Data Security Policy

Last updated August 10, 2024

Find all information pertaining to our Data Security Policy

1 Scope

1.1 The following describes Quickpath AI’s Data Security Policy. This policy may be updated from time to time; however, terms effective at the time of signing a Proposal will apply throughout the duration of the applicable Term.

1.2 Defined terms provided under clause 1 of the Quickpath AI SaaS Terms and Conditions shall apply to this policy.

2 Organisational Access Control

2.1 Quickpath AI employees are required to comply with the company’s policies and procedures. These policies include:

  • (a) an obligation to not disclose proprietary or confidential information (including Subscriber-related information) to unauthorised parties; and
  • (b) an obligation to report any known security incidents to the company’s management for investigation and action.

2.2 Quickpath AI employees do not have direct access to Subscriber Data, except where necessary on a need-to-know basis to undertake:

  • (a) technical support;
  • (b) system management, maintenance and backups; and
  • (c) other actions authorised by the Subscriber in writing.

2.3 Criminal background checks are performed for employees with access to Subscriber Data as part of the hiring process.

2.4 Quickpath AI trains its employees on the importance of information security and the company’s approach to maintenance of information security. This training is conducted at the commencement of employment and at regular intervals after commencement.

3 Cloud Infrastructure

3.1 Quickpath AI engages a cloud infrastructure provider (IaaS Provider) to host data in data centre facilities.

3.2 An IaaS Provider will:

  • (a) only allow its staff to access information relating to or data of a Subscriber for the period of time in which a legitimate business need for such privileges exists;
  • (b) only allow its staff to access the cloud infrastructure under its control for the period of time in which a legitimate business need for such privileges exists;
  • (c) log and audit all physical access to its data centre facilities;
  • (d) notify Quickpath AI of the location of the data centre facilities (which may be located in various global regions);
  • (e) monitor electrical, mechanical, and life support systems and equipment at its data centre facilities to ensure any issues are immediately identified; and
  • (f) perform preventative maintenance to maintain the continued operability of the electrical, mechanical, and life support systems and equipment at its data centre facilities.

3.3 All data centre facilities used by an IaaS Provider:

  • (a) are online and serving customers i.e., no data centre facility is “cold”;
  • (b) in the event of failure, have automated processes to move Subscriber Data traffic away from the affected area;
  • (c) have backup power and environmental protection systems, which are regularly maintained and tested;
  • (d) have automatic fire detection and suppression equipment that has been installed to reduce risk and damage to data centre environments;
  • (e) have power backup and environmental protection systems in the event of an electrical failure for critical and essential loads in the facility;
  • (f) have electrical power systems designed to be fully redundant and maintainable without impact to operations, 24 hours a day, and seven days a week; and
  • (g) are conditioned to maintain systems, monitor and control temperature and humidity at appropriate levels.

4 Technical Security Measures

4.1 The Platform will include reasonably up-to-date versions of system security agent software which will include reasonably current and tested malware protection, patches and anti-virus protection.

4.2 Quickpath AI will create a disaster recovery plan designed to provide appropriate technical and operational controls to deliver the recovery time objective (RTO) and recovery point objective (RPO), as outlined in its Service Level Policy.

4.3 Unless otherwise agreed by Quickpath AI in writing, Subscribers are prohibited from performing their own penetration testing on any system of Quickpath AI.

4.4 Quickpath AI ensures that database infrastructure is segregated from the application servers and the internet via firewalls.

4.5 All communications are encrypted between the data exporter and the data centres using high-grade encryption (AES-256).

4.6 Access to Quickpath AI’s on-demand applications and services is only available:

  • (a) through secure sessions (HTTPS); and
  • (b) with an authenticated login and password.

4.7 Passwords for Quickpath AI’s on-demand applications and services are never transmitted or stored in their original form.

4.8 Quickpath AI’s application infrastructure is protected against intrusion by industry standard firewalls at the network, host, and application levels.

4.9 Several IaaS Provider instances are hosted on the same physical machine and are isolated from each other through a hypervisor layer.

4.10 IaaS Provider infrastructure has no access to raw disk devices, but instead is presented with virtualised disks.

5 Exclusions

5.1 The Platform may allow third party services interoperating with it to access, use, or otherwise process and transmit Subscriber Data.

5.2 This Data Security Policy does not apply to any processing, storage, or transmission of data outside the Platform.

5.3 Quickpath AI is not responsible for the security practices (or any acts or omissions) of any third party service providers engaged by or on behalf of Subscriber.

5.4 The Data Security Policy excludes:

  • (a) data or information shared with Quickpath AI that is not stored in the Platform; and
  • (b) data in a Subscriber’s virtual private network (VPN) or a third party network other than one that is under a contract with Quickpath AI to assist Quickpath AI in fulfilling its obligations to that Subscriber.

5.5 Quickpath AI excludes liability for any data used, processed, stored or transmitted by a Subscriber or other third parties in violation of these terms and conditions.