

© 2025 Aimproved Limited all rights reserved.

Security Compliance
Last Updated: April 10, 2025
At aimproved.com ("Company"), we are committed to safeguarding the personal and sensitive data entrusted to us. Our Data Security Policy outlines the measures we take to protect data, ensuring its confidentiality, integrity, and availability. This policy applies to all employees, contractors, suppliers, and partners involved in processing or accessing data on behalf of the Company.
1. Data Protection Principles
We are dedicated to the following principles to protect all data:
- Confidentiality: Ensuring that data is only accessible to authorized individuals.
- Integrity: Ensuring that data is accurate, complete, and trustworthy.
- Availability: Ensuring that data is accessible when required by authorized users.
- Accountability: Ensuring that there are clear responsibilities for data protection.
2. Data Classification
Data must be classified based on its sensitivity and importance to the Company. The classification determines how the data will be handled, protected, and disposed of. All data should be classified as:
- Public: Information intended for public disclosure.
- Internal: Information that is not confidential but is intended for internal use only.
- Confidential: Sensitive information that must be protected due to legal, contractual, or privacy obligations.
- Highly Confidential: Information requiring the highest level of protection due to its critical nature.
3. Data Access Control
We implement strict controls on who can access data. Access is granted based on:
- Need-to-know basis: Only authorized individuals are allowed access to specific data necessary for their job roles.
- Role-based access control (RBAC): Access levels are assigned based on job roles and responsibilities.
- Authentication and authorization: Secure login methods (e.g., passwords, multi-factor authentication) are required to access data.
4. Data Encryption
We ensure that sensitive data is protected using encryption during transmission and at rest. This includes:
- Encryption in Transit: Data transmitted over networks is encrypted to prevent unauthorized access during transmission.
- Encryption at Rest: Sensitive data stored on systems or devices is encrypted to ensure its protection in case of unauthorized access.
5. Data Minimization
We follow the principle of data minimization, which means collecting only the minimum amount of personal or sensitive data necessary for legitimate business purposes. We avoid excessive or unnecessary data collection.
6. Data Retention and Disposal
Data will be retained only for as long as necessary to fulfill its purpose. When data is no longer needed, we ensure that it is securely disposed of or anonymized, including:
- Secure Deletion: All data must be deleted using secure methods to ensure that it cannot be reconstructed or retrieved.
- Data Anonymization: When appropriate, data may be anonymized to ensure privacy while still enabling useful analysis.
7. Security Incident Response
We have a comprehensive security incident response plan in place to detect, respond to, and recover from data breaches or security incidents. The plan includes:
- Incident Detection: Continuous monitoring for potential security breaches.
- Incident Notification: Prompt notification to affected individuals and regulatory bodies in accordance with legal requirements.
- Incident Resolution: Swift corrective actions to contain and resolve the breach.
8. Third-Party Data Security
We require that third-party vendors, contractors, and partners who handle or access our data comply with our data security standards. This includes:
- Due Diligence: Vetting third parties for their ability to meet our data protection requirements.
- Contractual Obligations: Ensuring third parties have appropriate data protection clauses in their contracts.
- Audits and Assessments: Regular monitoring and auditing of third-party practices to ensure compliance with our data security standards.
9. Employee Training and Awareness
We ensure that all employees receive regular training on data security best practices, including:
- Security Awareness: Educating employees on potential data security threats such as phishing, malware, and social engineering.
- Data Handling Procedures: Training employees on how to handle, store, and dispose of data securely.
10. Compliance with Legal and Regulatory Requirements
We adhere to all applicable data protection laws and regulations, including:
- General Data Protection Regulation (GDPR) for individuals in the EU.
- California Consumer Privacy Act (CCPA) for individuals in California.
- Any other relevant local, regional, or international data protection laws.
11. Monitoring and Auditing
We regularly monitor and audit our data security practices to identify and address potential vulnerabilities. This includes:
- Vulnerability Scanning: Routine scans to detect security weaknesses.
- Audit Trails: Maintaining logs of data access and usage for accountability and transparency.
12. Data Security Violations
We take violations of our data security policies seriously and will take appropriate actions, including:
- Disciplinary Measures: Employees found violating data security policies may face disciplinary actions.
- Corrective Actions: Any identified security gaps will be addressed promptly to mitigate risks and prevent future incidents.
13. Contact Information
For questions, concerns, or reports related to data security, please contact the Company’s Data Security Department at security@aimproved.com.

