Supplier Data Integrity and Compliance Policy

Introduction

Airolabs.ai (“Airolabs.ai”) is committed to maintaining the highest standards of information security and data protection. This Supplier Compliance Policy outlines the obligations and expectations for our Suppliers regarding the confidentiality, integrity, and availability of information. Suppliers are expected to adhere to these principles and guidelines to ensure compliance with our security and data protection standards.

a) For India Suppliers: Access our Information Security Management System Policy Statement.

b) For US Suppliers: Access our Information Security Management System Policy Statement.

Definitions

For the purpose of this policy:

a. Supplier: Any individual, company, or entity that provides goods, services, or access to systems or data to Airolabs.ai.

b. MSA (Master Services Agreement) / MCA (Master Consulting Agreement): A formal written agreement that outlines the terms and conditions under which a Supplier provides goods or services to Airolabs.ai.

c. NDA (Non-Disclosure Agreement): A legally binding agreement that governs the sharing of confidential information between Airolabs.ai and a Supplier.

d. Confidential Information:
Any information, data, or material that is not publicly available or generally known, which is considered sensitive, proprietary, or confidential by Airolabs.ai. This includes, but is not limited to, trade secrets, customer data, business plans, financial information, pricing and costs, proprietary software, and any information marked as "confidential."

e. Data Encryption: The process of converting plain-text data into an unreadable format (cipher text) using encryption algorithms and encryption keys to protect data confidentiality.

f. Incident Response Plan: A documented strategy outlining the actions to be taken when a security incident or data breach occurs, including procedures for identifying, containing, and mitigating the incident.

g. Data Classification Framework: A systematic approach for categorizing data based on its sensitivity or criticality to the organization, often using labels such as "confidential," "internal use only," or "public."

h. Encryption Protocols: Secure communication methods and standards, such as TLS (the current successor to SSL), IPsec, or PGP, used to protect data during transmission over networks.

i. Vulnerability Assessment: A systematic process of identifying and evaluating weaknesses in systems, applications, or processes that could be exploited by attackers.

j. Penetration Testing: A simulated attack on a computer system or network to identify vulnerabilities and assess security controls.

k. Data Retention Policy: A documented policy that defines how long data should be retained and when it should be securely disposed of or archived based on legal, business, and regulatory requirements.

l. Access Control Systems: Technical and physical mechanisms, such as key cards, biometrics, and authentication protocols, used to regulate access to facilities or systems.

Confidentiality, Integrity, and Availability of Information

a. Access Control: Suppliers shall implement robust access controls, including role-based access, strong authentication, and authorization mechanisms, as specified by Airolabs.ai.

b. Data Encryption: Suppliers must encrypt sensitive data both at rest and in transit using industry-standard encryption protocols approved by Airolabs.ai.

c. Regular Audits: Suppliers shall conduct periodic security audits and assessments to identify vulnerabilities and ensure compliance with Airolabs.ai's security policies.

d. Incident Response Plan: Suppliers must develop and maintain an incident response plan to address security breaches promptly and effectively in accordance with Airolabs.ai's guidelines.

e. Employee Training: Suppliers shall provide comprehensive security training to their employees to raise awareness and educate them on security best practices as defined by Airolabs.ai. Airolabs.ai expects the Supplier to demonstrate this as and when required.

Mitigation of Non-Compliance

a. Monitoring Tools: Suppliers are expected to implement continuous monitoring tools and systems to detect non-compliance issues in real-time and report them to Airolabs.ai.

b. Escalation Process: Suppliers must define a clear escalation process to report and address non-compliance, involving relevant stakeholders at Airolabs.ai. The Escalation matrix for the purpose of this clause is defined herein below:

c. Corrective Actions: In the event of non-compliance, Suppliers are required to develop a corrective action plan that includes root cause analysis and preventive measures. These plans must be shared with Airolabs.ai.

d. Documentation: Suppliers shall maintain documentation of all non-compliance incidents and actions taken for future reference and improvement. These records must be made available to Airolabs.ai upon request.

Information Transfer and Security

a. Data Classification: Suppliers shall classify data based on its sensitivity to determine appropriate transfer mechanisms and security controls in alignment with Airolabs.ai's data classification framework.

b. Secure Data Transfer Protocols: Suppliers are obligated to use secure communication protocols (e.g., VPNs, encrypted channels) for transferring sensitive information as per Airolabs.ai's standards.

c. Data Transfer Logs: Maintain logs of data transfers to ensure transparency and traceability. Provide access to these logs for auditing purposes if requested by Airolabs.ai.

d. Data Transfer Agreements: Suppliers must establish clear agreements and protocols for transferring data to Airolabs.ai, including responsibilities, encryption requirements, and other security measures.

Secure Disposal of Information

a. Data Retention Policy: Suppliers shall develop and enforce a data retention policy specifying how long data should be retained and when it should be securely disposed of, aligning with Airolabs.ai's policies.

b. Secure Shredding: Use secure shredding methods for physical documents and data storage devices in accordance with Airolabs.ai's guidelines and certification requirements.

c. Data Wiping: Employ secure data wiping techniques for electronic storage devices to prevent data recovery, following Airolabs.ai's recommended standards.

d. Documentation of Disposal: Maintain records of the disposal process, including dates and methods used, and provide these records to Airolabs.ai upon request.

Personnel and Physical Security

a. Access Control Systems: Suppliers must implement access control systems (e.g., key cards, biometrics) to restrict physical access to facilities as required by Airolabs.ai.

b. Visitor Logs: Maintain visitor logs and require visitors to sign in and out when entering and leaving facilities in line with Airolabs.ai's visitor access policies.

c. Employee Background Checks: Conduct background checks on employees to ensure trustworthiness and security clearance, if applicable, as specified by Airolabs.ai.

d. Security Awareness Training: Provide security awareness training to employees regarding physical security measures and procedures, following Airolabs.ai's standards.

Information Access and Handling

a. Access Requests: Suppliers shall establish a formal process for requesting access to information and assets, including approval mechanisms consistent with Airolabs.ai's access control policies.

b. Access Logs: Maintain access logs to track who accessed what information and when, and provide access to these logs for auditing purposes as needed by Airolabs.ai.

c. Data Encryption: Suppliers must apply encryption to sensitive data both in storage and during transmission as required by Airolabs.ai's encryption standards.

d. Data Handling Procedures: Develop and communicate clear procedures for handling sensitive information, including secure storage and disposal, following Airolabs.ai's guidelines.

e. Data Subjects Requests: If the Supplier receives requests from data subjects (individuals whose data is processed) regarding their rights under data protection laws, such as access, rectification, erasure, or data portability, the Supplier shall promptly inform Airolabs.ai and assist as necessary to fulfill these requests.

f. Disaster Recovery Site:

  • The Supplier is responsible for establishing and maintaining a disaster recovery site at a geographically separate and secure facility. This site will serve as a critical component to ensure the continuity of services in the event of a catastrophic failure or disaster.

  • The Supplier shall conduct regular backups of all critical data and systems to minimize data loss, and shall perform routine testing and maintenance of the disaster recovery site to verify its effectiveness in restoring services.

  • The Supplier is also required to maintain up-to-date documentation of the disaster recovery procedures, which shall be made available to Airolabs.ai upon request. This clause is essential to guarantee that the Supplier has a robust plan in place for business continuity, safeguarding the interests of Airolabs.ai.

g. Change Management:

  • The Supplier shall promptly notify Airolabs.ai of any proposed changes to the services or systems that may impact service levels, security, or compliance.

  • The Supplier shall establish a formal change request process that outlines how changes will be documented, evaluated, approved, and implemented. Prior to implementing any changes, the Supplier shall conduct a thorough impact assessment to evaluate potential risks, including security and compliance considerations.

  • Significant changes shall require prior written approval from Airolabs.ai, and the Supplier shall provide a detailed plan for implementation. All changes, including their impact assessments, approvals, and implementation plans, shall be documented and made available for review by Airolabs.ai.

  • The Supplier shall conduct testing and validation of changes before production implementation to ensure minimal disruption and maintain service levels. A rollback plan shall be in place for each change to mitigate any unforeseen issues, and it shall be communicated to Airolabs.ai. This change management process ensures that any changes to the services or systems are carefully planned, evaluated, and documented to minimize risks, disruptions, and maintain compliance and security standards.

Indemnity and Penalties for Non-Compliance

a. Non-Compliance Penalty: In case of non-compliance, the Supplier shall be liable to pay a penalty determined as specified in the agreement with Airolabs.ai. In case no quantum is defined in the Agreement, the damages payable for the violation / breach of this policy shall be USD 100,000 or the actual damage, whichever is higher.

b. Legal Costs: The Supplier shall cover all legal costs, including attorney's fees, arising from their non-compliance, as outlined in the agreement.

c. Financial Damages: The Supplier shall compensate Airolabs.ai for any financial damages resulting from their non-compliance in accordance with the terms of the agreement.

d. Corrective Action: The Supplier must take immediate corrective actions to address non-compliance issues and prevent recurrence, as directed by Airolabs.ai.

e. Termination: Airolabs.ai reserves the right to terminate the agreement in cases of severe or repeated non-compliance, as specified in the agreement.

f. Audit Costs: The Supplier shall cover the costs of additional audits to verify compliance after a non-compliance incident, as detailed in the agreement.

Data Breach Notification

a. Prompt Notification: In the event of a data breach, the Supplier shall promptly, and not later than 48 hours from the time of such incident, notify Airolabs.ai in accordance with legal requirements and provide assistance in mitigating potential harm, as outlined in the agreement.

Training and Awareness

a. Employee Training: Ensure that employees are adequately trained and aware of data protection and information security practices, fostering a culture of vigilance and responsibility, as detailed in Airolabs.ai's security awareness program.

Continuous Improvement

a. Regular Review: Commit to regular review and update of security measures to adapt to evolving threats and regulations, aiming for continuous improvement in data protection and information security practices in collaboration with Airolabs.ai.

Incorporation into Other Agreements and Conflict Resolution

Wherever referenced, this document shall be read as part of the applicable MSA, NDA, or any other document governing the relationship between Airolabs.ai and the Supplier. In case of any conflict between this policy and an agreement document, the terms and conditions of the agreement document shall prevail.

By entering into a business relationship with Airolabs.ai, Suppliers acknowledge and agree to comply with this Supplier Compliance Policy and all related agreements and standards. Failure to meet these obligations may result in penalties, termination of agreements, and legal actions. Airolabs.ai is committed to working collaboratively with Suppliers to ensure the highest level of security and data protection for all stakeholders.

Effective Date:

This Supplier Data Integrity and Compliance Policy is effective from May 4th, 2023 and it supersedes all existing policies on the subject matter.
