Bliko can act as both a Data Controller and a Data Processor of personal data under the General Data Protection Regulation 2016/679 (hereinafter, "GDPR"). For example, Bliko will be the Data Controller of personal data when a Client enters into a contract directly with us for the processing of the Client's data. However, in most cases, due to the nature of our business, Bliko does not have a direct relationship with the data subjects and solely processes the end-user's personal data on behalf of the clients and according to their instructions. Therefore, if you are an employee using our platform, we act solely as Data Processors of your data. Our Clients decide the purposes for which they use our Platform, as well as the means of data collection to the extent of our platform's functionalities. For users navigating our website, Bliko will be the Data Controller for the data collected here, such as cookies, or any data that is relevant to enjoy our content.

In the event that Bliko detects a security breach, a security breach analysis procedure will be activated to determine:

• The nature of the security breach.

• The categories of personal data affected.

• The approximate number of data subjects affected.

• The approximate number of personal data records affected; and

• The consequences of the breach.

Parallel to the investigation, Bliko will take the appropriate immediate containment and correction actions and will proceed to log the incident to ensure traceability of incidents within the organization.

Following the analysis, Bliko will determine whether the supervisory authority must be notified, evaluating whether the personal data breach could pose a risk to the rights and freedoms of the data subjects affected by the breach.

Furthermore, Bliko will decide if it is necessary to notify the affected data subjects.

In any case, as the data processor, Bliko will communicate the security breach to the client within less than 48 hours. This communication will include:

• Risk mitigation measures taken.

• Technological improvements.

• Changes in incident management.

• Updated procedures.

If you become aware of a security incident at Bliko, please report it to info@bliko.ai.

Information to provide (when applicable):

• Description of the incident:
• Name of the affected company and user:
• Type of data affected:
• Scope of the detected incident:
• Degree of impact on the rights of the data subjects:

Bliko is certified under ISO/IEC 27001:2013 and renewed its certification in March 2023. Currently, this represents the highest level of the global information security standard available, providing our clients with assurance that we adhere to stringent international standards in security.

Bliko has a SOC2 Type I report as of August 2022 and a SOC2 Type II report as of February 2024.

Details and related certification reports can be shared upon formal request and after the applicant signs a Non-Disclosure Agreement (NDA).

All our services run in the cloud. We do not host or run our own routers, load balancers, DNS servers, or physical servers.

All of our customers' data is stored on Amazon Web Services (AWS) servers in Frankfurt, Germany, a suite of cloud services that ensures maximum security. Companies such as Netflix or Airbnb trust AWS to manage the data of millions of users.

The Amazon Web Services data center is protected by three physical layers of security. Additionally, the facilities are protected against impacts and are only accessible via a non-transferable personal card and PIN.

You can read more about their security practices here: AWS Security

Our network security architecture consists of several security zones. We monitor and protect our network to ensure no unauthorized access occurs through the use of a Virtual Private Cloud (VPC), a firewall that monitors and controls incoming and outgoing network traffic.

• Encryption in Transit: All data sent to or from our infrastructure is encrypted in transit using industry best practices through Transport Layer Security (TLS). You can view our report on SSLLABS.

• Encryption at Rest: We rely on AWS Key Management Service (AWS KMS) to manage our cryptographic keys. By default, the "SYMMETRIC_DEFAULT" encryption algorithm is selected, which currently represents AES-256-GCM, a symmetric algorithm based on the Advanced Encryption Standard (AES). These keys are used to encrypt/decrypt our S3 buckets, databases, secrets manager, lambda, Redshift, and Lightsail.

We retain your data for a period of 1 year after you close your account. After this period, all data is completely deleted from our servers. Once deleted, data can only be recovered for 30 days.

• We utilize technologies to monitor exceptions, logs, and detect anomalies in our applications.

• We collect and store logs to provide an audit trail of activity in our applications. Depending on the plan chosen by our customers, administrators can track all actions and usage of employee logs on the platform, gaining increased visibility. More information about audit logs can be found here.

We develop following best practices and security frameworks (OWASP Top 10, SANS Top 25) to ensure the highest level of security in our software:

• We regularly review our code for security vulnerabilities.

• We routinely update our dependencies to ensure none of them have known vulnerabilities.

• We use Static Application Security Testing (SAST) to detect security vulnerabilities in our codebase and enforce code standards.

• We actively address security incidents reported by bug bounty hunters or pentest providers. Our latest pentest was conducted by Cobalt (https://cobalt.io/). Internal vulnerability scans are performed continuously, as well as ongoing penetration testing through HackerOne (https://hackerone.com/bliko).

• We keep secrets out of the code.

• We keep operating system and Docker images up to date and run services with a non-privileged role.

• We ensure environment separation and function segregation during the development process. Developers do not have the ability to migrate changes to production environments.

• We utilize technologies to monitor exceptions, logs, and detect anomalies in our applications.

• We collect and store logs to provide an audit trail of activity in our applications. Depending on the plan chosen by our customers, administrators can track all actions and usage of employee logs on the platform, gaining increased visibility. More information about audit logs can be found here.

• We protect our users against data breaches by monitoring and blocking brute force attacks.

• Single Sign-On (SSO) is available through Google, Microsoft, and LinkedIn accounts.

• Access control based on permissions is offered on all our accounts and allows our users to define permissions.

• We use AWS Cognito, which by default, supports multi-factor authentication.

• We utilize GitHub's security tools to receive alerts in case of vulnerabilities. The security team applies patches routinely.

• We conduct quarterly access rights reviews on our critical applications, including steps like reviewing authorizations, generic accounts, and ensuring that access is removed from terminated employees.

All payment instrument processing is securely outsourced to Stripe, which is certified as a Level 1 PCI Service Provider. We do not collect any payment information and are therefore not subject to PCI obligations.

• We manage accounts centrally.

• We rely on a password management system.

• We use named accounts with 2FA implemented.

• We rotate passwords every 90 days.

• We conduct onboarding and offboarding of new employees using a checklist that accounts for the best security practices.

• We ensure that access privileges adhere to the principle of least privilege.

• We employ physical security measures in our offices to ensure that only our employees have access.

• We routinely remind our employees about the importance of locking their computers.

• We have established procedures regarding the use of mobile devices and removable media.

We ensure that all our employees receive specific training in data protection and information security. Additionally, there are security training sessions and workshops focused on secure software development practices.

We conduct background checks for potential new hires.

Bliko will make every effort to be available with a monthly uptime percentage of at least 99.50%. Subject to SLA Exclusions, if we fail to meet the Service Commitment, the customer will be eligible to receive a Service Credit. This means we guarantee that the customer will not experience more than 21.56 minutes per month of Downtime.

Bliko performs daily data backups and retains the backups for 30 days. High availability is ensured with RDS Multi-AZ. Since data loss would require simultaneous incidents in both availability zones, this significantly reduces the possibility of data loss. Our Recovery Time Objective (RTO) is 1 hour, and our Recovery Point Objective (RPO) is 1 day.

Plans related to business continuity and disaster recovery are formally documented in accordance with the requirements of the ISO27001 and SOC2 frameworks.

Service Credits are calculated as a percentage of the total charges owed on your Bliko invoice for the monthly billing cycle in which the Downtime occurred.

For a monthly uptime percentage below 99.50%, you will be eligible for a service credit of 5% of the current period's charges.

We will apply Service Credits only towards future payments for the provision of services.

To receive a Service Credit, you must submit a claim by sending an email to support@bliko.co indicating the dates and times of each detected Downtime incident.

If we confirm the monthly uptime percentage of such request and it is less than the Service Commitment, we will issue the Service Credit within the billing cycle of the following month in which the confirmed request was made.

If the client fails to make the request or does not provide the required information above, they will be disqualified from receiving the Service Credit.

The Service Commitment does not apply to any unavailability:

• Caused by factors outside Bliko's reasonable control, including any force majeure event, internet access, or issues beyond Bliko's demarcation point.

• That results from any actions or inactions of the customer with a third party.

• That results from the customer's equipment, software, or other technology and/or third party equipment, software, or other technology (not under our direct control).

• That results from any Maintenance.

If availability is impacted by factors other than those used in our calculation of the monthly uptime percentage, we may issue a Service Credit considering such factors at our discretion.

Here you can find our updated privacy policy.

Here you can find the terms and conditions of Bliko.

By way of illustration but not limitation, Confidential Information shall be understood as information referring to customer data, its existence, structure, promotion and sales plans, source and object codes of computer programs, systems, techniques, inventions, processes, patents, trademarks, registered designs, copyrights, know-how, trade names, technical and non-technical data, drawings, sketches, financial data, plans for new products, data related to customers or potential customers as well as any other information used in the business scope of Bliko and the Client.

The obligation of confidentiality shall remain in force even after the termination, for any reason, of the contractual relationship between the parties without generating any type of compensation.

The breach of the confidentiality obligation assumed in this agreement or the failure to return the Confidential Information as established above shall entitle either Party to claim the full amount of damages caused by such breach.