Data Protection Policy for Rask AI

Brask Inc

Purpose

This policy outlines procedures and technical controls for data protection.

Scope

Production systems that handle Rask AI customer data must follow this policy.

Definitions

Production Data: Data that is actively used and maintained for business operations and customer services.

Production Systems: Systems and infrastructure that create, receive, store, or transmit Rask AI customer data.

Roles and Responsibilities

The Brask ML Infrastructure Department maintains and updates this policy. The CEO and legal department approve this policy and any changes.

Policy

Brask policy requires that:

  • Handle and protect data according to classification and approved encryption standards.
  • Store data of the same classification together; avoid mixing sensitive and non-sensitive data. Apply security controls based on the highest classification in a repository.
  • Employees do not have direct administrative access to production data, except in emergencies (e.g., forensic analysis, disaster recovery).
  • Disable unnecessary services on all Production Systems.
  • Log all access to Production Systems.
  • Enable security monitoring on all Production Systems (activity and file integrity monitoring, vulnerability scanning, malware detection).

Data Protection Implementation and Processes

Customer Data Protection

Rask AI uses AWS with data replicated across multiple regions for redundancy and disaster recovery.

Brask employees follow these processes to protect Production Data:

  • Implement and review controls to prevent improper alteration or destruction.
  • Store confidential data to support access logs and automated security monitoring.
  • Segment and restrict access to Customer Production Data to authorized customers.
  • Encrypt all Production Data at rest using Brask-managed keys.
  • Protect encryption keys and key-generating machines from unauthorized access; only privileged accounts can access key material.

Access

Employee access to production is disabled by default and requires approval. Temporary access is granted as needed and reviewed by the security team case by case.

Separation

  • Customer data is logically separated at the database/datastore level using unique customer identifiers.
  • The API layer enforces separation by requiring client authentication with a chosen account.
  • Once authenticated, the customer's unique identifier is included in the access token.
  • The API uses this token to restrict data access to the authenticated account.
  • All database/datastore queries include the account identifier to ensure proper data segregation.

Monitoring

Rask AI uses Amazon CloudWatch to monitor cloud services. In case of system failure, key personnel are notified via text, chat, or email for corrective action.

Confidentiality/Non-Disclosure Agreement (NDA)

Brask uses NDAs to protect confidential information with legally enforceable terms, applicable to internal and external parties. Key elements include:

  • Information definition
  • Agreement duration
  • Actions upon termination
  • Responsibilities to prevent unauthorized disclosure
  • Ownership of information and IP
  • Permitted use and rights
  • Audit and monitoring activities
  • Reporting unauthorized disclosures
  • Return or destruction of information upon termination
  • Actions for breach of agreement
  • Periodic review

Data At Rest

Encryption

Encrypt all databases, data stores, and file systems according to Rask AI Encryption Policy.

Retention

Categorize stored data and apply a retention schedule per Rask AI Asset Management and Data Retention Policies.

Considerations for retention:

  • Legal and contractual requirements
  • Data type (e.g., accounting records, database records, audit logs)
  • Storage media type (e.g., paper, hard drive, server)

Storage and Disposal

Properly store and handle data at rest. Considerations include:

  • Authorization for access and management
  • Identification of records and retention periods
  • Technology changes and access during retention
  • Retrieval timeframe and format
  • Disposal methods

Data Deletion

Properly delete sensitive data when no longer required, in line with Brask’s business objectives, laws, and third-party agreements. Keep records of deletion.

Data in Transit

Necessity

Transfer data only when strictly necessary for business processes.

Transfer Factors

Before choosing the method of data transfer, the following must be considered:

  • Information nature, sensitivity, confidentiality, and value
  • Data size
  • Impact of potential data loss

Encryption

To ensure the safety of data in transit:

  • Encrypting all external transmissions end-to-end with Brask-managed keys, including cloud and third-party vendors.
  • Using strong protocols, key exchanges, and ciphers for internet and intranet connections.

End-user Messaging Channels

Restricted and sensitive data is not allowed to be sent over electronic end-user messaging channels such as email or chat, unless end-to-end encryption is enabled.