Privacy policy.

Security Incident Notification

Alleaves will notify its customers within twenty-four (24) hours of learning of any event that may have compromised the confidentiality, integrity, or availability of any of its customer’s Data (a “Security Incident”).  Alleaves will provide its customers with (i) the date and time of the breach and the cause of the breach, if known; (ii) the identity and addresses, if available, of any individuals whose Personal Data may have been affected by the Security Incident and are part of its customers Data; (iii) the categories of data that may have been impacted; and (iv) the steps that Alleaves is taking to investigate and remediate the Security Incident.  Alleaves will take all reasonable efforts to remediate any Security Incident.  Alleaves will provide its customers with all information available information and documentation related to the Security Incident for its customers to determine the scope of its legal obligations for the Security Incident, including, without limitation providing access to log data of the Security Incident. Alleaves shall refrain from notifying, for or on behalf of its customers, any regulatory authority, consumer or other people of any such Security Incident unless its customers specifically request in writing that Alleaves do so.  its customers will have sole discretion for determining the content of any notices provided by its customers or related to its customers Data that was affected in any way by the Security Incident.

Access Controls

Appropriate controls include, but are not limited to, administrative controls that include policies and procedures, background checks, security and other relevant training on reasonable information security and privacy practices including the requirements under Applicable Laws, change of status controls, separation of duty controls, monitoring and supervising, use of least privileged access, testing of security controls, mechanisms, and procedures, and technical controls that include firewalls, encryption audit logs, antivirus software, alarms and alerts, limits to concurrent sessions for the same credentials, session lock after a period of inactivity, implementation of the principle of least privilege for granting access, access control list, intrusion detection system, and intrusion prevention system.  As part of its security obligations,.

Identification, Authentication, and Authorization Controls.

Appropriate controls include, but are not limited to, issuing identification values (e.g., user name or its customers count number) to ensure end users’ identity, using authentication methods to prove end user identity the ability to implement two-factor authentication, and using authorization methods to control the access of objects by end users

Vulnerability and Patch Management.

Alleaves will promptly address any flaws or weakness in the Service or any Alleaves systems security procedures, design, or implementation that could be exercised and result in harm or unauthorized access to a system, the Service, or its customers Data through an Update to prevent the foregoing.  Unless otherwise specified by its customers, security Updates will be applied within fourteen (14) days from its release for critical Updates, sixty (60) days for important security patches, and twelve (12) months for all other applicable Updates.

Risk Management Practices.

Alleaves has implemented and will maintain internal risk management practices to ensure the confidentiality, integrity, and availability of its customers Data.

Privacy Practices.

Alleaves has implemented and maintained a privacy program that complies with all Applicable Laws.  Alleaves complies and will comply throughout the Term, with its privacy notices and policies and any other notices and policies of Alleaves that relate to the use, collection, transfer, processing, access, protection, storage, or destruction of any type of Personal Data.

Annual Security Assessment.

Alleaves will perform an annual security assessment and will evaluate risks to the confidentiality, integrity, and availability of its customers data on Alleaves’s network or systems and a documented plan to correct or mitigate risks as described in industry standard guidance.

Data Sanitization and Safe Disposal.

Where disposal of its customers confidential information is approved, Alleaves agrees that disposal or reuse of all media, hardware, or portable devices that may have contained its customers confidential information shall be subject to a data sanitization process that meets or exceeds DoD 5220.22-M 3-pass specifications or any future specification that may replace it. Certification of the completion of data sanitization shall be provided to its customers within 10 days of completion.

Restrictions on Use and Sharing of its Customers Data.

Except as necessary for Alleaves to provide the service or to carry out its obligations as expressly set forth in this Agreement, Alleaves may not (i) use its customers data for any purpose, including without limitation aggregation, market research, and benchmarking or share, license, release, transfer, sell or convey its customers Data to any third party.

Domestic Service.

Alleaves warrants that the data center(s) that are used to host, store, or process its customers Data are strictly confined to the continental United States and no customer data shall be sent, processed, stored or hosted anywhere in the world outside of the continental United States, except at the direction of its customers.

System Backups.

Alleaves will daily back-up its customers data to a commercially reasonable location and in a commercially reasonable manner.  Upon its customer’s written request to Alleaves, Alleaves shall provide a copy of such backup of its customer’s data.