EFFECTIVE DATE: 29/11/2023
Data Processing Addendum
In providing Butly.AI services, Butly.AI processes personal data related to customers, their representatives, end users, and customers' subscribers. In these activities, Butly.AI acts as a processor on behalf of a customer and as a controller. This Data Processing Addendum (“DPA”) outlines the terms and conditions of such processing by Butly.AI.
​
This DPA is an integral part of the Terms of Service (“Agreement”) entered into by and between Butly.AI, Inc., its subsidiaries or affiliates, as applicable (“Butly.AI”) and the customer, the party to the Agreement (“Customer”).
​
Table of Contents
​
- Data Processing Addendum
1.1. Definitions
1.2. Relationships of the Parties
1.3. Sub-processing
1.4. Security Measures
1.5. Security Reviews and Reports
1.6. Data Breach and Notification
1.7. Data Subject Rights and Cooperation
1.8. Return or Deletion of Data
1.9. Miscellaneous
​
ANNEX 1. Details of Processing
1A. Butly.AI as a Processor
1B. Butly.AI as a Controller
​
ANNEX 2. Security Measures
​
ANNEX 3. International Provisions and Jurisdiction Specific Terms
​
​
1. Definitions
“Applicable Data Protection Laws” means all privacy and data protection laws and regulations applicable to either party under the Agreement. Each party determines its own Applicable Data Protection Laws and understands that the Applicable Data Protection Laws for Butly.AI and for Customer may be different.

“Controller” means a person or legal entity that determines the purposes and means of the Personal Data Processing.
​
“Customer” means Party to the Agreement with Butly.AI. Customer may be a client, marketing agency, individual, individual entrepreneur or legal entity on behalf of which End Users use the Service.
​
“Customer Account Data” means Personal Data related to Customer, its representatives and End Users which Butly.AI processes as a separate Controller as more particularly described in this DPA.
“Customer Content” means Personal Data related to End Users and Customer’s Subscribers which Butly.AI processes on behalf of Customer as a Processor in the course of providing the Service, as more particularly described in this DPA.
​
“Customer’s Subscribers” means Data Subjects with whom Customer communicates through use of the Service and/or whose data is uploaded to the Service by Customer (customers, prospective customers, social media and messaging platform contacts or other individuals).
​
“Data Breach” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Butly.AI. Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
​
“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
“End Users” means Customer and other Data Subjects with lawful access to the Service on behalf of or under a lawful authorization of Customer.
​
“Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Applicable Data Protection Laws and means any information relating to Data Subject. Under this DPA, Personal Data covers Customer Content and Customer Account Data. If the term Personal Data is used, then such provisions apply to both Customer Content and Customer Account Data.
​
“Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
​
“Processor” means an entity that processes Personal Data on behalf of a Controller.
​
“Service” means any product or service provided by Butly.AI to Customer pursuant to the Agreement.
​
“Sub-processor” means any Processor engaged by Butly.AI to assist in fulfilling its obligations with respect to providing the Service pursuant to the Agreement or this DPA.
​
All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement.
​
​
2. Relationships of the Parties
2.1. Butly.AI as a Processor.
The parties acknowledge and agree that with regard to the Processing of Customer Content, Butly.AI is a Processor acting on behalf of Customer (whether itself a Controller or a Processor). Butly.AI Processes Customer Content in accordance with Customer’s instructions as set forth in Section 2.4. Butly.AI shall Process Customer Content only for the purposes described in this DPA and only in accordance with Customer’s instructions.
​
2.2. Butly.AI as a Controller.
The parties acknowledge that, with regard to the Processing of Customer Account Data, Butly.AI is an independent controller, not a joint controller with Customer. Butly.AI will Process Customer Account Data as a Controller in order to carry out the necessary functions, such as entering into the agreement, account management, compliance with law, accounting, tax, billing, audit, sales and marketing communication with Customer. Butly.AI will Process such data in accordance with its Privacy Policy, which can be found at www.az-group.io/privacy, and with applicable provisions of this DPA.
​
2.3. Details of Data Processing.
Details of Processing Customer Content and Customer Account Data are set in Annex 1. It further specifies the nature and purpose of the Processing, the duration of the Processing, the types of personal data and categories of data subjects, sources of Personal Data, Processors and Sub-processors engaged by Butly.AI.
​
2.4. Customer Instructions.
Butly.AI will Process Customer Content only in accordance with Customer’s instructions. By entering into the Agreement, including this DPA, Customer instructs Butly.AI to Process Customer Content in order to provide the Service.
​
2.5. Customer as a Processor.
If Customer is a processor on behalf of some other Controller, Customer warrants on an ongoing basis that the relevant Controller has authorized the instructions described in DPA and the appointment of Butly.AI as a sub-processor and Butly.AI’s engagement of Sub-processors as described in Section 3. Customer will immediately forward to the relevant Controller any notice provided by Butly.AI under this DPA to Customer (on the engagement of a new Sub-processor, Data Breach, request of data subjects, etc.).
​
2.6. Compliance with Law.
Each party will comply with its obligations under its Applicable Data Protection Laws with respect to its Processing of Personal Data.
​
2.7. Customer’s Obligations.
Customer agrees that it shall comply with its obligations under Customer’s Applicable Data Protection Laws with respect to its Processing of Personal Data and any processing instructions it issues to Butly.AI. In particular, Customer must provide notice and obtain all consents (or other legal grounds) and rights necessary under Customer’s Applicable Data Protection Laws for engaging Butly.AI to Process Customer Content on behalf of Customer and transfer of Customer Account Data to Butly.AI pursuant to the Agreement and this DPA.
​
Customer must inform Butly.AI about any requirements for the Processing of Customer Content by Butly.AI that are set under Customer’s Applicable Data Protection Laws and are not covered directly by this DPA.
​
​
3. Sub-processing
3.1. Authorized Sub-processors.
Customer specifically authorizes and agrees that Butly.AI may engage Sub-processors to Process Customer Content. The Sub-processors currently engaged by Butly.AI and authorized by Customer are available at www.az-group.io/privacy. Customer also generally authorizes Butly.AI to engage new Sub-processors to Process Customer Content subject to procedure set in Section 3.3 of DPA.
​
3.2. Sub-processor Obligations.
With respect to all Sub-processors Butly.AI shall:
- enter into a legally binding agreement with the Sub-processor, imposing data protection obligations substantially similar to those set out in this DPA; and
- remain responsible for the Sub-processor’s compliance with the obligations of this DPA and for any acts or omissions of the Sub-processor that cause Butly.AI to breach any of its obligations under this DPA.
​
3.3. Engagement of New Sub-processors.
Butly.AI will notify Customer about the engagement of any new Sub-processor, if Customer subscribes to receive such updates at www.az-group.io/privacy. Butly.AI will send such notice at least ten (10) calendar days before the new Sub-processor accesses Customer Content. If Butly.AI reasonably believes that engaging a new Sub-processor and providing access to Customer Content on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Content or avoid material disruption to the Service, Butly.AI will give such notice as soon as reasonably practicable.
​
3.4. Objection.
If, within five (5) calendar days after receipt of notice from Butly.AI, Customer notifies Butly.AI that Customer objects to Butly.AI's appointment of a new Sub-processor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement and DPA for convenience with no refunds and Customer will remain liable to pay any committed fees in an order form, order, statement of work or other similar ordering documents.
If Customer does not notify Butly.AI of objections, within the specified period, Butly.AI is deemed authorized to engage a new Sub-processor by Customer.
​
​
4. Security Measures
4.1. Adequate Measures.
Butly.AI will implement and maintain throughout the term of this DPA technical and organizational security measures set forth in Annex 2 (“Security Measures”) to protect Personal Data from Data Breach and to preserve the security and confidentiality of the Personal Data, in accordance with Butly.AI’s security standards.
​
4.2. Confidentiality of Processing.
Butly.AI shall ensure that any person who is authorized by Butly.AI to Process Personal Data (including its staff, agents, subcontractors and Sub-processors) shall be under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
​
4.3. Customer Responsibilities.
Customer acknowledges and agrees that:
- it has reviewed and assessed the list of Security Measures and deems it appropriate for the protection of Personal Data under Customer’s Applicable Data Protection Laws and provides appropriate safeguards for cross-border transfer of Personal Data, if applicable. Upon a Customer request, Butly.AI may implement additional measures or safeguards that may be reasonably required to enable the lawful transfer of Personal Data.
- except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials and protecting the security of Personal Data when in transit, securing Customer’s systems and devices that it uses for accessing the Service.
​
4.4. Updates to Security Measures.
Customer acknowledges that the Security Measures are subject to technical progress and development and that Butly.AI may update or modify the Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Service purchased by the Customer. Customer is responsible for reviewing the information made available by Butly.AI relating to updated data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Customer’s Applicable Data Protection Laws.
​
​
5. Security Reviews and Reports
5.1. Security Reports.
Butly.AI uses external auditors to verify the adequacy of its security measures and obtained ISO 27001 certification for the Service. Such audits are performed at least annually by independent third-party security professionals at Butly.AI’s selection and result in the generation of a confidential audit report (“Audit Report”). Upon written request, and subject to reasonable confidentiality controls, Butly.AI will make available to Customer a summary copy of Butly.AI’s most recent Audit Report.
​
5.2. Security Due Diligence.
In addition to the Audit Report, Butly.AI will respond to reasonable requests for information sent by Customer to confirm Butly.AI’s compliance with this DPA, including responses to Customer’s information security and due diligence questionnaires. Customer shall not exercise this right more than once per calendar year.
​
​
6. Data Breach and Notification
​
6.1. Notification Timeframe.
Upon becoming aware of a confirmed Data Breach, Butly.AI will notify Customer without undue delay and in no event later than 52 hours after the discovery of such incident unless prohibited by applicable law. A delay in giving such notice requested by law enforcement and/or in light of Butly.AI's legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay.
​
6.2. Content of Notification.
Such notices will describe, to the extent possible, details of the Data Breach, including steps taken to mitigate the potential risks and steps Butly.AI recommends Customer take to address the Data Breach.
​
6.3. Cooperation by Butly.AI.
Butly.AI shall cooperate with Customer and take such reasonable commercial steps to assist in the investigation, mitigation and remediation of each such Data Breach. Butly.AI’s notification of or response to a Data Breach under this section will not be construed as an acknowledgment by Butly.AI of any fault or liability with respect to the Data Breach.
​
6.4. Data Breach Notification to Authorities and Data Subjects.
Customer is solely responsible for fulfilling any third-party notification obligations related to any Data Breach under the Customer’s Applicable Data Protection Laws (e.g. notification to data protection authorities or communication to Data Subjects).
​
​
7. Data Subject Rights and Cooperation
7.1. Data Subjects Requests.
Butly.AI will upon Customer’s request provide Customer with the assistance that may be reasonably required by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws to respond to Data Subjects’ requests to exercise their rights under Customer’s Applicable Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection), in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Service.
​
7.2. Authorization for Direct Requests to Butly.AI.
If Butly.AI receives a request from a Data Subject in relation to Customer Content, for unsubscription of the Data Subject from messages sent by Customer through the Service or for deletion of Customer Content in the Service with respect to the Data Subject in part or entirely, Customer authorizes and instructs Butly.AI to unsubscribe or delete Content Data related to such Data Subject.
​
7.3. Assistance by Butly.AI.
Butly.AI will provide Customer with reasonable assistance specifically requested by Customer to comply with its obligations under Customer’s Applicable Data Protection Laws, taking into account the nature of processing and the information available to Butly.AI as a Processor (e.g. with respect to the security of Processing, notification of Data Breach, data protection impact assessment, prior consultations with supervisory authorities). If such reasonable assistance requires Butly.AI to assign significant resources to that effort, it will be provided at a Customer’s expense.
​
​
8. Return or Deletion of Data
8.1. Upon receipt of a request by Customer and following the termination of the Agreement, Butly.AI must delete or return to Customer all Customer Content from Butly.AI’s systems. Notwithstanding the foregoing, Customer understands that Butly.AI may have to retain some parts of Customer Content if required by law according to its data retention policies and such data will remain subject to the requirements of this DPA.
​
​
9. Miscellaneous
9.1. Processing in the United States.
Customer acknowledges that provision of the Service and Butly.AI’s related activities as a Controller may also require processing of Personal Data by Sub-processors or Processors in countries outside the EEA, including in the United States.
​
9.2. Way of Communication.
Butly.AI shall send all notifications mentioned in this DPA via the email provided by Customer during the sign-up process or post them in the user interface of the Service. All objections and requests by Customer mentioned in this DPA or other communication related to Processing of Personal Data must be sent by Customer to the same email from which Customer received Butly.AI’s notification or to hello@az-group.io.
​
9.3. Claims.
Any claims brought under or in connection with this DPA shall be subject to the terms and conditions, including but not limited to the exclusions and limitations, set forth in the Agreement.
​
9.4. No Third-party Beneficiary Rights.
This DPA does not confer any third-party beneficiary rights, it is intended for the benefit of the parties hereto and their respective permitted successors and assigns only, and is not for the benefit of, nor may any provision hereof be enforced by, any other person.
​
9.5. Governing Law.
This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by Customer’s Applicable Data Protection Laws or set in Jurisdiction Specific Terms under Annex 3.
​
9.6. Termination.
This Addendum will automatically terminate upon expiration or termination of the Agreement. Termination of DPA is only possible subject to termination of the Agreement.
​
9.7. Liability.
Customer further agrees that any regulatory penalties incurred by Butly.AI in relation to the Personal Data that arise as a result of, or in connection with, Customer’s failure to comply with its obligations under this DPA or any Customer’s Applicable Data Protection Laws shall count toward and reduce Butly.AI’s liability under the Agreement as if it were a liability to the Customer under the Agreement. Butly.AI is liable for any regulatory penalties incurred by Customer or Butly.AI in relation to the Personal Data that arise as a result of, or in connection with, Butly.AI’s failure to comply with its obligations under this DPA or Butly.AI’s Applicable Data Protection Laws.
Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of its Applicable Data Protection Laws.
​
9.8. Relationship with the Agreement.
This DPA forms an integral part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA will govern. The parties agree that this DPA shall replace any existing DPA the parties may have previously entered into in connection with the Service.
​
​
ANNEX 1. Details of Processing
​
1A. Butly.AI as a Processor
​
Purpose and nature of Processing
Provision of the Service under the Agreement, including provision of support to the Customer, communicating regarding Customer Account (sending announcements, technical notices, updates, security alerts, and support and administrative messages) and responding to Service-related requests, questions and feedback, logging of activities, errors and incidents tracking, bugs and errors fixing, ensuring the accessibility, security and usability of the Service and its improvement in the interest of Customer.
​
Period for which the personal data will be retained
Until the termination or expiration of the Agreement in accordance with its terms.
​
Categories of data subjects
- End Users
- Customer’s Subscribers
​
Categories of personal data
End Users: identification information (name, email), publicly available social media profile information, linked pages and accounts, IT information (IP addresses, geographic location, usage data, cookies data, browser data), financial information (credit card details, account details, payment information).
Customer’s Subscribers:
- identification information, publicly available social media profile information (photo, name, date of birth, gender, geographic location),
- chat history and content, chatbot usage information and other electronic data submitted, stored, sent, or received by End Users and other personal information, the extent of which is determined and controlled by the Customer in its sole discretion,
- IT information (IP addresses, geographic location, usage data, cookies data, browser data).
​
Sensitive data
No. Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
​
The frequency of the transfer
On a continuous basis until it is deleted in accordance with the Agreement and DPA terms.
​
Data source
Customers (or End Users) sign-up process and use of the Service by Customer (End User), including communication with subscribers and third-party integrations and apps linked by Customer (e.g. Facebook, Inc., Instagram, Telegram, Zapier and other integrations and apps specified which are linked by Customer to its account in the Service).
​
Onward transfer
See the list of Sub-processors at www.az-group.io/privacy.
The duration of sub-processing is limited to the retention period of Processing by Butly.AI specified in this list.
​
​
1B. Butly.AI as a Controller
​
Purpose and nature of Processing
Entering into the Agreement, account management, compliance with laws, including sanction laws, accounting, tax, billing, audit, sales and marketing communication with Customer.
​
Period for which the personal data will be retained
Until the termination of the Agreement, unsubscription from marketing communications and expiration of retention period required by law.
​
Categories of data subjects
- Customer and its representatives
- End Users
​
Categories of personal data
Customer and its representatives: full name, title, company, email.
End Users: identification information (id, name, email, status), linked pages and accounts, products in use, IT information (IP addresses, geographic location), financial information (credit card details, account details, payment information).
​
Sensitive data
Other types of Personal Data are also not used to indirectly reveal information about racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, health, sex life, or sexual orientation.
​
The frequency of the transfer
On a continuous basis until it is deleted in accordance with the Agreement and DPA terms.
​
Data source
Customers sign up process and use of the Service by Customer.
​
Onward transfer
See the list of Service Providers at www.az-group.io/privacy.
We may also disclose Personal Information to public authorities, such as law enforcement, if we are legally required to do so.
​
​
ANNEX 2. Security Measures
​
Butly.AI implements and maintains technical and organizational security measures designed to protect Personal Data from Data Breaches. We currently observe the Security Measures described in this Annex 2. If applicable, this Annex 2 serves as Annex II to the EU Standard Contractual Clauses.
​
1. Security Program and Policies
​
1.1. Butly.AI maintains and enforces a risk-based security program and framework that addresses how we manage security. Butly.AI’s security framework is based on the ISO 27001 Information Security Management System and includes the following areas: Policies and Procedures, Asset Management, Access Management, Cryptography, Physical Security, Operations Security, Communications Security, Business Continuity Disaster Recovery Security, People Security, Product Security, Cloud and Network Infrastructure Security, Security Compliance, Third-Party Security, Vulnerability Management, and Security Monitoring and Incident Response.
​
1.2. Our security program includes:
- documented policies that we approve, publish and communicate to appropriate personnel internally and review at least annually,
- documented, clear assignment of responsibility and authority for security program activities,
- regular testing of the key controls, systems and procedures.
​
2. Risk and Asset Management
​
2.1. Butly.AI utilizes an integrated risk management approach with a focus on both technical and operational security practices. Ongoing and systematic risk assessment is a consistent part of selecting appropriate improvement protection controls and ensuring that Personal Data is safe.
​
2.2. Butly.AI takes reasonable actions to identify assets and their level of criticality. The full inventory and categorization are the basis to select and implement optimal technical and organizational security measures to make sure that the assets and information are protected.
​
3. Personnel security and awareness
​
3.1. Butly.AI's personnel (employees and contractors) do not process Personal Data without authorization. Personnel is obligated to maintain the confidentiality of any Personal Data and this obligation continues even after their engagement ends.
​
3.2. Butly.AI's personnel (employees and contractors) acknowledge their data security and privacy responsibilities under Butly.AI's policies.
​
3.3. Butly.AI is focused on employee security awareness as a key driver to improve overall security maturity level and culture. Butly.AI's personnel (employees and contractors) conduct security and privacy training at least annually.
​
3.4. Pre-employment verification checks are carried out on all new employees and contractors.
​
4. Access Management
​
4.1. Butly.AI manages access based on “Need to know” and “Least privilege” principles. That means that personnel is only permitted to have access to Personal Data when needed for the performance of their functions.
​
4.2. Butly.AI deactivates the authentication credentials of personnel immediately upon the termination of their employment or services.
​
4.3. In order to access the production environment and critical systems, a user must have a unique username and password and multi-factor authentication enabled.
​
4.4. Butly.AI implements measures to prevent information systems from being used by unauthorized persons, including the following measures: (a) user identification and authentication procedures; (b) unique username/password; (c) password complexity policies (special characters, minimum length, change of password); (d) automatic blocking (e.g., password or timeout).
​
4.5. Butly.AI performs access monitoring and logging for the production environment and critical systems.
​
5. Technical and Application Security Measures
​
5.1. Butly.AI has implemented and will maintain appropriate technical and application security measures, internal controls, and information security routines intended to protect Personal Data against accidental loss, destruction, or alteration; unauthorized disclosure or access; or unlawful destruction as follows:
- Segregation of environments. Butly.AI segregates development and production environments to make sure that Personal Data is protected from any kind of unauthorized access.
- Encryption in transit. All external network communications are protected with encryption. We support the latest recommended secure cipher suites to encrypt all traffic in transit, including the use of TLS 1.2 protocols, AES256 encryption, and SHA2 hash functions, whenever supported by the clients.
- Encryption at rest. Customer data at rest is encrypted using FIPS 140-2 compliant encryption standards, which applies to all types of data at rest within Butly.AI's systems—relational databases, file drives, backups, etc. Access to cryptographic keys is restricted to a limited number of authorized Butly.AI personnel.
- Redundancy. Butly.AI selects IT Infrastructure suppliers that are committed to provide mechanisms with built-in security best practices for confidentiality, integrity, and availability. Butly.AI's main IaaS provider AWS (Frankfurt, EU) is committed to meet the strict Disaster Recovery (DR) Service Level Agreement.
- Vulnerability assessment. Butly.AI performs automated and manual application and infrastructure security testing to identify and patch potential security vulnerabilities. Critical software patches are evaluated, tested, and applied proactively.
- Penetration Testing. We engage independent service providers to perform penetration tests to assess the potential system security threats at least on an annual basis.
- Software Development and Acquisition. Butly.AI follows security-by-design principles across different phases of the Service creation lifecycle from requirements gathering and product design all the way through product deployment. For the software developed by Butly.AI, Butly.AI follows secure coding standards and procedures set out in its standard operating procedures.
- Storage. Butly.AI's production databases and data processing servers are hosted in a data center located in AWS (Frankfurt, EU). Butly.AI maintains complete administrative control over the databases and virtual servers, and no third-party vendors have logical access to Personal Data.
- Change Management. Butly.AI implements documented change management procedures that provide a consistent approach for controlling, implementing, and documenting changes (including emergency changes) for Butly.AI's software, information systems or network architecture.
- Network security. All network access between servers is restricted, using access control lists to allow only authorized services to interact in the network. We utilize third-party tools to detect, mitigate, and prevent Distributed Denial of Service (DDoS) attacks.
​
6. Third-Party Provider Management
​
6.1. Butly.AI may use third-party providers to provide the Services. In selecting third-party providers who may gain access to, store, transmit or use Personal Data, Butly.AI conducts a quality and security assessment pursuant to the provisions of its standard operating procedures.
​
6.2. Butly.AI enters into written agreements with all of its providers which include confidentiality, privacy, and security obligations that provide an appropriate level of protection for Personal Data that these providers may Process.
​
7. Physical and Environmental Security
​
7.1. Butly.AI uses AWS data centers to host its production infrastructure. AWS data centers are strictly controlled both at the perimeter and at building ingress points by professional security staff utilizing video surveillance, intrusion detection systems, and other electronic means. Each data center has redundant electrical power systems that are available twenty-four (24) hours a day, seven (7) days a week.
​
7.2. Butly.AI offices have a physical security program that manages visitors, building entrances, video surveillance, and overall office security. All employees, contractors, and visitors are required to wear identification badges.
​
7.3. Butly.AI reviews third-party audit reports to verify that Butly.AI's service providers maintain appropriate physical access controls for the managed data centers.
​
8. Resilience and Service Continuity
​
8.1. Butly.AI implements measures to ensure the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident, including:
- Ongoing Personal Data backup procedures. Backups are retained redundantly across multiple availability zones and encrypted in transit and at rest.
- Butly.AI uses specialized tools to monitor the Service performance. The alert is triggered in the event of any suboptimal server performance or overloaded capacity.
- Disaster recovery plans are in place to recover in case of Personal Data availability issues.
​
9. Security Certifications and Attestations
​
9.1. Butly.AI holds the following security-related certifications and attestations:
- ISO 27001 Certification. The International Organization for Standardization 27001 Standard (ISO 27001) is an information security standard that ensures office sites, development centers, support centers, and data centers are securely managed. This certification is valid for 3 years (renewal audits) and is subject to annual touchpoint audits (surveillance audits).
​
10. Information Security Incident Management
​
10.1. Butly.AI implements security incident management policies and procedures that address how we manage Data Breach and other security incidents.
​
10.2. In case of a Data Breach, Butly.AI will promptly investigate the incident upon discovery. To the extent permitted by applicable law, Butly.AI will notify Customer of a Data Breach. Data Breach incident notifications will be provided to Customers via email or in another way agreed with Customer.