Security Measures Notice

This Security Measures Notice forms part of, and is subject to, the Master Services Agreement or other written or electronic terms of service or subscription agreement between Lampi AI and Customer that reference this Security Measures Notice (the “Agreement”), and is effective on the Effective Date of the Agreement.

This document describes the technical and organizational security measures and controls implemented by Lampi AI to protect Personal Information and ensure the ongoing confidentiality, integrity and availability of the Services.

More details on the measures we implement are available upon request.

Lampi AI reserves the right to revise these technical and organizational measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Lampi AI processes in providing its Services.

Customer acknowledges that it is responsible for the review of the information made available by Lampi AI in this notice and to determine whether the Security Measures meet Customer’s requirements and legal obligations under applicable laws.

Capitalized terms not defined in this document have the meanings given in the DPA or Master Services Agreement.

1. Technical measures

Data hosting. Except otherwise agreed by the Parties, all of our Services are hosted with the following Sub-Processors:

• Vercel,

• Scaleway,

• OVH Cloud.

• Google Cloud Platform (GCP),

They all employ a robust security program with multiple certifications.

Encryption at rest. All Customer Data, including Personal Information, are encrypted at rest using AES-256.

Customer Data is encrypted when at rest in cloud storage and databases.

Encryption in transit. All communication between files and servers are encrypted end-to-end through an SSL connection.

Security certification. As of now, Lampi AI does not hold any official certifications regarding the security of its information system or the Services.

Physical security. Lampi AI leverages robust and well recognized third-party providers to host its entire Platform or parts of it, and defers all data center physical security controls to them.

Usage of data. We never sell, share or use Customer Data, inputs or outputs for training models, except solely at the customer demand in case of fine-tuning needs for a dedicated AI model. In the case where Customer requires training of a Third-Party Model or Open-Source Model with Customer Data, any Personal Information is anonymized or deleted from datasets.

Third Party Services. In the context of the Services, Customer acknowledges that Third-Party Services are limited to Platform hosting and to the case where a Customer or End User uses on its own choice a Third-Party Model provided by a Third-Party Services provider available on the Platform.

The list of Sub-Processors is available in the Sub-Processors Notice.

Code analysis. Lampi AI performs code reviews on all software updates including threat modeling and security design.

Credential. Lampi AI assigns cryptographic keys that are roles based to users. Cryptographic keys are generated and valid for two (2) weeks.

Vulnerability and patch management. Lampi AI performs vulnerability scanning and package monitoring on infrastructure-related hosts and its product continuously, patching externally- and internally-facing services regularly. Issues that are discovered are triaged and resolved according to their severity within Lampi AI’s environment.

Customer Role-based access. To limit access based on the principle of least privileged access and prevent conflict of interest, Customer can enforce differential access to each feature, including access to choice of large language models, based on the users' responsibilities or seniority.

Access administration. Customer can establish processes to provide appropriate access to its users and remove accesses.

Account access. Measures to ensure that End Users authorized to use Lampi AI have access only to their Account pursuant to their access rights:

• Recovery of lost passwords is done by requesting a signed link to the user’s email account — no passwords are sent in plain text over email, chat, phone, or any other communication method.

• Lampi AI requires single sign-on (SSO).

• We block brute-force attacks by locking out employee accounts after five (5) incorrect password attempts.

• Lampi AI uses best-practice tools for vulnerability scanning, malicious activity detection, and blocks suspicious behavior automatically.

2. Organizational measures

Employee awareness and training. Lampi AI ensures that employees who are working with systems and data are formally aware of, and educated about, the security and privacy policies and procedures with which they must comply. Lampi AI provides employees training to ensure ongoing capabilities to carry out the security measures established.

System access control. Measures that prevent unauthorized persons from using IT systems and processes:

• When provisioning access, Lampi AI adheres to the principle of least privilege and role-based permissions — meaning our employees are only authorized to access Lampi AI’s data that they reasonably must handle to fulfill their job responsibilities. Access to cloud infrastructure and other sensitive tools are limited to experienced and authorized employees who require it for their role.

• The same employees will access, with Customer permission, Customer Data data for the sole purpose of debugging/troubleshooting or recovering content. Access is based on a need to know / need to do principle.

• Lampi AI utilizes multi-factor authentication for access to its sensitive systems and programs.

• We block brute-force attacks by locking out employee accounts after five (5) incorrect password attempts.

Risk management. Measures to ensure that the appropriate risk management and security risk management in place include but are not limited to:

• Lampi AI conducts periodic reviews and assessments of risks, monitoring and maintaining compliance with Lampi AI’s policies and procedures.

• Lampi AI ensures periodic, effective reporting of information security conditions and compliance to senior internal management.

• Lampi AI hosts periodic security risk management training, including but not limited to data protection for all employees, including an initial onboarding training for new employees to review and ensure compliance with up-to-date security risk management procedures and policies.

• Lampi AI’s personnel might follow dedicated training or comply to specific background check in order to interact with specific customer or have access to specific credentials for singular customer like government entities.

Safeguarding email. Measures to ensure that the appropriate operations security safeguarding email in place include but are not limited to:

• Lampi AI utilizes Google’s world-class email security to protect all inbound and outbound emails from malware.

• Lampi AI leverages Google’s email spam filtering services to guard against spam, virus, and phishing attacks.

• Employees of Lampi AI immediately notify staff of email identified as potentially infected or harmful and ensure that the potential threat is blocked and quarantined. The verification and assessment of whether an email is malicious or not is automated and based on the rules but rather based on the competency of each Lampi AI employee — educated on a periodic basis to identify harmful emails.

Security regarding personnel. Measures to ensure that Lampi AI’s personnel comply with the laws and regulations of the country, and ensuring that personnel abides by the relevant terms and conditions of supplier and Customer agreements:

• Lampi AI’s personnel are required to conduct themselves in a manner consistent with the Lampi AI’ guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards. Lampi AI conducts reasonably appropriate background checks to the extent legally permissible and in accordance with applicable local labor law and statutory regulations.

• Personnel is required to execute a confidentiality agreement and must acknowledge receipt of, and compliance with, Lampi AI’s confidentiality and privacy policies. Personnel is provided with security training. Lampi AI’s personnel will not process Customer Data without authorization.

Responding to security incidents. Lampi AI maintains policies and procedures for responding to potential security incidents. Lampi AI defines the types of events that must be managed via our incident response process. Incidents are classified by severity and response procedures are tested and updated at least annually.

Secure development. Lampi AI uses a secure development life cycle process to assess the security risk of each development project.

Version control. All code is stored in a version-controlled repository with changes subject to peer review and continuous integration testing. Defects found in this process must be remediated prior to deployment.