1. Definitions:
   1. Customer Data: Any information that is provided by customers or generated during the use of the Catio platform, including but not limited to business information and data generated by interactions with the Catio platform.
2. While Catio is not yet SOC2 certified, several members on our team are very familiar with, and have successfully managed the SOC2 certification process in previous companies. We are working toward SOC2 certification and in the meantime have implemented best practices to that effect.
3. In keeping with the SOC2 Principles (Security, Availability, Processing Integrity, Confidentiality, and Privacy), Catio has performed a product audit and checklist along the following categories:
   • Data Security:
   • Network Security
   • Application Security
   • Cloud Security
   • Tenant Isolation
   • Identity and Access Management (IAM)
   • Data Backup and Recovery
   • Compliance and Regulations
4. General Principles
   1. We will maintain a written information security policy.
   2. We have appointed one or more employees responsible for managing information security practices.
   3. All of our personnel with access to Customer Data are subject to confidentiality obligations.
   4. We provide information security awareness training to all employees annually.
   5. Passwords used by our personnel will be consistent with industry standard practices. Our personnel are required to use multi-factor authentication to access our critical systems and applications.
   6. We will maintain an incident response plan. If we become aware of any unauthorized access, use, or disclosure of Customer Data (each a “Security Incident”), we will notify you without undue delay. We will also remediate the Security Incident as it relates to our impacted systems in a timely fashion.
   7. We will maintain a business continuity plan consistent with industry standard practices.
5. Data Collection and Use Policies
   1. We primarily use Amazon Web Services to host Customer Data today. For more information about Amazon Web Services’ security measures, please visit: https://aws.amazon.com/compliance/programs/.
   2. We understand how important your data is and we’re highly sensitive to how it’s handled. We will only be storing your data in locations that have been fully evaluated by our team to be private and secure. Internal users, who are seasoned Staff / Principal Engineers, have internal access; but they are seasoned, and we are rapidly moving to fully restrict their data access, beyond authorized access for super admin / operation / consultative purposes.
   3. Transparency in Data Collection - Catio commits to complete transparency about the types of data we collect from our customers. This includes both personal data, such as names and contact information, and operational data, such as user interactions with our services and system logs. We provide clear information on how each type of data is utilized to enhance service delivery and user experience.
   4. Purpose Limitation - we collect data solely for the purposes explicitly outlined in our agreements and this policy. We limit the use of collected data to achieving these specified purposes and to delivering and improving the services agreed upon by our customers.
   5. Data Minimization - in adherence to data minimization principles, we ensure that only data necessary for specific, explicitly stated purposes is collected. We regularly review our data collection practices to ensure compliance with this principle.
   6. Customer Consent - we obtain explicit consent from customers before collecting their data, ensuring that the consent mechanisms are straightforward and accessible. This is particularly emphasized for the collection of sensitive data, where heightened transparency is maintained.
   7. Robust Security Measures - we employ state-of-the-art security measures to protect customer data against unauthorized access, disclosure, alteration, and destruction, as outlined in our Security and SOC2 overview.
   8. Third-Party Data Sharing - we do not share any customer data with any third-party service providers.
   9. Compliance with Legal Requirements - our data collection and usage practices are designed to comply fully with relevant data protection laws such as the GDPR and CCPA. We are committed to upholding the rights of data subjects, including access to data, correction, deletion, and portability.
   10. Review and Audit - we conduct regular reviews and audits of our data collection and usage practices to ensure ongoing compliance with this policy and to continuously improve our data handling processes. We also maintain documentation and audit trails of all of our processing activities performed with Customer Data. Upon request, we will provide you with access to the documentation referenced in this section and will also allow you to conduct reasonable audits of our service to ensure compliance with this policy.
6. Data Processing Policies
   1. To build out our platform to better suit your architecture and product requirements, we integrate two types of information from you, including (i) business and product requirements information, in the context of our Requirements module (“Strategic Materials”) and (ii) various data sources from your tech stack components, in the context of our Integrations module (“Other Materials”). This enables us to offer you highly personalized and informative observations, insights and recommendations, and further generated and simulated capabilities for your tech stack architecture.
   2. We will not use Strategic Materials, even in de-identified form, to train our service to advance our requirements module capability (the module for which we collect Strategic Materials in order to identify a complete set of architecture requirements) or any other capability, beyond our architecture understanding and evaluation.
   3. We may use your Customer Data (including usage metrics and trends) to develop or derive data or insights, or train our models, solely for the benefit of improving our architecture understanding and evaluation and solely in deidentified form, that cannot identify i) you from your use of the service (including usage metrics and trends), ii) your Customer Data, or iii) otherwise in connection with the service. This may include utilizing architecture and technical data to improve our product with regard to architecture understanding, evaluation, and modeling.
   4. We will outline our data deidentification and use processes, allow you to review and audit such processes, and we will always be governed by strict guidelines to prevent any use of your Customer Data to inform our model development beyond the stipulations of this policy.
   5. We enter into agreements with all services providers used by Catio to process Customer Data (ie. AWS) which are at least as restrictive as our Data Sharing and Security Policy. Our service providers are prohibited from using Customer Data for any AI or model training. We will remain responsible to you for the acts and omissions of our service provider that result in any breach of our obligations.
   6. We will only process Customer Data with AI systems which are hosted on our cloud service providers’ infrastructure. Catio primarily uses AWS Bedrock hosted AI systems today. For more information about AWS Bedrock’ security measures, please visit: https://aws.amazon.com/bedrock/faqs/.