Data Protection and Security Policy

1. Overview and Scope

This section establishes the foundational security standards and defines the scope of application for our data protection measures across all platform components.

This Data Protection and Security Policy establishes comprehensive security standards for our Blazor application and associated infrastructure. This policy applies to all data processing activities, user information, and system operations within our platform.

1.1 Application Architecture

Defines the core technical components and integrations that form the foundation of our platform's security architecture.

• Platform: ASP.NET Core Blazor Application
• Authentication: ASP.NET Core Identity with Google and Facebook OAuth
• Database: Microsoft SQL Server
• Cloud Infrastructure: Google Cloud Platform
• Payment Processing: Stripe
• Email Services: Klaviyo
• Third-Party Integrations: Meta (Facebook/Instagram), Google OAuth, YouTube, WhatsApp Business, Telegram, Mercado Libre

2. Data Classification and Handling

Establishes clear categories for different types of data processed by our system and defines the legal basis for processing each category.

2.1 Data Categories

Categorizes all data types processed by our platform into distinct groups with specific handling requirements.

Personal Data:

• User authentication information (email, name, password hashes stored in the database)
• OAuth tokens and refresh tokens
• Stripe customer IDs
• Team membership and role assignments
• Profile pictures from social media platforms

Social Media Data:

• Meta account IDs and access tokens
• Facebook/Instagram posts and comments
• WhatsApp Business messages
• YouTube comments and interactions
• Telegram bot messages
• Mercado Libre product inquiries and responses
• Generated automated replies

AI Knowledge Data:

• Web crawl data from public pages (processed but not stored)
• User-uploaded documents (processed but not stored)
• AI training data derived from knowledge sources

System Data:

• Audit logs and security monitoring data
• Application performance metrics
• Error logs and debugging information

2.2 Data Processing Lawful Basis

Identifies the legal justification for processing each category of data in compliance with privacy regulations.

• Consent: For social media integrations and automated response generation
• Contract: For service provision and billing through Stripe
• Legitimate Interest: For security monitoring and fraud prevention

3. Data Encryption and Security

Comprehensive encryption protocols and security measures implemented to protect data both in transit and at rest.

3.1 Encryption in Transit

Security measures protecting data during transmission between systems and users.

• TLS 1.3: All data transmission protected by SSL/TLS certificates
• Certificate Management: Active certificates for icloneu.ai, www.icloneu.ai, hermes-ai.ai and www.hermes-ai.ai
• API Security: All API endpoints require secure HTTPS connections
• OAuth Security: Secure token exchange with Google and Facebook

3.2 Encryption at Rest

Protection measures for data stored in databases, configuration files, and backup systems.

• Database Encryption: SQL Server Transparent Data Encryption (TDE) enabled
• Configuration Security: Sensitive configuration data encrypted using ASP.NET Core Data Protection
• Token Storage: OAuth access tokens encrypted before database storage
• Backup Encryption: All database backups encrypted using AES-256

3.3 Key Management

Secure management and rotation policies for encryption keys used throughout the system.

• Google Cloud KMS: Encryption keys managed through Google Cloud Key Management Service
• Rotation Policy: Encryption keys rotated every 90 days
• Access Control: Key access limited to authorized system administrators

4. Access Control and Authentication

Comprehensive authentication and access control mechanisms to ensure only authorized users can access system resources.

4.1 User Authentication

Password requirements and account security measures implemented for user authentication.

4.2 Multi-Factor Authentication

Additional security layers beyond traditional password authentication to enhance account security.

• Email Verification: Required for new accounts using ASP.NET Core authentication (not required for Google or Facebook login)
• OAuth Integration: Google and Facebook authentication as additional security layer
• Two-Factor Authentication: OTP-based 2FA has been implemented for enhanced security

4.3 Session Management

Security controls for user sessions including cookie configuration and token management.

Cookie Security:

• SameSite=None for cross-origin requests
• Secure=Always for HTTPS-only transmission
• Session timeout after 24 hours of inactivity

Token Management: OAuth refresh tokens automatically renewed

5. Cloud Infrastructure Security

Security measures and configurations implemented across our Google Cloud Platform infrastructure.

5.1 Google Cloud Platform Security

Network, compute, and monitoring security configurations within our GCP environment.

Network Security:

• VPC Configuration: Private network with controlled ingress/egress
• Firewall Rules: Restrictive firewall configuration with specific service allowances
• VPN Access: WireGuard VPN for administrative access

Compute Security:

• Instance Security: Regular security patches and updates
• Access Control: IAM roles with principle of least privilege
• Monitoring: Cloud Security Command Center enabled

5.2 Firewall Configuration

Detailed firewall rules and network access controls protecting our infrastructure.

5.3 Database Security

Security measures protecting database access, connections, and backup systems.

• Network Isolation: Database accessible only from application servers
• VPN Access Control: Through WireGuard VPN, we control exactly who has access to the database servers
• Connection Security: Encrypted connections using TLS 1.2+
• Authentication: Strong database credentials with regular rotation
• Backup Security: Automated encrypted backups with 30-day retention

6. Monitoring and Intrusion Detection

Comprehensive monitoring systems and incident response procedures to detect and respond to security threats.

6.1 Security Monitoring

Continuous monitoring systems tracking security events and potential threats across all platform components.

• Application Logs: Comprehensive logging of authentication events, API access, and errors
• Audit Trail: Critical actions logged with user identification and timestamps
• Intrusion Detection: Automated monitoring for suspicious activity patterns
• Alert System: Real-time notifications for security events

6.2 Monitoring Metrics

Key security metrics and indicators tracked to identify potential security incidents.

• Failed Authentication Attempts: Track and alert on repeated failures
• Unusual API Usage: Monitor for abnormal request patterns
• Data Access Patterns: Track unusual data access or export activities
• System Performance: Monitor for potential DDoS or system compromise

6.3 Incident Response

Structured procedures for detecting, responding to, and recovering from security incidents.

• Detection: Automated alerting for security incidents
• Response Time: Initial response within 1 hour of detection
• Investigation: Detailed forensic analysis of security events
• Recovery: Documented procedures for system restoration

7. Data Retention and Deletion

Policies governing how long different types of data are retained and procedures for secure data deletion.

7.1 Retention Periods

Specific timeframes for retaining different categories of data based on legal and business requirements.

• User Account Data: Retained while account is active
• Social Media Content: Posts and messages retained for 1 year
• System Logs: Security logs retained for 3 years
• Audit Records: Critical audit logs retained for 7 years
• AI Knowledge Sources: Not retained - processed and used for AI training but not stored

7.2 Data Deletion Process

Step-by-step procedures for securely deleting user data upon request or after retention periods expire.

1. User Request: Account deletion can be initiated by user
2. Multiple Warnings: Users receive multiple confirmation warnings before deletion proceeds
3. Immediate Deletion: Once confirmed, user data is deleted immediately and cannot be recovered
4. Klaviyo Cleanup: Email address is immediately removed from Klaviyo mailing lists
5. Application Marking: Stripe customer ID is temporarily retained and marked as deleted in the application
6. Stripe Data Purging: Stripe customer data is purged after a delay once all invoices are finalized and billing is settled
7. Verification: Deletion completion verified and documented

7.3 Right to Be Forgotten

Implementation of user rights to have their personal data completely removed from our systems.

• Immediate Actions: User profile and authentication data deleted immediately after confirmation
• Integration Cleanup: All social media account connections and tokens removed immediately
• Content Removal: All posts, messages, and generated replies deleted immediately
• Email Service Cleanup: Email address immediately removed from Klaviyo
• Billing Data: Stripe customer ID marked as deleted and purged after billing settlement
• No Recovery: Deleted accounts cannot be recovered under any circumstances

8. Third-Party Data Handling

Policies and procedures for managing data shared with or received from third-party service providers.

8.1 Stripe Integration

Data handling procedures for payment processing through Stripe, ensuring PCI compliance and data security.

• Data Shared: Email address only for customer identification
• Payment Security: All payment data handled exclusively by Stripe
• PCI Compliance: No payment card data stored in our systems
• Customer Records: Stripe customer IDs temporarily retained when marked as deleted, then purged after billing settlement
• Billing Information: Users can fill out billing information through our interface, which is stored in Stripe. We request information from Stripe to display to users and send updates back to Stripe, but do not store this information ourselves
• Klaviyo Integration: We share data with Klaviyo for email services, including email verification and promotional communications. Email addresses are immediately removed from Klaviyo upon account deletion

8.2 Social Media Platform Integrations

Security measures for handling data from various social media platform integrations.

Meta Platform Integration (Facebook/Instagram):

• Authentication Data: Name, email, and profile picture from Facebook login
• Account Management: Meta account IDs and access tokens (encrypted)
• Content Data: Posts, comments, messages, and generated replies
• Token Security: Access tokens encrypted and regularly validated

WhatsApp Business Integration:

• Business Account Data: WhatsApp Business account IDs and access tokens (encrypted)
• Message Data: Business messages and automated replies
• Contact Information: Business contact details for message routing

YouTube Integration:

• Channel Data: YouTube channel IDs and access tokens (encrypted)
• Comment Data: Video comments and automated replies
• Video Metadata: Basic video information for comment management

Telegram Bot Integration:

• Bot Data: Telegram bot tokens and configuration (encrypted)
• Message Data: Bot messages and automated responses
• User Interactions: Bot user interactions and command responses

Mercado Libre Integration:

• Account Data: Mercado Libre account IDs and access tokens (encrypted)
• Product Data: Product inquiries and customer communications
• Transaction Support: Customer support messages and responses

8.3 Google Integration

Data handling procedures for Google OAuth authentication and related services.

• OAuth Data: Email and profile information for authentication
• No Additional Data: No other Google services data collected
• Token Management: Refresh tokens securely stored and managed

8.4 AI Knowledge Sources

Data handling procedures for AI training materials and knowledge sources.

• Document Uploads: Users can upload documents for AI training - processed but not stored
• Web Crawling: System performs web crawling of public pages only
• Data Processing: All information is used for AI training and lookup
• No Storage: We do not save copies of uploaded documents or crawled information
• Public Access Only: Web crawling is limited to publicly accessible pages

9. GDPR and CCPA Compliance

Comprehensive compliance measures for major privacy regulations including GDPR and CCPA requirements.

9.1 GDPR Compliance

Specific measures implemented to ensure full compliance with European General Data Protection Regulation.

• Legal Basis: Clear lawful basis for all data processing
• Data Minimization: Only necessary data collected and processed
• Rights Implementation: Full support for all GDPR rights
• Data Protection Officer: Designated contact for privacy matters
• Impact Assessments: Regular privacy impact assessments conducted

9.2 CCPA Compliance

Implementation of California Consumer Privacy Act requirements for California residents.

• Consumer Rights: Right to know, delete, and opt-out supported
• Data Categories: Clear disclosure of personal information categories
• No Sale of Data: We do not sell personal information to third parties
• Service Providers: All third parties governed by strict data agreements

9.3 Data Subject Rights

Implementation of individual rights allowing users to control their personal data.

• Access Rights: Users can download their data in structured format
• Rectification: Users can correct inaccurate personal information
• Deletion Rights: Complete data deletion within 30 days of request
• Portability: Data export in JSON format for transfer to other services (excludes knowledge sources as they are not stored)
• Objection Rights: Users can object to processing for legitimate interests
• Knowledge Sources Limitation: Downloaded data does not include knowledge sources uploaded by users, as we do not retain these documents

10. Cross-Origin Resource Sharing (CORS)

Security policies governing cross-origin requests and API access from external domains.

10.1 Custom CORS Policy

Dynamic CORS configuration allowing users to control API access from external domains.

• Origin Validation: Users define valid origins for API endpoint access
• Dynamic Configuration: CORS origins configurable per user account
• Security Headers: Comprehensive security headers implemented
• Request Validation: All cross-origin requests validated against user settings

11. Incident Response and Business Continuity

Comprehensive procedures for responding to security incidents and maintaining business operations during disruptions.

11.1 Data Breach Response

Structured response procedures for data breaches including detection, notification, and containment measures.

• Detection Time: Maximum 24 hours for breach detection
• Notification: Regulators notified within 72 hours if required
• User Communication: Affected users notified within 48 hours
• Containment: Immediate steps to prevent further data exposure

11.2 Business Continuity

Measures ensuring business operations can continue during system failures or disasters.

• Backup Systems: Automated daily backups with geographic redundancy
• Recovery Time: Maximum 4-hour recovery time objective
• Disaster Recovery: Comprehensive disaster recovery plan tested quarterly
• Data Integrity: Regular integrity checks and restoration testing

12. Policy Governance and Review

Framework for managing, reviewing, and updating security policies to maintain effectiveness and compliance.

12.1 Policy Management

Governance structure for policy maintenance, approval processes, and staff training requirements.

• Review Schedule: Annual policy review and updates
• Approval Process: Security team approval required for policy changes
• Training: Regular security training for all personnel
• Compliance Monitoring: Continuous monitoring of policy adherence

12.2 Documentation and Reporting

Regular reporting and documentation requirements for security metrics and compliance status.

• Security Metrics: Monthly security dashboard reporting
• Compliance Reports: Quarterly compliance status reports
• Audit Trail: Complete audit trail of all policy-related activities
• Version Control: All policy versions tracked and archived

13. Contact Information

Key contact information for data protection, security, and emergency response personnel.

Account Support: account@icloneu.ai
Security Issues and Privacy Concerns: wecare@icloneu.ai
Technical Support: support@icloneu.ai

Address: Paseo de los Laureles 404 - 201. Mexico City, 05120, Mexico

Data Protection Officer (DPO) for IcloneU:

• Name: Javier Bertran
• Company: Hermes AI
• Email: wecare@icloneu.ai