Intellifold is committed to delivering a secure, reliable, and high-performing service to its clients. Our objectives are based on service commitments made to our customers, compliance with applicable laws and regulations, and adherence to internal policy and operational requirements.
The infrastructure of our Process Mining & AI platform includes the cloud-hosted networking, compute and database components of Microsoft Azure.
- Azure Virtual Machines (Cloud Compute): Service to run virtual machines
- PostgreSQL (Data Storage): Open-source relational database management system emphasizing extensibility and SQL compliance
- Azure Front Door (Networking): Cloud content delivery network (CDN) service
Primary software used to support the Intellifold Process Mining & AI platform includes:
- Intellifold platform: Software as a Service System provided to Intellifold Process Mining & AI customers
- Azure Security Services: Cloud security posture management (CSPM) and cloud workload protection (CWP) that finds weak spots across cloud configurations
- Azure Active Directory: Authentication software used to identify and authenticate users for access control to the systems
- Bitbucket: Source code repository used to manage the software code and version control
- JIRA: Ticketing software used to log requests and issues for software updates
- Google Workspace: Suite of enterprise productivity, collaboration, and communication tools
- Vanta: Compliance platform with automated security & compliance monitoring
Our Security Commitments include:
- Authorised Access: Implement features and configurations to authorise user access while restricting unauthorised access.
- Intrusion Detection: We use intrusion detection to prevent and identify potential security attacks. We maintain logging to validate user logins and software use.
- Vulnerability Management: Conduct regular vulnerability scans and annual penetration tests over the production environment.
- Incident Management: Maintain operational procedures for managing security incidents and breaches, including notification protocols.
- Data Retention and Disposal: We've implemented policies for secure data retention and disposal.
- Data Protection: We employ encryption technologies to safeguard system data both at rest and in transit.
- Non-Disclosure Agreements: We require confidentiality and non-disclosure agreements with employees, contractors, and third parties.
- Purpose Limitation: We use confidential information solely for purposes explicitly stated in agreements.
Our Availability Commitments include:
- System Availability: High uptime availability of production systems in line with SLAs.
- Performance Monitoring: We've implemented system performance and availability monitoring mechanisms such as CPU and memory monitoring functions.
- Timely Response: We respond to customer requests in a timely manner.
- Business Continuity and Disaster Recovery: We maintain detailed business continuity and disaster recovery plans, including RPOs and RTOs.
- Operational Procedures: Our procedures support the achievement of SLA commitments to our customers.
Intellifold views its information and information systems as essential and fundamental to our business operations. We allocate resources to enhance information security practices across Intellifold. We manage risks to our information systems and protect any information or data from unauthorised access, loss, or misuse. To manage risks, Intellifold employs a range of access controls, security devices, and monitoring tools to scrutinise Intellifold information systems and security practices.
At Intellifold we handle confidential and personal data daily. This includes, but is not limited to, user information, supplier, customer, or product data, financial information, client and login credentials, or information collected from potential clients and third parties. Data Protection Principles and Data Security Measures apply to Personal data, Confidential data, and Sensitive data.
Intellifold adheres to the following data protection principles:
- Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Data collected is adequate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: We keep data accurate and updated as needed. Client or third-party data is timestamped to verify its accuracy with the data provider when necessary. While we are not directly responsible for the accuracy of client or third-party data, we do maintain records of the last update for reference.
- Storage Limitation: Data is kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the data is processed or to adhere to applicable regulations.
- Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
We aim to maintain the highest levels of security across all servers, laptops, and software products. Appropriate security measures include antivirus software, hard drive encryption, security updates and patches, firewalls, access controls, event monitoring, network service security, access timeouts, password management, and other relevant security protocols. We regularly review and enhance these security measures to align with current technologies and industry-standard practices. We implement the following security measures to protect client, third-party, and internal data:
- Access Control: Access to client and company information is restricted to authorized personnel only. Intellifold products come with comprehensive access control options which can be set per individual component or module. Access rights can be configured with admin, developer, or viewer rights at project, data integration, data model, and solution level. Our software comes with intrusion detection and security logging functionality and enforces complex password use.
- Encryption: When hosted through Intellifold, all data in storage and in transit is encrypted. Our laptops also have hard drive encryption activated.
- Monitoring & Incident Response: To effectively respond to security incidents, Intellifold utilises monitoring tools to continuously assess and evaluate the performance of its systems. Additionally, antivirus software is deployed across multiple layers of our and our third-party provided infrastructure, enabling regular automatic updates of antivirus definitions and emergency rollouts when necessary. Intellifold has in place a clear incident response plan to address security breaches promptly, minimising potential information loss or exposure, and notifying potentially impacted parties.
- Disaster Recovery & Business Continuity: We have established contingency plans to address potential disruptions to our operations and services. These plans cover scenarios that could affect our software products, client data, or our employees. We have partnered with leading third-party hosting providers to implement backup processes, enabling recovery in the event of a disruption.
- Retention & Disposal: Intellifold shall retain data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, it shall be securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Data classified as personal, confidential or sensitive shall be securely deleted when no longer needed. Intellifold will assess the data and disposal practices of third-party vendors. Only third parties who meet Intellifold requirements for secure data disposal shall be used for storage and processing of client and Intellifold data.
- Regular Audits: Regular security audits are conducted to identify and mitigate potential vulnerabilities. Our third-party providers have better practice security standards and are regularly audited for compliance. Intellifold only engages with third-party providers that meet our security standards, and as part of our vendor on-boarding process we evaluate these practices along with any assurance reports to determine appropriateness.
We are very proud to have our processes SOC2 certified in 2025. See Vanta's Trust Center to see implemented controls and test results.
Also, for our providers we verify compliance with ISO27001 and SOC2 standards. Intellifold complies with all applicable data protection laws, and regular monitoring and reviews are conducted to ensure ongoing compliance. This includes:
- Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) for handling personal information.
- New Zealand Privacy Act 2020 and the 13 Information Privacy Principles for handling personal information.
- General Data Protection Regulation (GDPR) for handling personal data as applicable in the European Union.
- UK General Data Protection Regulation (UK GDPR) as tailored to the United Kingdom and Data Protection Act 2018.
- Personal Data Protection Act (PDPA) as applicable in Singapore and other countries to govern the collection, use, and disclosure of personal data.
- Digital Personal Data Protection Act 2023 (DPDP Act) and Information Technology Act 2000 (IT Act) as applicable for data protection in India.
- California Consumer Privacy Act (CCPA) for resident rights over their personal data, including the right to know what is collected and the right to request deletion.
We are excited to announce that we have successfully completed the SOC 2 Type 1 examination. This milestone underscores our commitment to maintaining the highest standards of security and operational excellence.


- The criteria for a description of a service organisation’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organisation’s System in a SOC 2® Report (AICPA, Description Criteria) with regards to the Description.
- The trust services criteria relevant to Common Criteria/Security, Availability, Confidentiality (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).