Contiinex

Security and Data Privacy Policy

Effective Date: December 2023

Welcome to Contiinex! As an AI-based software product company, we are dedicated to
upholding the security and privacy of our users. This Security and Data Privacy Policy
outlines how we collect, use, and protect your information in the context of our AI software products. By using our AI products, you agree to the terms of this policy.

  1. Information We Collect
    1. Interaction Data
      We collect information pertaining to your interactions with our software, including queries,
      preferences, and user-specific patterns.
    2. Technical Data
      Automatically gathered technical data includes information about your device, software
      configurations, and AI model usage patterns. This data is crucial for refining the
      performance and capabilities of our AI software.

  2. How We Use Your Information
    1. User Assistance
      We may use your information to provide customer support, address queries, and
      communicate updates related to our AI software products.
    2. Analytics
      We analyze user behavior to gain insights into how our products are used and
      identify areas for improvement.

  3. Data Security
    1. Secure Design
      Our software is designed with robust security measures to protect your data
      throughout its lifecycle.
    2. Encryption
      Advanced encryption techniques are implemented to secure the transmission and
      storage of data.
    3. Access Controls
      Access to AI-related data is restricted to authorized personnel, and we regularly
      review and update access controls to ensure data integrity.

  4. Data Privacy
    1. User Consent for AI
      We only collect and process AI-related data with your explicit consent, and you retain
      control over your preferences.
    2. Limited AI Data Collection
      We restrict data collection to what is essential for the operation and enhancement of our AI
      software products.
    3. Third-Party AI Services
      When integrating with third-party AI services, we ensure that these services adhere to
      stringent privacy standards.

  5. Compliance
    1. AI Regulatory Adherence
      We comply with all relevant data protection laws and regulations globally, aligning our practices with the evolving landscape of AI regulations.
    2. AI User Control
      You have the right to control your AI-related data. To exercise these rights, contact us at info@contiinex.com.

  6. Changes to the Policy
    1. We may update this policy to reflect changes in our AI software or applicable laws. We will notify you of any material changes.

  7. Contact Information
    1. If you have any questions or concerns about this policy, please contact us at info@contiinex.com.

Infrastructure / Network Security

Dedicated Security Team
Our Security Team is reachable by email to respond to security alerts and events at info@contiinex.com.

Protection
Our network is protected through regular audits and network intelligence technologies that monitor and/or block known malicious traffic and network attacks.

Architecture
Our network security architecture consists of multiple security zones. More sensitive systems, like database servers, are protected in our most trusted zones. Other systems are housed in zones commensurate with their sensitivity, depending on function, information classification, and risk. Depending on the zone, additional security monitoring and access controls apply. DMZs are utilized at the boundary with the Internet, and internally between the different zones of trust.

Network Vulnerability Scanning
Network security scanning gives us deep insight for quick identification of out-of-compliance or potentially vulnerable systems.

Third-Party Penetration Tests
In addition to our extensive internal scanning and testing program, each year, Contiinex employs third-party security experts to perform a broad penetration test across the Contiinex Production and Corporate Networks.

Vulnerability and Patch Management
Systems are scanned regularly for common vulnerabilities. Servers are patched on a regular schedule, with critical and high severity patches applied with the highest priority.

Security Incident Event Management
Our Security Incident Event Management (SIEM) system gathers extensive logs from important network devices and host systems. The SIEM alerts on triggers that notify the Security team based on correlated events for investigation and response.

Intrusion Detection and Prevention
Service ingress and egress points are instrumented and monitored to detect anomalous behavior. These systems are configured to generate alerts when incident counts or monitored values exceed predetermined thresholds, and they use regularly updated signatures based on new threats. This includes 24/7 system monitoring.

Logical Access
Access to the Contiinex Production Network is restricted on an explicit need-to-know basis, utilizes least privilege, is frequently audited and monitored, and is controlled by our Operations Team. Employees accessing the Contiinex Production Network are required to use multiple factors of authentication.

Security Incident Response
In case of a system alert, events are escalated to our 24/7 teams providing Operations, Network Engineering, and Security coverage. Employees are trained on security incident response processes, including communication channels and escalation paths.

Encryption

Encryption in Transit
All communications with Contiinex UI and APIs are encrypted via industry standard HTTPS/TLS (TLS 1.2 or higher) over public networks. This ensures that all traffic between you and Contiinex is secure during transit.

Encryption at Rest
Service Data is encrypted at rest in AWS using AES-256 encryption.

Availability & Continuity

Redundancy
Contiinex employs service clustering and network redundancies to eliminate single points of failure. Our strict backup regime and/or our Enhanced Disaster Recovery service offering allow us to deliver a high level of service availability, as Service Data is replicated across availability zones.

Disaster Recovery
Our Disaster Recovery (DR) program ensures that our services remain available and are easily recoverable in the case of a disaster. This is accomplished through building a robust technical environment, creating Disaster Recovery plans, and testing activities.

Secure Development (SDLC)

Secure Code Training
At least annually, engineers participate in secure code training covering OWASP Top 10 security risks, common attack vectors, and Contiinex controls.

Framework Security Controls
Contiinex leverages modern and secure open-source frameworks with security controls to limit exposure to OWASP Top 10 security risks. These inherent controls reduce our exposure to SQL Injection (SQLi), Cross Site Scripting (XSS), and Cross Site Request Forgery (CSRF), among others.

Quality Assurance
Our Quality Assurance (QA) department reviews and tests our code base. Dedicated application security engineers on staff identify, test, and triage security vulnerabilities in code.

Separate Environments
Testing and staging environments are logically separated from the Production environment. No Service Data is used in our development or test environments.

Vulnerability Management

Dynamic Vulnerability Scanning
We employ third-party security tooling to continuously and dynamically scan our core applications against the OWASP Top 10 security risks. We maintain a dedicated in-house product security team to test and work with engineering teams to remediate any discovered issues.

Static Code Analysis
The source code repositories for both our platform and mobile applications are scanned for security issues via our integrated static analysis tooling.

Third-Party Penetration Testing
In addition to our extensive internal scanning and testing program, Contiinex employs third-party security experts to perform detailed penetration tests on different applications within our products.

Security Awareness Training

All employees participate in annual Information Security Awareness training and are assessed periodically.

Information Security Policies & Procedures

Contiinex maintains a documented set of policies that regulate the use of information, including its receipt, transmission, processing, storage, controls, distribution, retrieval, access, and presentation. This includes the laws, regulations, and practices that regulate how Contiinex manages, protects, and disseminates confidential information. In addition, Information Security policies are published and communicated to all employees, and all employees acknowledge their responsibilities in protecting customer data as a condition of employment.

Risk Management

Contiinex performs risk management through a detailed methodology to identify information security risks and to conduct risk assessment, risk evaluation, and risk treatment of the identified risks.

The risk management process includes the systematic application of management policies, procedures, and practices to the activities of communicating, consulting, establishing the context, and identifying, analysing, evaluating, treating, monitoring, and reviewing risk.

Endpoint Devices

Endpoint devices are secured with hard drive encryption, endpoint detection and remediation (EDR), and advanced malware detection with central management and control.

All devices are managed via a central, cloud-based Mobile Device Management (MDM) system.

Physical Security

Contiinex offices are secured by keycard access and 24/7/365 monitoring via video cameras and alarms.

By using our solutions, you acknowledge that you have read and understood this Security and Data Privacy Policy.

Thank you for choosing Contiinex.