Next Chapter Software Inc.

Canada

Customer data is retained for as long as the account is in active status. Data enters an “expired” state when the account is voluntarily closed. Expired account data will be retained for 30 days. After this period, the account and related data will be removed. Customers that wish to voluntarily close their account should request a copy of their data through support channels prior to closing their account. If a customer account is involuntarily suspended, then there is a 30 day grace period during which the account will be inaccessible but can be reopened if the customer meets their payment obligations and resolves any terms of service violations. If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 60 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 30 days thereafter (except when required by law to retain).

Stored Sensitive data that is no longer required will be properly deleted in accordance with Next Chapter Software Inc’s business objectives, applicable laws and regulations, and relevant third-party agreements. A record of such deletion will be kept. The following methods will be used to delete data: - Encryption Keys disposed - AWS Secure Delete (RDS and S3)

- Data must be handled and protected according to its classification requirements and following approved encryption standards, if applicable. - Whenever possible, store data of the same classification in a given data repository and avoid mixing sensitive and non-sensitive data in the same repository. Security controls, including authentication, authorization, data encryption, and auditing, should be applied according to the highest classification of data in a given repository. - Employees shall not have direct administrative access to production data during normal business operations. Exceptions include emergency operations such as forensic analysis and manual disaster recovery. - All Production Systems must disable services that are not required to achieve the business purpose or function of the system. - All access to Production Systems must be logged. - All Production Systems must have security monitoring enabled, including activity and file integrity monitoring, vulnerability scanning, and/or malware detection, as applicable. 1. Stored data must be properly stored and handled while at rest. Considerations for storage and disposal of data at rest in conjunction with Next Chapter Software Inc *Asset Management Policy*, *Data Classification Policy* and *Data Retention Policy* include: ◦ Authorization to access or manage stored data ◦ Proper identification of records and their retention period ◦ Technology change and ability to access data throughout retention period ◦ Acceptable timeframe and format to retrieve data ◦ Appropriate methods of disposal

United States

Our entire infrastructure is cloud-hosted on AWS.

AWS

no

yes

OpenAI

Not Applicable (we do not store any data with LLM)

Not Applicable (we do not store any data with LLM)

Not Applicable (we do not store any data with LLM)

If a customer wishes to manually backup their data in a suspended account, then they must ensure that their account is brought back to good standing so that the user interface will be available for their use. After 60 days, the suspended account will be closed and the data will enter the “expired” state. It will be permanently removed 30 days thereafter (except when required by law to retain).

no

2023-04-07

yes

no

yes

security@getunblocked.com

no

no

yes

- Source Control (github/gitlab/bitbucket) - Notion - StackOverflow - Linear - Confluence - Jira

no