VISALAW AI | Security Addendum
VISALAW AI
Security Addendum
Enterprise Security Controls and Commitments
Last Updated: 03.17.2026
Visalaw Ventures, INC
This Security Addendum is part of Your Terms with Visalaw Ventures, INC (“Visalaw”). Any
capitalized terms used but not defined in this Security Addendum have the meanings given in the
Terms, Agreement, or DPA, as applicable.
1. Audits and Certifications
1.1. The information security management system used to provide the Service will be assessed by
independent third-party auditors against the following standards, and Visalaw will make Third-
Party Audit reports available to You upon written request:
- SOC 2 Type II
- ISO 27001 [Target date: Q4 2026]
1.2. Third-Party Audit reports are made available to You as described in Section 10.
1.3. To the extent that Visalaw decides to discontinue a Third-Party Audit, Visalaw will adopt an equivalent, industry-recognized alternative.
2. Hosting Location of Customer Data and Content
2.1. Customer Data and Content will be stored and processed by Visalaw and its vendors in data
centers located in the United States. By default, Customer Data is hosted on AWS US East 1 and
MongoDB US East 1 regions. Data is replicated across multiple regions within the United States for
redundancy and disaster recovery purposes. All replicated regions are within the United States
unless otherwise agreed in writing.
2.2. You may request to have Your Customer Data and Content stored in a specific geographic
region. Visalaw will use commercially reasonable efforts to accommodate such requests, subject to
operational feasibility and any applicable additional fees.
3. Encryption
3.1. Visalaw encrypts Customer Data and Content at rest using AES 256-bit (or better) encryption
provided by our cloud service providers (AWS, MongoDB). Visalaw uses Transport Layer Security
(TLS) 1.2 or higher for data in transit. Sensitive data is protected by encryption at rest at the
database level.
3.2. Encryption keys are managed by our cloud service providers and protected from unauthorized
access. We do not currently use customer-managed or tenant-specific encryption keys. We rotate
encryption keys in accordance with our cloud providers’ key management practices.
4. System and Network Security
4.1. Visalaw personnel access our Cloud Environment with a unique user ID, consistent with the
principle of least privilege. All access requires multi-factor authentication.
4.2. Visalaw personnel will not access Customer Data or Content except (i) to provide or support
the Service or (ii) to comply with the law or a binding order of a governmental body.
4.3. Personnel accessing our Cloud Environment will use devices with security controls that include
encryption, endpoint protection, and centralized management.
4.4. Our Cloud Environment leverages industry-standard threat detection tools with regular
signature updates, used to monitor and alert on suspicious network activity.
4.5. Visalaw engages an independent third party to conduct penetration tests of the Service at least
annually. Summary results will be provided to You upon written request.
4.6. Visalaw uses automated tools to scan for vulnerabilities. We score vulnerabilities and address
them within defined timelines: critical vulnerabilities within 30 days, high vulnerabilities within 60
days, and medium and low vulnerabilities within 90 days. These timelines align with Visalaw’s internal
Vulnerability Management Policy.
4.7. Visalaw will engage a third party to conduct web application-level security assessments on the
Service at least annually.
5. Administrative Controls
5.1. Visalaw maintains security awareness and training programs for its personnel at onboarding
and at least annually thereafter, covering topics such as phishing, social engineering, password
hygiene, and data handling.
5.2. Visalaw trains all software developers on secure development practices appropriate to their
role at least annually, including OWASP Top 10 awareness and secure coding techniques consistent
with Visalaw’s SDLC Policy.
5.3. Visalaw personnel are required to sign confidentiality agreements and acknowledge
responsibility for reporting security incidents.
5.4. Visalaw revokes all system and physical access for separated personnel within 1 business day
of the effective termination date, consistent with Visalaw’s System Access Control Policy.
5.5. Visalaw reviews external threat intelligence and prioritizes remediation of critical and high
vulnerabilities in accordance with the timelines in Section 4.6.
5.6. Visalaw will conduct background screening checks for all personnel with access to Customer
Data and Content, to the extent permitted by applicable law.
6. AI Model Security
6.1. Customer Data and Content processed through AI models are transmitted via encrypted API
connections to Visalaw’s contracted model providers (Subprocessors). Customer Data and Content
are not persistently stored by model providers beyond the duration necessary to process the API
request.
6.2. Model providers are contractually prohibited from (i) training on Customer Data or Content,
(ii) retaining Customer Data or Content beyond the duration of a single API call, and (iii) making
Customer Data or Content available to any third party.
6.3. Visalaw operates a shared-infrastructure model with logical data separation enforced at the
application and database layers. Customer queries and model responses (Content) are logically
isolated per customer. Every record is scoped by a unique organisation identifier (organisationId),
enforced at the API layer via access tokens. Embeddings are stored in a shared vector index with
tenant isolation enforced via metadata filters (organisationId, draftId) and application-enforced
organisation scope on every query. No customer’s data is used to influence another customer’s
results, recommendations, or model behavior.
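As an added illustration of the isolation model described in 6.3 (example code, not Visalaw's own; the in-memory store, the token claim layout and the record fields other than organisationId and draftId are assumptions), a tenant-scoped similarity search that takes organisationId only from the verified access token and applies it as a metadata filter before any ranking:

```python
import math
from dataclasses import dataclass

# Constructed sample index: one shared vector store holding records from two tenants.
# Field names organisationId and draftId follow the addendum; everything else here is
# a hypothetical illustration of application-enforced organisation scope.
@dataclass(frozen=True)
class Record:
    text: str
    vector: tuple
    organisationId: str
    draftId: str

SHARED_INDEX = [
    Record("Acme H-1B petition draft", (1.0, 0.0, 0.0), "org-acme", "draft-1"),
    Record("Acme RFE response notes", (0.9, 0.1, 0.0), "org-acme", "draft-2"),
    Record("Globex L-1A petition draft", (1.0, 0.05, 0.0), "org-globex", "draft-7"),
]

def _cosine(a, b):
    dot = sum(x * y for x, y in zip(a, b))
    return dot / (math.sqrt(sum(x * x for x in a)) * math.sqrt(sum(y * y for y in b)))

def tenant_scope_from_token(token: dict) -> str:
    """Derive the organisation scope from an already-verified access-token claim set.
    A token without an organisationId claim is refused, so no query can run unscoped."""
    org = token.get("organisationId")
    if not org:
        raise PermissionError("access token carries no organisationId claim")
    return org

def scoped_search(token: dict, query_vec, top_k=5, draft_id=None):
    """Similarity search over the shared index with a mandatory tenant filter.
    The organisationId filter comes only from the token, never from caller input,
    and is applied before ranking so other tenants' vectors are never even scored."""
    org = tenant_scope_from_token(token)
    candidates = [r for r in SHARED_INDEX
                  if r.organisationId == org and (draft_id is None or r.draftId == draft_id)]
    ranked = sorted(candidates, key=lambda r: _cosine(r.vector, query_vec), reverse=True)
    return [r.text for r in ranked[:top_k]]

def unscoped_query_is_rejected(token: dict) -> bool:
    """Check used by tests and monitoring: True when a query with this token is refused."""
    try:
        scoped_search(token, (1.0, 0.0, 0.0))
        return False
    except PermissionError:
        return True
```

On the sample data the Globex vector is closer to the Acme query than Acme's own second record, so without the metadata filter it would be returned to the wrong tenant; the filter-before-rank order is what prevents that.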
6.4. Visalaw maintains documentation of data flows showing how Customer Data and Content are
routed through its architecture, including which Subprocessors receive data at each stage.
6.5. Customer Data will not be used in development or testing environments. Where production
data patterns are needed for testing, Visalaw uses tokenized, anonymized, or de-identified data
consistent with its SDLC Policy. Any such data will be limited to de-identified operational metadata
consistent with the Data Processing Addendum.
7. Vendors and Subprocessors
7.1. Visalaw ensures that any of its vendors that process Customer Data or Content maintain
security measures consistent with this Security Addendum. All subprocessor agreements include
data residency restrictions and the security requirements derived from Visalaw’s Vendor
Management Policy, including geographic limits on where data can be stored or transmitted.
7.2. Visalaw maintains a list of subprocessors, available in the Trust Portal and by request.
8. Physical Data Center Controls
8.1. Our Cloud Environment is maintained by one or more cloud service providers. We ensure that
our cloud service providers maintain physical security controls including:
- Physical access controlled at building ingress points
- Visitor identification and sign-in requirements
- Server access managed by access control devices
- Regular review of physical access privileges
- Monitoring and alarm response procedures
- CCTV surveillance
- Fire detection and protection systems
- Back-up and redundancy systems
- Appropriate climate control systems
9. Incident Detection and Response
9.1. If Visalaw becomes aware of a breach of security leading to the destruction, loss, alteration,
unauthorized disclosure of, or access to Customer Data or Content (“Security Incident”), Visalaw
will notify You without undue delay, and in any event within 24 hours after initial detection.
9.2. In the event of a Security Incident, Visalaw will promptly take reasonable steps to contain,
investigate, and mitigate the impact of the Security Incident.
9.3. Visalaw will provide You with timely information about the Security Incident, including the
nature and consequences of the breach, the categories of data affected, the corrective measures
taken or proposed, and any other information required by applicable Data Protection Law.
10. Customer Audit Rights
10.1. Upon request, and at no additional cost to You, Visalaw will provide You and/or Your
appropriately qualified third-party auditor with the results of recent SOC 2 Type II reports or
equivalent audit reports, penetration test summary reports, and responses to reasonable security
questionnaires.
10.2. Once a year, You may submit reasonable security questionnaires (not to exceed 100 questions
total) and requests for documentation. Visalaw will respond within 30 business days.
10.3. In the event of a Security Incident involving Customer Data or Content, Visalaw commits to
engage an independent forensic assessor to investigate the incident at Visalaw’s expense and share
the findings with affected customers under appropriate confidentiality protections.
11. Customer Responsibilities
11.1. It is Your responsibility to ensure that You are authorized to use any Input or Customer Data
with the Service and that their use complies with applicable laws and regulations.
11.2. You are responsible for managing and securing Your methods to access the Service
(passwords, SSO connections, etc.).
11.3. You are responsible for keeping Your relevant IT systems up-to-date and appropriately
patched.
12. Business Continuity and Disaster Recovery
12.1. Visalaw maintains business continuity plans that detail how operations will be maintained
during an unplanned disruption. These plans are tested at least annually and updated as needed
based on test results.