Data Security Policy
1. Scope
1.1 The following describes RobobAI’s Data Security Policy. This policy may be updated from time to time, however, terms effective at the time of signing a Quote will apply throughout the duration of the applicable Term.
1.2 Defined terms provided under clause 1 of the RobobAI SaaS Terms and Conditions shall apply to this policy.
2. Organisational Access Control
2.1 RobobAI employees are required to comply with the company’s policies and procedures. These policies include:
- an obligation to not disclose proprietary or confidential information (including Subscriber-related information) to unauthorised parties; and
- an obligation to report any known security incidents to the company’s management for investigation and action.
2.2 RobobAI employees do not have direct access to Subscriber Data, except where necessary on a need-to-know basis to undertake:
- Technical Support;
- system management, maintenance, backups; and
- other actions authorised by the Subscriber in writing.
2.3 Criminal background checks are performed for employees with access to Subscriber Data as part of the hiring process.
2.4 RobobAI performs regular revalidation of employee access under the principle of least privilege.
2.5 RobobAI trains its employees on the importance of information security and the Company’s approach to maintenance of information security. This training is conducted at the commencement of the employment and at regular intervals after commencement.
2.6 RobobAI may engage RobobAI Providers to perform some of its obligations under the terms and conditions. RobobAI Providers will only access and use Subscriber Data in a manner consistent with the terms and conditions and this policy.
2.7 At the written request of a Subscriber, RobobAI will provide additional information regarding its RobobAI Providers and their locations. The Subscriber may send such requests to RobobAI’s Data Privacy Officer at privacy@robobai.com.
3. Cloud Infrastructure
3.1 RobobAI engages an infrastructure as a service provider (IaaS Provider) and a platform as a service provider (PaaS Provider) to host data in data centre facilities.
3.2 These IaaS and PaaS Providers will:
- only allow their staff to access information relating to, or data of, a Subscriber for the period of time in which a legitimate business need for such privileges exists;
- only allow their staff to access the cloud infrastructure under their control for the period of time in which a legitimate business need for such privileges exists;
- log and audit all physical access to their data centre facilities;
- notify RobobAI of the location of the data centre facilities (which may be located in various global regions);
- monitor electrical, mechanical, and life support systems and equipment at its data centre facilities to ensure any issues are immediately identified; and
- perform preventative maintenance to maintain the continued operability of the electrical, mechanical, and life support systems and equipment at its data centre facilities.
3.3 All data centre facilities used by an IaaS Provider:
- are online and serving customers i.e., no data centre facility is “cold”;
- in the event of failure, have automated processes to move Subscriber Data traffic away from the affected area;
- have backup power and environmental protection systems, which are regularly maintained and tested;
- have automatic fire detection and suppression equipment that has been installed to reduce risk and damage to data centre environments;
- have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility;
- have electrical power systems designed to be fully redundant and maintainable without impact to operations, 24 hours a day, seven days a week; and
- are climate-controlled so that temperature and humidity are monitored and maintained at appropriate levels for the systems housed there.
4. Technical Security Measures
4.1 The Platform will include reasonably up-to-date versions of system security agent software, which will include reasonably current and tested anti-malware (anti-virus) protection and security patches.
4.2 RobobAI will create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver the recovery time objective (RTO) and recovery point objective (RPO), as outlined in its Service Level Policy.
4.3 Unless otherwise agreed by RobobAI in writing, Subscribers are prohibited from performing their own penetration testing on any system of RobobAI.
4.4 RobobAI ensures that database infrastructure is segregated from the application servers and the internet via firewalls.
4.5 All communications between the data exporter and the data centres are encrypted in transit using industry standard encryption (AES-256).
4.6 Access to RobobAI’s on-demand applications and services is only available:
- through secure sessions (HTTPS); and
- with an authenticated login (username and password).
4.7 Passwords for RobobAI’s on-demand applications and services are never transmitted or stored in plaintext.
4.8 RobobAI’s application infrastructure is protected against intrusion by:
- industry standard firewalls at the network, host, and application levels; and
- intrusion detection systems across all servers.
4.9 Where several IaaS Provider instances are hosted on the same physical machine, they are isolated from each other through a hypervisor layer.
4.10 Instances running on IaaS Provider infrastructure have no access to raw disk devices; they are presented with virtualised disks instead.
5. Exclusions
5.1 The Platform may allow third party services interoperating with it to access, use, or otherwise process and transmit Subscriber Data.
5.2 This Data Security Policy does not apply to any processing, storage, or transmission of data outside the Platform.
5.3 RobobAI is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of Subscriber.
5.4 The Data Security Policy excludes:
- data or information shared with RobobAI that is not stored in the Platform; and
- data in a Subscriber’s virtual private network (VPN) or a third party network other than one that is under a contract with RobobAI to assist RobobAI in fulfilling its obligations to that Subscriber.
5.5 RobobAI excludes liability for any data used, processed, stored or transmitted by a Subscriber or other third parties in violation of these terms and conditions.
DSP v03 13.03.2023