Security Exhibit (fileAI Hosted)

This Security Exhibit (“Security Exhibit”) forms part of the fileAI Subscription Agreement (“Agreement”) between the fileAI company identified in the applicable Order Form (“fileAI”) and the Customer identified in the applicable Order Form (“Customer”). Capitalized terms not defined herein have the meanings set forth in the Agreement.

This Security Exhibit describes fileAI’s information security program and defines the shared responsibility model applicable to the Services.

1. Purpose and Scope

This Security Exhibit:
(a) describes fileAI’s administrative, technical, and physical security measures;
(b) defines the Demarcation Point between fileAI and Customer responsibilities; and
(c) applies to the deployment model specified in an Order Form.

2. Deployment Model

As specified in the Order Form, the Services are to be deployed as follows:
fileAI-Hosted. Services are hosted in infrastructure controlled by fileAI or its cloud providers.

3. Demarcation Point

3.1 Definition. The “Demarcation Point” is the logical and technical boundary at which fileAI’s responsibility for security, availability, and performance ends and Customer’s responsibility begins. Unless otherwise specified in an Order Form, the Demarcation Point is the fileAI API gateway or service endpoint.

3.2 Allocation of Responsibility.
fileAI is responsible only for security controls up to and including the Demarcation Point. Customer is solely responsible for:
- the security, availability, and configuration of the Customer Environment;
- identity and access management within the Customer Environment;
- firewall rules, network segmentation, and endpoint security;
- third-party software, APIs, and integrations not controlled by fileAI;
- and compliance of Customer systems with applicable laws and internal policies.

fileAI shall not be responsible for any security incident, data loss, or service failure originating outside the Demarcation Point.

4. fileAI Security Program

fileAI maintains a formal, risk-based information security program aligned with industry standards, including SOC 2 Type II and ISO 27001 principles.

4.1 Administrative Safeguards
- Written information security policies reviewed annually
- Employee security awareness training
- Background checks for employees with privileged access
- Incident response and escalation procedures
- Vendor risk management program

4.2 Technical Safeguards
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest using industry-standard algorithms
- Role-based access controls (RBAC)
- Multi-factor authentication for privileged accounts
- Secure software development lifecycle (SSDLC)
- Continuous monitoring and logging

4.3 Physical Safeguards
- Data centers with controlled access and surveillance
- Redundant power and environmental controls
- Cloud provider physical security certifications

5. Access Control and Credentials

5.1 Least Privilege. fileAI grants access to systems and data only on a need-to-know basis.

5.2 Customer Credentials. Where Customer provides credentials, API keys, or tokens to fileAI, Customer remains responsible for:
- the scope of access granted;
- rotation and revocation of credentials;
- ensuring credentials do not exceed necessary permissions.

fileAI is not responsible for misuse or compromise of Customer-provided credentials unless caused by fileAI’s breach of this Security Exhibit.

6. Incident Management

6.1 Security Incidents. fileAI maintains an incident response plan and will investigate any confirmed security incident affecting Customer Data within the fileAI-controlled environment.

6.2 Notification. fileAI will notify Customer without undue delay, and in any event within forty-eight (48) hours, after confirming a security incident involving Customer Data, to the extent required by applicable law or the DPA.

6.3 Cooperation. fileAI will provide reasonable cooperation to support Customer’s legal or regulatory obligations, at Customer’s expense for time and materials beyond standard support.

7. Audits and Assessments (Enterprise Controlled)

7.1 Third-Party Reports. Upon written request, fileAI will make available its most recent SOC 2 Type II, ISO 27001, or equivalent independent audit report, subject to confidentiality obligations.

7.2 No Physical Audits. Customer shall not conduct on-site audits of fileAI facilities or systems unless expressly agreed in writing in an Order Form.

7.3 Questionnaires. fileAI may, at its discretion, respond to reasonable security questionnaires in lieu of audits.

8. Data Residency and Segregation

Customer Data is logically segregated from other customers’ data in multi-tenant environments.

9. Business Continuity and Disaster Recovery

fileAI maintains business continuity and disaster recovery plans designed to restore availability within commercially reasonable timeframes for fileAI-controlled infrastructure.

Business continuity obligations do not apply to failures originating in the Customer Environment.

10. Changes to Security Program

fileAI may update its security controls from time to time, provided such updates do not materially reduce the overall level of protection.

11. Liability Alignment

This Security Exhibit does not expand fileAI’s liability beyond the limits set forth in the Agreement unless expressly stated in an Order Form.

Security controls are provided on a best-practice basis and do not constitute a guarantee against all security incidents.

12. Order of Precedence

In the event of a conflict between this Security Exhibit and the Agreement, this Security Exhibit shall govern with respect to security, audit, and responsibility allocation matters.

IN WITNESS WHEREOF, this Security Exhibit is incorporated into the Agreement as of the Effective Date.