms of this SLA shall prevail.

16.2 Policy Updates

Any updates to the Business Continuity and Disaster Recovery Policy will be communicated to users following the same notification procedures outlined in Section 15 of this SLA.

17. DATA PROCESSING AND COMPLIANCE

17.1 Compliance Framework

Innovatica complies with relevant data protection regulations, including but not limited to the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and other applicable regulations. The specific terms governing data processing activities are detailed in our Data Processing Agreement.

17.2 Data Processing Activities

As detailed in our Privacy Policy and Data Processing Agreement, Brilio processes user data for the purposes of:

  • Providing and maintaining the Platform
  • Improving and developing the Platform
  • Ensuring security and preventing fraud
  • Providing customer support
  • Complying with legal obligations

17.3 Data Processing Agreement

Enterprise customers and other users, as applicable, may be required to enter into a Data Processing Agreement with Innovatica. This agreement details the specific terms under which Innovatica processes user data and ensures compliance with applicable data protection laws.

18. AGENT-SPECIFIC PROVISIONS

18.1 Agent Content and Functionality

Innovatica is not responsible for the content, accuracy, or functionality of Agents created by users or third parties. Users are solely responsible for the Agents they create and the data they use to train these Agents.

18.2 Agent Availability

The availability of user-created Agents is subject to the same uptime guarantees as the broader Brilio platform, as outlined in Section 2 of this SLA. However, performance issues specific to individual Agents due to their configuration, training data, or other factors controlled by the Agent creator are not covered by these guarantees.

18.3 Agent Monitoring

Innovatica monitors Agents for compliance with our Acceptable Use Policy and Agent Content Guidelines. Agents found to be in violation of these policies may be removed or suspended in accordance with our enforcement procedures.

19. INTELLECTUAL PROPERTY PROVISIONS

19.1 Ownership of Platform

Innovatica retains all rights, title, and interest in and to the Brilio platform, including all related intellectual property rights. This SLA does not grant users any rights to the Platform except for the limited right to use the Platform as permitted by this SLA and the Master Terms of Service.

19.2 User-Generated Content

As detailed in our Intellectual Property License Agreement and AI Output Ownership and Assignment Agreement, the ownership and licensing of content created using the Platform is governed by specific terms based on the type of content and the subscription tier of the user.

19.3 Agent Content

Agent creators retain ownership of their Agent content as specified in the Agent Creator Agreement and the Intellectual Property License Agreement. Agent users receive a license to use Agent-generated content according to the terms specified by the Agent creator and Innovatica’s Master Terms of Service.

20. SUBSCRIPTION-SPECIFIC PROVISIONS

20.1 Service Levels by Subscription Tier

Different subscription tiers (free, standard, plus, premium, and enterprise) may receive different levels of service, particularly regarding support response times and availability.

20.2 Enterprise Custom Terms

Enterprise subscribers may negotiate custom SLA terms as part of their Enterprise Subscription Agreement. In the event of any conflict between this SLA and the custom terms in an Enterprise Subscription Agreement, the custom terms shall prevail for that specific Enterprise subscriber.

21. CONTACT INFORMATION

For questions regarding this SLA or to report service issues, please contact:

Support Email: support@innovatica.ai
Legal Inquiries: legal@innovatica.ai
Business Hours: Monday to Friday, 9:00 AM to 5:00 PM GST
Physical Address: VUNE0632, Compass Building – Al Hulaila, Al Hulaila Industrial Zone-FZ, Ras Al Khaimah, United Arab Emirates


BRILIO SECURITY POLICY

Last Updated: 20/May/2025 02:37

1. INTRODUCTION

1.1 Purpose and Scope. This Security Policy (“Policy”) outlines the security measures, protocols, and standards implemented by Innovatica Technologies FZ-LLC (“Innovatica,” “we,” “us,” or “our”) to protect the Brilio platform (“Brilio” or the “Platform”), its infrastructure, and all data processed within it. This Policy applies to all users, employees, contractors, and third parties who access or use the Brilio platform.

1.2 Relationship to Other Documents. This Policy is part of Innovatica’s comprehensive legal framework for the Brilio platform and should be read in conjunction with our:

  1. Terms of Service
  2. Privacy Policy
  3. Data Processing Agreement
  4. Data Retention and Deletion Policy
  5. Business Continuity and Disaster Recovery Policy
  6. Service Level Agreement
  7. Acceptable Use Policy
  8. AI Ethics and Responsible Use Policy
  9. Intellectual Property License Agreement
  10. API Terms of Use

In case of any conflict between this Policy and any of the above documents, the more specific document shall prevail with respect to its subject matter.

1.3 Security Commitment. Innovatica is committed to maintaining a high standard of security for the Brilio platform. Our infrastructure undergoes regular independent security reviews by qualified experts to identify and mitigate vulnerabilities and to protect our systems and user data. We take proactive measures to prevent, detect, and respond to security incidents while continuously improving our security posture.

2. DATA ENCRYPTION AND PROTECTION

2.1 Encryption Standards

2.1.1 Data in Transit. All data transmitted to and from the Brilio platform is encrypted using Transport Layer Security (TLS) version 1.2 or higher, and we commit to adopting newer TLS versions as they become industry standard. This protects communications between users and the Platform against interception and tampering in transit.

2.1.2 Data at Rest. All data stored on the Brilio platform is automatically encrypted at rest using the Advanced Encryption Standard with 256-bit keys (AES-256). This includes:

  1. User account information
  2. Agent data and content
  3. Knowledge bases
  4. Uploaded documents
  5. Vectorized data and data chunks
  6. Log files and analytics data

2.1.3 Key Management. We implement robust key management procedures including:

  1. Regular key rotation schedules
  2. Secure key storage using hardware security modules (HSMs)
  3. Strict access controls for encryption keys
  4. Separation of duties for key management personnel

2.2 Data Classification. Data on the Brilio platform is classified according to sensitivity levels in compliance with industry standards and applicable regulations to ensure appropriate security controls are applied:

Classification | Description                                  | Examples                                     | Security Controls
Public         | Information intended for public consumption  | Agent descriptions, public documentation     | Standard platform security
Internal       | Information for internal use                 | System configurations, non-sensitive logs    | Access controls, encryption
Confidential   | Sensitive information                        | User personal data, payment information      | Strong encryption, strict access controls, audit logging
Restricted     | Highly sensitive information                 | Authentication credentials, encryption keys  | Highest level of protection, specialized access controls

3. ACCESS CONTROL

3.1 Role-Based Access Control (RBAC). Brilio implements a comprehensive Role-Based Access Control (RBAC) system to ensure that access to platform resources is strictly limited to authorized personnel on a need-to-know basis. The RBAC system implements the principle of least privilege, ensuring users have only the minimum permissions necessary to perform their job functions.

3.1.1 Standard User Roles:

  1. Platform Administrator: Full access to all platform settings and configurations
  2. Security Administrator: Access to security settings, audit logs, and incident response tools
  3. Support Personnel: Limited access to troubleshoot user issues
  4. Agent Creator: Access to create and manage AI agents
  5. End User: Access to utilize AI agents according to permissions

3.1.2 Access Review Procedures:

  1. All user access rights are reviewed quarterly
  2. Privileged accounts are reviewed monthly
  3. Changes in job responsibilities trigger immediate access right reviews
  4. Automated tools monitor and alert on unusual access patterns

3.2 Authentication Security

3.2.1 Password Requirements:

  1. Minimum length of 12 characters
  2. Complexity requirements (combination of uppercase, lowercase, numbers, and special characters)
  3. Password history enforcement (previous 10 passwords cannot be reused)
  4. Maximum password age of 90 days
  5. Account lockout after 5 failed login attempts within a 30-minute period
  6. Notification to users of password change or reset attempts
  7. Option for users to view their recent login history
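The following Python is an added example, not Brilio's own code, showing how the controls listed in 3.2.1 fit together when enforced server-side: the 12-character minimum and four-class complexity check, a history of the previous 10 passwords kept only as salted hashes, the 90-day maximum age, and lockout after 5 failed attempts inside a rolling 30-minute window. The policy does not say how long a lockout lasts, so a 30-minute lockout is an assumption; PBKDF2-HMAC-SHA256 from the standard library stands in for whatever password hash the Platform actually uses. A locked account is answered before the password is verified, so an attacker cannot keep probing credentials during the lockout.

```python
"""Password controls from Section 3.2.1 as runnable checks (added example).

Implements: minimum length 12, four-class complexity, a 10-password history,
a 90-day maximum age, and lockout after 5 failed logins inside a rolling
30-minute window. Hashing uses PBKDF2-HMAC-SHA256 from the standard library.
The lockout duration is an assumption; the policy does not specify one.
"""
import hashlib
import hmac
import os
import string
from collections import deque
from datetime import datetime, timedelta

MIN_LENGTH = 12
HISTORY_DEPTH = 10
MAX_AGE = timedelta(days=90)
MAX_FAILURES = 5
FAILURE_WINDOW = timedelta(minutes=30)
LOCKOUT_DURATION = timedelta(minutes=30)  # assumption: policy gives no value
PBKDF2_ITERATIONS = 100_000


def check_complexity(password):
    """Return a list of policy violations; an empty list means the password is compliant."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    required = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "special": any(c in string.punctuation for c in password),
    }
    problems.extend(f"missing {name} character" for name, ok in required.items() if not ok)
    return problems


def hash_password(password, salt=None):
    """Salted PBKDF2 digest; a fresh random salt is drawn when none is given."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate against a stored (salt, digest) pair."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class Account:
    def __init__(self, password, now):
        # Current password plus the ten before it, stored only as salted hashes.
        self.history = deque(maxlen=HISTORY_DEPTH + 1)
        self.failures = deque()          # timestamps of recent failed logins
        self.locked_until = None
        self.changed_at = now
        self.salt, self.digest = hash_password(password)
        self.history.append((self.salt, self.digest))

    def password_expired(self, now):
        """Maximum password age of 90 days."""
        return now - self.changed_at > MAX_AGE

    def change_password(self, new_password, now):
        """Apply complexity and history rules; return violations, or [] after a successful change."""
        problems = check_complexity(new_password)
        if any(verify(new_password, s, d) for s, d in self.history):
            problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
        if problems:
            return problems
        self.salt, self.digest = hash_password(new_password)
        self.history.append((self.salt, self.digest))
        self.changed_at = now
        self.failures.clear()
        return []

    def login(self, password, now):
        """Return 'ok', 'invalid' or 'locked'. A locked account is not verified at all."""
        while self.failures and now - self.failures[0] > FAILURE_WINDOW:
            self.failures.popleft()      # drop failures that fell out of the rolling window
        if self.locked_until is not None and now < self.locked_until:
            return "locked"
        if verify(password, self.salt, self.digest):
            self.failures.clear()
            return "ok"
        self.failures.append(now)
        if len(self.failures) >= MAX_FAILURES:
            self.locked_until = now + LOCKOUT_DURATION
            return "locked"
        return "invalid"
```

Two details matter in practice: the failure window is rolling, so five failures spread over an hour never lock the account while five inside thirty minutes do, and the history check has to hash the candidate against every stored salt, which is why the history holds salted hashes rather than plaintext or unsalted digests.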

3.2.2 Multi-Factor Authentication (MFA):

  • MFA is required for all administrative access
  • MFA is strongly recommended for all user accounts
  • MFA is enforced for accounts accessing sensitive data
  • Supported MFA methods include authenticator apps, security keys, and SMS verification

3.2.3 Session Management:

  1. Automatic session timeout after 30 minutes of inactivity
  2. Secure session tokens with appropriate expiration
  3. Session invalidation upon password change or suspicious activity
  4. Concurrent session limitations

3.3 API Authentication and Security:

  1. All API access requires secure authentication using industry-standard protocols
  2. API keys must be stored securely using encryption
  3. API requests are subject to rate limiting with clearly defined thresholds
  4. Automated monitoring systems detect and respond to unusual API usage patterns
  5. Mandatory regular rotation of API credentials based on risk assessment
  6. Implementation of OAuth 2.0 or similar protocols for third-party integrations

4. INFRASTRUCTURE SECURITY

4.1 Cloud Security. Brilio is 100% cloud-hosted, utilizing Microsoft Azure services in the North Europe (Ireland) region. All infrastructure components are deployed within this secure cloud environment in compliance with applicable data protection regulations, including GDPR. There is no on-premises infrastructure. Our cloud security measures include:

4.1.1 Azure Security Controls:

  1. Implementation of Microsoft Defender for Cloud (formerly Azure Security Center) recommendations
  2. Regular review of the Azure Secure Score
  3. Utilization of Azure Security Baselines
  4. Implementation of Azure Policy for security compliance

4.1.2 Network Security:

  1. Virtual network isolation
  2. Network security groups with restrictive rules
  3. Web Application Firewall (WAF) for web-facing components
  4. DDoS protection
  5. Traffic encryption between all services
  6. Regular network vulnerability scanning

4.1.3 Compute Security:

  1. Hardened virtual machine images
  2. Automated patching schedules
  3. Host-based intrusion detection
  4. Immutable infrastructure practices
  5. Container security for containerized workloads

4.2 Physical Security. While Brilio is cloud-hosted, Innovatica maintains physical security controls for:

4.2.1 Corporate Offices:

  1. Access control systems with multi-factor authentication
  2. Video surveillance of all entry points
  3. Visitor management procedures
  4. Alarm systems and monitoring

4.2.2 Employee Equipment:

  1. Disk encryption for all company devices
  2. Mobile device management (MDM) solutions
  3. Clear desk and clear screen policies
  4. Secure disposal procedures for hardware

5. VULNERABILITY MANAGEMENT

5.1 Vulnerability Assessment

5.1.1 Regular Scanning Schedule:

  1. Weekly automated vulnerability scans
  2. Monthly comprehensive vulnerability assessments
  3. Quarterly independent security assessments
  4. Annual penetration testing

5.1.2 Vulnerability Prioritization. Vulnerabilities are prioritized based on:

  1. CVSS score
  2. Exploitation potential
  3. Data sensitivity
  4. Business impact

5.2 Patch Management

5.2.1 Patching Timelines:

  1. Critical vulnerabilities: Within 24 hours
  2. High vulnerabilities: Within 7 days
  3. Medium vulnerabilities: Within 30 days
  4. Low vulnerabilities: Next maintenance cycle

5.2.2 Patch Testing:

  1. Testing in development environment prior to production deployment
  2. Rollback procedures for failed patches
  3. Change management documentation for all patches

5.3 Code Security

5.3.1 Secure Development Practices:

  1. Secure coding standards for all developers
  2. Security code reviews
  3. Static application security testing (SAST)
  4. Dynamic application security testing (DAST)
  5. Software composition analysis to identify vulnerable dependencies

5.3.2 DevSecOps Integration:

  1. Security integrated throughout the development pipeline
  2. Automated security testing in CI/CD processes
  3. Security as code implementation
  4. Immutable infrastructure deployment

6. SECURITY TESTING AND AUDITING

6.1 Testing Schedule

Security Activity            | Frequency               | Responsibility         | Documentation Requirements
Vulnerability Scanning       | Weekly                  | Security Team          | Scan reports, remediation plans
Penetration Testing          | Annually                | External Security Firm | Detailed findings, recommendations, remediation plan
Red Team Exercises           | Annually                | External Security Firm | Exercise scope, findings, lessons learned
Application Security Testing | With each major release | Development Team       | Test results, security signoff
Social Engineering Tests     | Bi-annually             | Security Team          | Test methodology, results, training needs

6.2 Audit and Compliance

6.2.1 Internal Audits:

  1. Quarterly internal security audits
  2. Review of security controls effectiveness
  3. Policy compliance verification
  4. Access rights review
  5. Security metrics assessment

6.2.2 External Audits:

  1. Annual third-party security assessments
  2. Compliance audits as required by regulations
  3. Customer security assessment facilitation

6.3 Security Certifications. Innovatica pursues the following security certifications for the Brilio platform:

  1. ISO/IEC 27001 (Information Security Management)
  2. SOC 2 Type II
  3. Cloud Security Alliance STAR certification
  4. GDPR compliance validation
  5. Additional regional certifications as required by our global operations and customer base

Additional certifications may be pursued based on business requirements and market demands.

7. INCIDENT RESPONSE

7.1 Incident Response Plan. Innovatica maintains a comprehensive Incident Response Plan that includes:

7.1.1 Incident Classification:

Severity | Description | Examples | Response Time | Notification Requirements
--- | --- | --- | --- | ---
Critical | Severe impact on service, data, or reputation | Data breach, system compromise, unauthorized access to sensitive data | Immediate (within 15 minutes) | Executive team, affected users, regulators as required by applicable laws including GDPR, UAE Federal Decree-Law No. 45 of 2021, CCPA, and other relevant regulations
High | Significant impact on service or security | Targeted attack, unauthorized access | < 1 hour | Security team, affected department heads
Medium | Limited impact on service or security | Suspicious activity, minor vulnerabilities | < 4 hours | Security team
Low | Minimal impact on service or security | Policy violations, minor issues | < 24 hours | Team lead

7.1.2 Incident Response Phases:

  1. Preparation: Maintaining response capabilities, tools, and procedures
  2. Detection and Analysis: Identifying and assessing security events
  3. Containment: Limiting the impact of confirmed incidents
  4. Eradication: Removing the cause of the incident
  5. Recovery: Restoring systems to normal operation
  6. Post-Incident Analysis: Learning from incidents to improve security

7.2 Security Incident Reporting

7.2.1 Internal Reporting. All employees, contractors, and third-party service providers are required to report suspected security incidents immediately to the security team through:

  1. Dedicated security incident email address
  2. Security incident hotline
  3. Security incident reporting portal

7.2.2 External Reporting. For external security researchers and users who discover potential security vulnerabilities:

  1. Responsible disclosure program with clearly defined scope and guidelines
  2. Dedicated security contact information prominently displayed on our website
  3. Vulnerability reporting process with guaranteed acknowledgment within 24 hours
  4. Bug bounty program with defined reward tiers for different severity levels
  5. Legal safe harbor provisions for good-faith security research

7.3 Data Breach Response. In the event of a confirmed data breach:

7.3.1 Notification Timeline:

  1. Internal stakeholders: Within 24 hours
  2. Affected users: As required by applicable laws and regulations (generally within 72 hours)
  3. Regulatory authorities: As required by applicable laws and regulations (generally within 72 hours)

7.3.2 Notification Content. Breach notifications will include, as applicable:

  1. Description of the breach
  2. Categories of data affected
  3. Approximate number of individuals affected
  4. Potential consequences of the breach
  5. Measures taken to address the breach
  6. Contact information for further inquiries

8. EMPLOYEE SECURITY

8.1 Security Training

8.1.1 Training Requirements:

  1. Comprehensive security awareness training for all employees upon hiring with documented completion requirements
  2. Quarterly security refresher training for all employees with validation of understanding
  3. Monthly security bulletins and updates on emerging threats
  4. Role-specific technical security training for development and operations staff
  5. Advanced security certification requirements for security team members
  6. Specialized training on data protection regulations including GDPR, CCPA, and UAE data protection laws

8.1.2 Training Content:

  1. Data protection and privacy
  2. Secure coding practices (for developers)
  3. Password security and authentication
  4. Phishing awareness
  5. Social engineering defense
  6. Incident reporting procedures
  7. Compliance requirements

8.2 Personnel Security

8.2.1 Pre-Employment:

  1. Background checks for all employees
  2. Reference verification
  3. Verification of credentials and qualifications
  4. Signing of confidentiality and acceptable use agreements

8.2.2 During Employment:

  1. Regular performance evaluations including security aspects
  2. Ongoing security training and awareness
  3. Clear documentation of security responsibilities

8.2.3 Termination of Employment:

  1. Prompt revocation of access rights
  2. Return of all company equipment and data
  3. Exit interviews including security reminders
  4. Continuing obligations regarding confidentiality

9. THIRD-PARTY SECURITY

9.1 Third-Party Risk Management. The Brilio platform integrates with third-party services and products including but not limited to OpenAI, Anthropic (Claude), LlamaIndex, and Stripe. To manage the security risks associated with these integrations while ensuring compliance with applicable regulations:

9.1.1 Vendor Assessment:

  1. Security assessment prior to engagement
  2. Review of vendor security documentation
  3. Verification of security certifications
  4. Assessment of compliance with relevant regulations

9.1.2 Contractual Requirements:

  1. Comprehensive security requirements in all third-party service agreements
  2. Data protection clauses aligned with GDPR, CCPA, and UAE Federal Decree-Law No. 45 of 2021
  3. Clearly defined data processing roles (controller/processor)
  4. Mandatory right to audit provisions with defined frequency
  5. Incident reporting obligations with specific timeframes (within 24 hours)
  6. Requirement for third parties to maintain compliance with this Security Policy
  7. Provisions for secure and compliant termination of services

9.2 Ongoing Monitoring:

  1. Regular security reviews of critical vendors
  2. Tracking of vendor security incidents
  3. Assessment of vendor security patches and updates
  4. Review of vendor security certifications and audits

10. COMPLIANCE AND STANDARDS

10.1 Regulatory Compliance. Innovatica ensures the Brilio platform complies with applicable laws and regulations worldwide, including but not limited to:

  1. General Data Protection Regulation (GDPR)
  2. California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
  3. Virginia Consumer Data Protection Act (VCDPA)
  4. Colorado Privacy Act (CPA)
  5. Health Insurance Portability and Accountability Act (HIPAA), where applicable
  6. UAE Federal Decree-Law No. 45 of 2021 on Personal Data Protection
  7. UAE Federal Decree-Law No. 34 of 2021 on Combatting Rumors and Cybercrimes
  8. Personal Data Protection Act (Singapore)
  9. Personal Information Protection Law (China)
  10. Other applicable regional data protection and cybersecurity regulations

10.2 Security Standards. The Brilio platform security controls are aligned with industry-recognized standards and frameworks, including:

  1. ISO/IEC 27001, 27017, and 27018
  2. NIST Cybersecurity Framework
  3. CIS Controls
  4. OWASP Top 10
  5. Cloud Security Alliance Cloud Controls Matrix

10.3 Compliance Monitoring:

  1. Regular compliance assessments
  2. Automated compliance monitoring tools
  3. Compliance reporting to management
  4. Remediation planning for compliance gaps

11. BUSINESS CONTINUITY AND DISASTER RECOVERY

For detailed information on our business continuity and disaster recovery procedures, please refer to our Business Continuity and Disaster Recovery Policy. The security aspects outlined in this section are intended to complement the comprehensive measures detailed in that policy, with a specific focus on maintaining security controls during system recovery operations. Key security aspects include:

11.1 Backup and Recovery:

  1. Regular automated backups of all critical data
  2. Encryption of backup data
  3. Secure offsite storage of backups
  4. Regular testing of restore procedures

11.2 Resilience:

  1. Redundant infrastructure components
  2. Geographic distribution of services
  3. High availability configurations
  4. Load balancing and failover capabilities

12. MONITORING AND LOGGING

12.1 Security Monitoring

12.1.1 Monitoring Systems:

  1. Security Information and Event Management (SIEM) system
  2. Intrusion Detection and Prevention Systems (IDPS)
  3. Network traffic analysis
  4. User behavior analytics
  5. Application performance monitoring

12.1.2 Alert Management:

  1. Security alert prioritization
  2. Escalation procedures
  3. 24/7 monitoring for critical systems
  4. Automated response capabilities for common threats

12.2 Log Management

12.2.1 Log Collection:

  1. Centralized log collection from all systems with real-time aggregation capabilities
  2. Tamper-proof log integrity protection using cryptographic mechanisms
  3. Retention in accordance with our Data Retention and Deletion Policy, with a minimum retention period of 12 months for security-relevant logs
  4. Strict log access controls with multi-factor authentication for security personnel
  5. Immutable log storage for critical security events
  6. Compliance with regulatory requirements for log retention in relevant jurisdictions

12.2.2 Log Analysis:

  1. Automated log analysis for security events
  2. Correlation of events across systems
  3. Regular log reviews by security personnel
  4. Forensic capabilities for incident investigation

13. SECURITY POLICY MANAGEMENT

13.1 Policy Review. This Security Policy will be reviewed:

  1. Annually as part of our regular security review process
  2. Following significant security incidents
  3. When there are major changes to our infrastructure or business operations
  4. In response to changes in applicable laws or regulations

13.2 Policy Updates. Updates to this Security Policy will be:

  1. Approved by senior management
  2. Documented with version control
  3. Communicated to all relevant stakeholders
  4. Implemented with appropriate training and awareness

13.3 Policy Exceptions. Exceptions to this Security Policy may be granted only:

  1. In writing by the Chief Information Security Officer or equivalent, with documented approval from senior management
  2. For a specific, limited timeframe not exceeding 90 days without re-approval
  3. With comprehensive compensating controls documented and implemented
  4. With mandatory monthly review of all active exceptions
  5. With a formal risk assessment conducted and documented for each exception
  6. With a remediation plan to achieve full compliance within the exception timeframe

14. AI SECURITY CONSIDERATIONS

14.1 AI Model Security

14.1.1 Model Integrity:

  1. Protection against model poisoning attacks
  2. Verification of model origin and integrity
  3. Secure model update processes
  4. Version control and rollback capabilities for AI models

14.1.2 Prompt Injection Prevention:

  1. Input validation and sanitization for all AI interactions
  2. Detection systems for malicious prompt patterns
  3. Containment mechanisms for potential prompt injection attacks
  4. Regular review and updates of injection prevention measures

14.1.3 Output Filtering:

  1. Content safety filtering for all AI-generated outputs
  2. Detection and prevention of harmful or inappropriate content
  3. Bias detection and mitigation mechanisms
  4. Human review processes for flagged content

14.2 AI Data Security

14.2.1 Training Data Protection:

  1. Secure storage of AI training datasets
  2. Data minimization and pseudonymization where applicable
  3. Access controls specific to training data
  4. Audit logs for all access to training datasets

14.2.2 Inference Data Protection:

  1. Secure handling of user inputs to AI systems
  2. Encryption of inference requests and responses
  3. Minimization of data retention from inference operations
  4. Clear boundaries between user data spaces

14.3 AI Risk Management

14.3.1 Risk Assessment:

  1. Regular AI-specific security risk assessments
  2. Evaluation of potential misuse scenarios
  3. Assessment of data leakage risks
  4. Vulnerability analysis for AI components

14.3.2 Mitigation Strategies:

  1. Implementation of rate limiting for AI services
  2. Usage monitoring and anomaly detection
  3. Containment strategies for compromised AI systems
  4. Fallback mechanisms for AI system failures

15. PRIVACY-ENHANCING TECHNOLOGIES

15.1 Data Minimization Techniques

15.1.1 Purpose Limitation:

  1. Collection and processing of data only for specified, explicit purposes
  2. Regular review of data collection practices to ensure alignment with stated purposes
  3. Technical controls to prevent use beyond specified purposes

15.1.2 Technical Measures:

  1. Automated data minimization processes
  2. Use of differential privacy techniques where appropriate
  3. Implementation of data anonymization and pseudonymization
  4. Structured processes for data deletion when no longer needed

15.2 Privacy by Design Implementation

15.2.1 Development Lifecycle Integration:

  1. Privacy risk assessments at each development stage
  2. Privacy-focused architecture reviews
  3. Regular privacy impact assessments
  4. Integration of privacy requirements into the software development lifecycle

15.2.2 Default Privacy Settings:

  1. Privacy-protective default configurations
  2. User-friendly privacy controls
  3. Granular consent management systems
  4. Transparent data usage indicators

15.3 Cross-Border Data Transfers

15.3.1 Transfer Mechanisms:

  1. Implementation of appropriate safeguards for international data transfers
  2. Standard contractual clauses where applicable
  3. Assessment of receiving country’s data protection framework
  4. Technical measures to ensure compliance with transfer restrictions

15.3.2 Data Sovereignty Controls:

  1. Geofencing capabilities for data storage and processing
  2. Regional deployment options to meet data residency requirements
  3. Data location tracking and verification mechanisms
  4. Compliance documentation for regional data protection requirements

16. SUPPLY CHAIN SECURITY

16.1 Third-Party Security Assessment

16.1.1 Vendor Security Qualification:

  1. Initial security assessment before engagement
  2. Documentation of vendor security posture
  3. Verification of security certifications and compliance
  4. Risk-based vendor categorization

16.1.2 Continuous Monitoring:

  1. Ongoing assessment of vendor security practices
  2. Periodic reassessment based on risk level
  3. Monitoring of vendor security incidents
  4. Tracking of vendor software updates and patches

16.2 Software Supply Chain Security

16.2.1 Software Composition Analysis:

  1. Inventory of all third-party components and dependencies
  2. Automated scanning for known vulnerabilities
  3. Version control and update management
  4. License compliance verification

16.2.2 Secure Development Practices:

  1. Verification of vendor secure development processes
  2. Code signing requirements for third-party software
  3. Integrity verification of software components
  4. Security testing of third-party integrations

16.3 Hardware and Infrastructure Supply Chain

16.3.1 Cloud Provider Security:

  1. Thorough assessment of Azure security controls
  2. Monitoring of cloud provider compliance status
  3. Verification of cloud provider security certifications
  4. Regular review of shared responsibility implementation

16.3.2 Physical Infrastructure (where applicable)

  1. Secure procurement processes for hardware components
  2. Verification of hardware authenticity
  3. Secure configuration baseline for all infrastructure components
  4. Chain of custody documentation for critical hardware

17. SECURITY METRICS AND REPORTING

17.1 Key Security Indicators

17.1.1 Operational Metrics:

  1. Mean time to detect security incidents
  2. Mean time to respond to security incidents
  3. Patch implementation timeframes
  4. Security control effectiveness measurements
  5. Vulnerability remediation timeframes

17.1.2 Risk Metrics:

  1. Number of identified security risks by severity
  2. Risk remediation rates
  3. Changes in risk scores over time
  4. Security debt measurements

17.2 Executive Reporting

17.2.1 Reporting Frequency:

  1. Monthly security status reports to senior management
  2. Quarterly comprehensive security reports to executive leadership
  3. Annual security program assessment
  4. Ad-hoc critical issue reporting as needed

17.2.2 Report Content:

  1. Summary of security incidents and responses
  2. Key security metrics and trends
  3. Progress on security initiatives
  4. Resource allocation and budget utilization
  5. Emerging threats and mitigation strategies

17.3 Customer Security Reporting

17.3.1 Transparency Reports:

  1. Regular publication of sanitized security metrics
  2. Incident disclosure in accordance with regulatory requirements
  3. Documentation of security program improvements
  4. Verification of security certification status

17.3.2 Customer-Specific Reporting:

  1. Custom security reports for enterprise customers
  2. Security review meetings with key customers
  3. Evidence sharing for customer compliance requirements
  4. Security roadmap communications

18. CONTACT INFORMATION

For questions, concerns, or to report security incidents related to the Brilio platform, contact:

  • Security Operations Center (24/7): security@innovatica.ai
  • Emergency Incident Reporting: +971 509 083 742 (24/7)
  • Non-Emergency Security Inquiries: +971 509 083 742 (business hours)
  • Data Protection Officer: dpo@innovatica.ai

19. GOVERNING LAW

This Security Policy shall be governed by and construed in accordance with the laws of the United Arab Emirates, without regard to its conflict of law provisions.