Intellifold is committed to delivering a secure, reliable, and high-performing service to its clients. Our objectives are based on service commitments made to our customers, compliance with applicable laws and regulations, and adherence to internal policy and operational requirements.
Our Security Commitments include:
- Authorised Access: Our platform and internal software configuration use role-based access and require Multi-Factor Authentication (MFA).
- Intrusion Detection: We use intrusion detection to prevent and identify potential security attacks. We maintain logging to validate logins and software use.
- Vulnerability Management: We conduct regular vulnerability scans and annual penetration tests for our platform.
- Incident Management: We maintain operational procedures for managing security incidents and breaches, including notification protocols.
- Data Retention and Disposal: We've implemented policies for secure data retention and disposal, in line with privacy regulations.
- Data Protection: We use encryption across communication and storage to safeguard client and internal data both at rest and in transit.
- Non-Disclosure Agreements: We require confidentiality and non-disclosure agreements with employees, contractors, and third parties.
- Purpose Limitation: We use confidential information solely for purposes explicitly stated in agreements.
Our Availability Commitments include:
- System Availability: High uptime availability of production systems in line with SLAs.
- Performance Monitoring: System performance and availability monitoring mechanisms such as CPU, disk space and memory monitoring.
- Timely Response: Clear response times and SLAs to ensure timely communication and follow-up.
- Business Continuity and Disaster Recovery: Detailed business continuity and disaster recovery plans, including RPOs and RTOs.
- Operational Procedures: Procedures that support SOC2 and the achievement of SLA commitments to our customers.
Our Process Mining & AI’s infrastructure includes the cloud hosted networking, compute and database components of Microsoft Azure.
- Azure Virtual Machines (Cloud Compute): Service to run virtual machines
- Azure Front Door (Networking): Cloud content delivery network (CDN) service
- PostgreSQL (Data Storage): Relational database management system for data storage and SQL
Primary software used to support the Intellifold Process Mining & AI platform includes:
- Intellifold platform: Software as a Service system provided to Intellifold Process Mining & AI customers
- Azure Security Services: Cloud security posture management (CSPM) and cloud workload protection (CWP)
- Azure Active Directory: Authentication software used to identify and authenticate users for access control to the systems
- Bitbucket: Source code repository used to manage the software code and version control
- JIRA: Ticketing software used to log requests and issues for software updates
- Google Workspace: Suite of enterprise productivity, collaboration, and communication tools
- Vanta: Compliance platform with automated security & compliance monitoring
Intellifold views its information and information systems as fundamental to our business operations. We allocate resources to enhance information security and practices. We manage risks to our information systems and protect information or data from unauthorised access, loss, or misuse. To manage risks, Intellifold employs a range of access controls, security devices, and monitoring tools across information systems and security practices.
At Intellifold we handle confidential and personal data daily. This includes, but is not limited to, user information, supplier, customer, or product data, financial information, client and login credentials, or information collected from potential clients and third parties. Data Protection Principles and Data Security Measures apply to Personal data, Confidential data, and Sensitive data.
Intellifold adheres to the following data protection principles:
- Lawfulness, Fairness, and Transparency: Data is processed lawfully, fairly, and in a transparent manner.
- Purpose Limitation: Data is collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
- Data Minimisation: Data collected is appropriate, relevant, and limited to what is necessary in relation to the purposes for which it is processed.
- Accuracy: We keep data accurate and updated as needed. All client and third-party data is timestamped to verify accuracy with the provider when necessary. While we are not directly responsible for the accuracy of client or third-party data, we do maintain records of the last update for reference.
- Storage Limitation: Data is kept in a form that permits identification of data subjects for no longer than is necessary and for the purposes for which the data is processed, or to adhere to applicable regulations.
- Integrity and Confidentiality: Data is processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction, or damage.
We aim to maintain the highest levels of security across all servers, laptops, and software products. Appropriate security measures include antivirus software, hard drive encryption, security updates and patches, firewalls, access controls, event monitoring, network service security, access timeouts, password management, and other relevant security protocols. We regularly review and enhance these security measures to align with current technologies and industry-standard practices. We implement the following security measures to protect client, third-party, and internal data:
- Access Control: Access to client and company information is restricted to authorised personnel only. Intellifold products come with comprehensive access control options which can be set per individual component or module. Access rights can be configured with admin, developer, or viewer rights at project, data integration, data model, and solution level. Our software comes with intrusion detection and security logging functionality.
- Encryption: When hosted through Intellifold, all data in storage and in transit is encrypted. Our laptops also have hard drive encryption activated.
- Monitoring & Incident Response: To effectively respond to security incidents, Intellifold utilises monitoring tools to continuously assess and evaluate the performance of its systems. Additionally, antivirus software is deployed across multiple layers of our and our third-party provided infrastructure, enabling regular automatic updates of antivirus definitions and emergency rollouts when necessary. Intellifold has in place a clear incident response plan to address security breaches promptly, minimising potential information loss or exposure, and notifying potentially impacted parties.
- Disaster Recovery & Business Continuity: We have established contingency plans to address potential disruptions to our operations and services. These plans cover scenarios that could affect our software products, client data, or our employees. We have partnered with leading third-party hosting providers to implement backup processes, enabling recovery in the event of a disruption.
- Retention & Disposal: Intellifold retains data as long as the company has a need for its use, or to meet regulatory or contractual requirements. Once data is no longer needed, data is securely disposed of or archived. Data owners, in consultation with legal counsel, may determine retention periods for their data. Data classified as personal, confidential or sensitive is securely deleted when no longer needed. Intellifold will assess the data and disposal practices of third-party vendors. Only third parties who meet Intellifold requirements for secure data disposal shall be used for storage and processing of client and Intellifold data.
- Regular Audits: Regular security audits are conducted to identify and mitigate potential vulnerabilities. Our third-party providers use better practice security standards and are regularly audited for compliance. Intellifold only engages with third-party providers that meet our security standards, and as part of our vendor on-boarding process we evaluate these practices along with any assurance reports to determine appropriateness.
We are very proud to have our processes SOC2 certified in 2025. See Vanta's Trust Center to see implemented controls and current test results.
Also, for our providers we verify compliance with ISO27001 and SOC2 standards. Intellifold complies with all applicable data protection laws, and regular monitoring and reviews are conducted to ensure ongoing compliance. This includes:
- Australian Privacy Act 1988 and the 13 Australian Privacy Principles (APPs) for handling personal information.
- New Zealand Privacy Act 2020 and the 13 Information Privacy Principles for handling personal information.
- General Data Protection Regulation (GDPR) for handling personal data as applicable in the European Union.
- UK General Data Protection Regulation (UK GDPR) as tailored to the United Kingdom and Data Protection Act 2018.
- Personal Data Protection Act (PDPA) as applicable in Singapore and other countries to govern the collection, use, and disclosure of personal data.
- Digital Personal Data Protection Act 2023 (DPDP Act) and Information Technology Act 2000 (IT Act) as applicable for data protection in India.
- California Consumer Privacy Act (CCPA) for resident rights over their personal data, including the right to know what is collected and the right to request deletion.
We are excited to announce that we have successfully completed the SOC 2 Type 2 examination. This milestone underscores our commitment to maintaining the highest standards of security and operational excellence.


- The criteria for a description of a service organisation’s system in DC section 200, 2018 Description Criteria for a Description of a Service Organisation’s System in a SOC 2® Report (AICPA, Description Criteria) with regards to the Description.
- The trust services criteria relevant to Common Criteria/Security, Availability, Confidentiality (applicable trust services criteria) set forth in TSP section 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).