Privacy Policy

We go above and beyond legal requirements to protect all of your data. This document outlines additional precautions we take to keep your customers’ data safe.

Personnel

Our engineering team includes people who have played significant roles in both startups and large organisations. They have experience building Internet-facing applications that house highly confidential and mission-critical data.

Incident Response

In the event of a data security incident, all key personnel are requested to respond immediately. Those in charge of affected parts of our application and infrastructure are notified and assembled to address the incident quickly. Upon notification, incident resolution time is on the order of minutes.

Following a data security incident, a post-mortem analysis is performed. The outcome of our analysis is discussed internally and shared among the relevant personnel. The analysis includes actionable items to help make it easier to detect and prevent the occurrence of similar incidents in future.

Build Automation

We deploy code on our production server tens, and in some cases, hundreds, of times per day. This enables us to respond to data security incidents with code changes within minutes.

We have a semi-automated deployment system, which requires us to peer-review all code changes before they are deployed to our production servers. Code changes are reflected across all of our production servers within minutes. We use GitHub and AWS to help automate this process.

Infrastructure

All of our services are cloud-based. We do not run our own infrastructure.

All of our own data services are hosted in Amazon Web Services (AWS) facilities across the EU. We do not have control over where our third-party services are hosted, for example, Google Analytics. All of our clients’ customer data is hosted and processed using AWS.

Our infrastructure is spread across 2 AWS data centres (also known as availability zones). This adds redundancy to our system: should one of the data centres fail unexpectedly, our services will continue to work.

Data Storage and Access

All of our customer data is stored in the European Union.

Customer data is stored in multi-tenant data stores. This means that we do not have individual data stores for each customer. Should you wish to have your own dedicated datastore, please contact us and we can discuss your requirements.

In order to prevent one customer from accessing another customer’s data, we have a number of low-level code checks that fail when they are not provided with the logged-in customer identifier. We run automated tests before every code change is deployed to our production services. Additionally, we periodically perform code audits to prevent this from happening.

Internally, all database entity types have a client identifier field. All queries are required to provide a client identifier. This check has been implemented at a low level. It ensures that one client cannot access the data of another client.
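A sketch of the kind of low-level check described above, as an added example that is not Traitly's own code. The `tickets` table, the `client_id` column name and the `TenantScopedStore` class are assumptions made for illustration.

```python
import sqlite3

# Constructed schema: every entity table carries a client_id column (assumed name).
SCHEMA = {"tickets": ("id", "client_id", "subject", "status")}


class MissingTenantError(Exception):
    """Raised when a query is attempted without a client identifier."""


class TenantScopedStore:
    """Hypothetical data-access layer that refuses to build a query without a tenant."""

    def __init__(self, conn, client_id):
        # Fail closed: no usable identifier (None, empty, zero, bool) means no store.
        if not isinstance(client_id, int) or isinstance(client_id, bool) or client_id <= 0:
            raise MissingTenantError("client_id is required for every query")
        self._conn = conn
        self._client_id = client_id

    def _check(self, table, columns):
        # Identifiers cannot be bound as parameters, so allowlist them.
        if table not in SCHEMA:
            raise ValueError(f"unknown table: {table}")
        for col in columns:
            # Callers may never set or filter on client_id themselves.
            if col not in SCHEMA[table] or col == "client_id":
                raise ValueError(f"column not allowed: {col}")

    def insert(self, table, **values):
        self._check(table, values)
        cols = ["client_id", *values]
        sql = f"INSERT INTO {table} ({', '.join(cols)}) VALUES ({', '.join('?' * len(cols))})"
        self._conn.execute(sql, (self._client_id, *values.values()))

    def select(self, table, **filters):
        self._check(table, filters)
        # The tenant predicate is always present and cannot be overridden by a filter.
        clauses = ["client_id = ?", *(f"{c} = ?" for c in filters)]
        sql = f"SELECT subject, status FROM {table} WHERE {' AND '.join(clauses)} ORDER BY id"
        return self._conn.execute(sql, (self._client_id, *filters.values())).fetchall()


def demo():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tickets (id INTEGER PRIMARY KEY, client_id INTEGER NOT NULL, subject TEXT, status TEXT)")
    a, b = TenantScopedStore(conn, 1), TenantScopedStore(conn, 2)
    a.insert("tickets", subject="reset password", status="open")
    b.insert("tickets", subject="billing query", status="open")
    return a.select("tickets", status="open"), b.select("tickets")
```

Because the store object is the only path to the connection, a code path that forgets the tenant fails at construction time rather than returning another client's rows.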

We have set up a virtual private cloud (VPC). Two subnets live inside our VPC: a public subnet and a private subnet. Our database services live inside our private subnet. This means that only servers in the public subnet can communicate with our database servers. All ports (besides HTTP (80) and HTTPS (443)) on servers living inside our public subnet have been restricted to whitelisted IPs defined in a security group. The whitelisted IPs are the addresses that we use internally and are inaccessible from sources outside our network.

We only permit server access to public keys whitelisted on our servers. This prevents SSH server access from computer devices outside of our organisation.

Data Storage and Access

All data sent to and from Traitly is encrypted in transit using state-of-the-art 256-bit encryption.

Our platform and API are SSL-only.

Authentication

Traitly is served 100% over HTTPS.

We use two-factor authentication (2FA) and stringent password policies across our own and third-party services we use. These include GitHub, AWS, Google, and Traitly.

Data Processing Agreement

1. Purpose of processing

This Document ("Agreement") sets out the legal agreement between you, your directors, employees, contractors, agents and assigns, collectively the "Customer" and the "Company": AIBL TECHNOLOGIES LIMITED, an Irish incorporated entity with its registered offices at Unit 8, Crawford Commercial Park, Bishop Street, Cork, Ireland ("Traitly") for compliance with the General Data Protection Regulation (GDPR).

The Company is engaged by Customer to provide a dynamic knowledge base and support services using logic and machine learning techniques (hereinafter - the Purpose), which requires the Company's access to the data about the employees of the Customer and data pertaining to the Customer.

2. Data processed

Data contained in the third-party platforms the Customer uses, as well as data generated within the Company’s platform (hereinafter together the Data).

3. Duration of processing

The Company shall process Data for no longer than required for the purpose of the Agreement between the Company and the Customer.

4. General Recipient's obligations.

Company is obliged to:

  • a) process the Data only to the extent such processing is needed for the purpose;

  • b) ensure that its employees, directors and other officers having access to the Data within all the period of this Agreement (also after termination of their employment, contractual and other relations with the Company) are bound, whether via contract or statutory obligation to keep the Data confidential in accordance with the terms of this Agreement applicable to the Company;

  • c) give access to the Data to a limited number of employees, directors and other officers, who need to know the Data for the purpose;

  • d) fully comply with Regulation (EU) 2016/679 (General Data Protection Regulation) and other applicable laws and regulations;

  • e) process the Data only on documented instructions from the Customer;

  • f) take all appropriate technical and organisational measures required under Article 32 of General Data Protection Regulation to ensure the security of Data;

  • g) assist the Customer by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests for exercising the data subject's rights;

  • h) notify the Customer immediately if it becomes aware of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Data and provide such further information as the Customer may reasonably require;

  • i) assist the Customer in ensuring compliance with the obligations relating to the security of processing, data breach notification and data protection impact assessment, taking into account the nature of processing and the information available to the Company;

  • j) make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this Data Processing Agreement and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

The Company shall process Data for no longer than required for the purpose of the Agreement between the Company and the Customer.

5. Sub-processing.

The Company can engage third parties to process the Data provided (i) this is required for the Purpose and (ii) it has obtained a specific written authorization of the Customer. Where the Company engages another processor for carrying out specific processing activities, it (i) bears full responsibility for the actions of third persons, to which it disclosed the Data, with regard to such Data and (ii) warrants and represents that the same data protection obligations as set out in this Data Processing Agreement shall be imposed on that other processor by way of a contract. In particular, the Company is obliged to ensure that such third persons:

  • a) are informed on the confidential character of the Data provided to them;

  • b) at the time of disclosure are bound via contract to keep the Data confidential substantially in accordance with the terms of this Agreement applicable to the Company;

  • c) give access to the Data to a limited number of employees who need to know the Data for the purpose they were received for;

  • d) do not disclose the Data to any other third person;

  • e) use the Data purely for purposes for which it was provided;

  • f) comply with confidential undertakings established by this Agreement for the Company, as if they were the Company;

  • g) return or destroy the Data once they are no longer needed for the purpose.

6. Order of Precedence.

This Data Processing Agreement is an integral part of the License Agreement entered into upon registration with the Company’s software by the Customer (hereinafter – the Agreement). Provisions of this Data Processing Agreement prevail over other provisions of the Agreement in case of their contradiction.