Security & Compliance Overview

Last Updated: February 2026

This document describes Tidal AIBI, LLC's security posture for the Tidal AI service, including how security responsibilities are shared with the underlying white-labeled third-party platform (the "Third-Party Platform"). This policy is intended to support customer/vendor security reviews and internal governance.

Important: This document does not replace contractual terms, service level agreements, or the Third-Party Platform's official audit reports (e.g., SOC reports).

1. Purpose

This policy is designed to provide transparency into our security practices and controls for customers, including InfoSec committees, IT departments, auditors, and other responsible third parties conducting security reviews and due diligence.

2. Service Overview

The Tidal AI service consists of:

  • Consulting Services: Expert guidance on AI implementation and strategy
  • Learning Content: Educational resources and training materials
  • Third-Party Platform Access: Access to a white-labeled AI platform for workflow automation

Tidal AIBI, LLC is an authorized reseller of the Third-Party Platform and may provide configuration, implementation services, and customer support for the solution.

3. Scope

For purposes of this document, "Customer(s)" refers to customers of Tidal AIBI, LLC that procure the Tidal AI service and/or access to the Third-Party Platform via Tidal AIBI, LLC.

This policy covers:

  • Tidal AIBI, LLC administrative, operational, and governance controls related to delivering the service
  • Security controls and assurances attributable to the Third-Party Platform that processes and stores customer data used for AI workflows
  • The shared responsibility model between Tidal AIBI, LLC, the Third-Party Platform, and customer ("User Entity") controls

4. Governance, Roles, and Responsibilities

4.1 Shared Responsibility Model

Security and compliance are achieved through a shared responsibility model:

  • Tidal AIBI, LLC: Customer onboarding, solution configuration guidance, security communications, and oversight of third-party/vendor assurances as applicable
  • Third-Party Platform: Operation of the SaaS environment, application security controls, logical access controls within the platform, encryption, logging/monitoring, vulnerability management, backup/availability controls, and incident response processes for the platform
  • User Entity (Customer): Identity governance for its users, appropriate use of the service, local endpoint security, and implementation of the complementary user entity controls described in Section 11.2

4.2 Ethics, Confidentiality, and Personnel Practices

Tidal AIBI, LLC maintains a security-minded culture and expects personnel and approved contractors to adhere to confidentiality and acceptable-use expectations. Where applicable, background screening and onboarding/offboarding practices are used to reduce insider risk.

5. Compliance and Independent Assurance

5.1 SOC 2 Type II Assurance (Third-Party Platform)

SOC 2 Type II Attestation: The Third-Party Platform maintains a SOC 2 Type II report issued by an independent third-party auditor, covering the platform's controls over a defined review period (SOC 2 is an attestation report, not a certification). Upon request and subject to NDA and distribution restrictions, customers may be provided the relevant audit report(s) through approved channels. Customers reviewing the report should confirm the report period, the trust services criteria in scope, any exceptions noted, and the complementary user entity controls it lists.

5.2 Additional Attestations and Vendor Assurances

Tidal AIBI, LLC reviews vendor assurances (including SOC reports and other security documentation) as part of vendor due diligence and ongoing risk management.

6. Data Protection and Privacy

6.1 Data Handling

Any private or sensitive data submitted for AI processing is processed and stored only within the Third-Party Platform's secured environment, in accordance with the platform's controls and contractual commitments.

6.2 Data Use Limitations (No Training on Customer Data)

Important: Customer data is not used to train large language models and is not made available for reuse beyond providing the service, subject to applicable agreements and law.

6.3 Encryption

The Third-Party Platform uses industry-standard encryption to protect data in transit and at rest. This includes TLS (1.2 or higher) for data in transit and strong encryption controls for stored data. Where applicable, encryption key management is restricted to authorized personnel and systems.

6.4 Data Retention and Deletion

Data retention and deletion are governed by contractual commitments, operational requirements, and applicable law. Upon termination or request (as contractually supported), data may be deleted or returned per agreed procedures.

7. Identity and Access Management

7.1 Logical Access Controls

The Third-Party Platform uses role-based access control (RBAC) to help ensure users can access only the information and features appropriate for their role (least privilege).

7.2 Authentication and MFA

Strong authentication controls are used for administrative access, including multi-factor authentication (MFA). Where supported, one-time passwords generated by an authenticator app or hardware token are preferred; SMS-based MFA is not recommended for privileged administrative access because SMS codes can be intercepted or redirected (for example, through SIM swapping).

7.3 Access Provisioning and Reviews

Access is granted based on documented roles and business need. Periodic reviews are performed for privileged access and role definitions, and access is removed when no longer authorized.

7.4 Customer-Controlled Integrations and External Data Access

Integrations that connect the Third-Party Platform to customer systems (for example, Microsoft 365) are enabled by end users using their own existing access rights within the customer's environment. The Third-Party Platform accesses customer data only to the extent authorized by the individual user and/or the customer's directory policies.

No customer administrator access is required on the customer side (front end or back end) to enable standard integrations; users authorize access using their own accounts and permissions. If the customer's tenant restricts end-user consent to third-party applications (for example, through Microsoft Entra ID user consent settings), an administrator will need to grant that consent instead.

Customers should apply least-privilege access by ensuring users only have access to the files, mailboxes, sites, or records appropriate for their role within systems such as Microsoft 365.

Where supported, single sign-on (SSO) can be enabled between the Third-Party Platform and the customer's identity provider/directory (for example, Microsoft Entra ID) to centralize authentication and enforce customer password/MFA policies.
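Because an integration inherits whatever each user has already been granted in the connected system, a customer reviewing this model will want to see which delegated permissions its users have actually consented to for the connector, and whether any tenant-wide (admin) consent exists that this section says standard integrations do not need. The following is an added example, not code from Tidal AIBI, LLC or the Third-Party Platform. It evaluates records shaped like Microsoft Graph's oauth2PermissionGrants resource; the application ID, the scope allowlist and the sample grant records are constructed for illustration.

```python
"""
Audit delegated OAuth2 permission grants for a connected application.

Added example; not code from the page, from Tidal AIBI, LLC, or from the
Third-Party Platform. Assumes grant records with the shape Microsoft Graph
returns from GET /v1.0/oauth2PermissionGrants (clientId, consentType,
principalId, resourceId, scope). APP_ID, ALLOWED and SAMPLE_GRANTS below
are constructed for illustration.
"""
from __future__ import annotations

import json
import urllib.request
from dataclasses import dataclass

# Delegated scopes that reach far beyond one user's own files or mailbox.
# Hypothetical list; tune it to the tenant's own risk appetite.
BROAD_SCOPES = frozenset({
    "Files.ReadWrite.All", "Sites.ReadWrite.All", "Sites.Read.All",
    "Mail.ReadWrite", "Mail.Send", "Directory.ReadWrite.All",
})


@dataclass(frozen=True)
class Finding:
    grant_id: str
    consent_type: str          # "Principal" = one user consented; "AllPrincipals" = admin consented tenant-wide
    principal_id: str | None   # consenting user's object ID; None for tenant-wide grants
    broad_scopes: tuple[str, ...]
    unexpected_scopes: tuple[str, ...]


def parse_scopes(scope_field: str | None) -> set[str]:
    """Graph returns delegated scopes as one space-separated string."""
    return set((scope_field or "").split())


def audit_grants(grants: list[dict], client_id: str, allowed_scopes: set[str]) -> list[Finding]:
    """Return one Finding per grant for client_id that is tenant-wide or exceeds the allowlist.

    A grant is reported when any scope is in BROAD_SCOPES, when it carries a
    scope outside allowed_scopes, or when consentType is AllPrincipals
    (admin consent for every user rather than one user's own permissions).
    """
    findings: list[Finding] = []
    for g in grants:
        if g.get("clientId") != client_id:
            continue
        scopes = parse_scopes(g.get("scope"))
        broad = tuple(sorted(scopes & BROAD_SCOPES))
        unexpected = tuple(sorted(scopes - allowed_scopes))
        tenant_wide = g.get("consentType") == "AllPrincipals"
        if broad or unexpected or tenant_wide:
            findings.append(Finding(
                grant_id=g["id"],
                consent_type=g.get("consentType", ""),
                principal_id=g.get("principalId"),
                broad_scopes=broad,
                unexpected_scopes=unexpected,
            ))
    return findings


def fetch_grants(access_token: str) -> list[dict]:
    """Pull every oauth2PermissionGrant in the tenant, following @odata.nextLink paging.

    Needs a Graph token able to read directory objects (e.g. Directory.Read.All).
    Not exercised by the offline sample below.
    """
    url = "https://graph.microsoft.com/v1.0/oauth2PermissionGrants"
    results: list[dict] = []
    while url:
        req = urllib.request.Request(url, headers={"Authorization": f"Bearer {access_token}"})
        with urllib.request.urlopen(req) as resp:
            page = json.load(resp)
        results.extend(page.get("value", []))
        url = page.get("@odata.nextLink")
    return results


# Constructed sample: three grants for a hypothetical connector app, one for an unrelated app.
APP_ID = "11111111-1111-1111-1111-111111111111"   # hypothetical service principal object ID
ALLOWED = {"openid", "profile", "offline_access", "User.Read", "Files.Read"}
SAMPLE_GRANTS = [
    {"id": "g1", "clientId": APP_ID, "consentType": "Principal", "principalId": "u-alice",
     "resourceId": "graph", "scope": "openid profile User.Read Files.Read"},
    {"id": "g2", "clientId": APP_ID, "consentType": "Principal", "principalId": "u-bob",
     "resourceId": "graph", "scope": "User.Read Files.ReadWrite.All Mail.Send"},
    {"id": "g3", "clientId": APP_ID, "consentType": "AllPrincipals", "principalId": None,
     "resourceId": "graph", "scope": "User.Read"},
    {"id": "g4", "clientId": "22222222-2222-2222-2222-222222222222", "consentType": "Principal",
     "principalId": "u-carol", "resourceId": "graph", "scope": "Mail.ReadWrite"},
]

if __name__ == "__main__":
    for f in audit_grants(SAMPLE_GRANTS, APP_ID, ALLOWED):
        print(f)
```

Against a live tenant, call fetch_grants with a Graph token and pass the connector's service principal object ID in place of APP_ID. Any AllPrincipals grant, or any user grant carrying a scope such as Files.ReadWrite.All, is a deviation from the user-scoped model this section describes and is worth raising with the vendor and with the consenting user's manager.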

8. Security Monitoring, Logging, and Incident Response

8.1 Monitoring and Logging

The Third-Party Platform maintains logging and monitoring capabilities to support detection, investigation, and response to security events. User actions and system events may be logged for audit and troubleshooting purposes.

8.2 Incident Response

Incident response policies and procedures are maintained to guide reporting, triage, containment, eradication, recovery, and post-incident review. Tidal AIBI, LLC coordinates customer communications and escalation with the Third-Party Platform as appropriate.

9. Vulnerability Management, Penetration Testing, and Secure Development

9.1 Vulnerability Management

The Third-Party Platform maintains a vulnerability management program intended to identify, prioritize, and remediate security issues in a timely manner.

9.2 Penetration Testing

Penetration testing is conducted using an accepted industry standard methodology, and may include external and internal perspectives, as well as application and network-layer testing.

9.3 Change Management / SDLC

Documented change management and SDLC practices are maintained to control changes to application code and infrastructure. Development and testing environments are logically separated from production, and changes are approved prior to production deployment.

10. Business Continuity, Backups, and Availability

10.1 Backups

Backup processes are maintained to support data recovery objectives. Backups are encrypted and access to backup systems is restricted to authorized personnel.

10.2 Availability and Capacity

The Third-Party Platform monitors service capacity and performance and plans for scaling to support availability commitments.

11. Subservice Organizations and Complementary Controls

11.1 Subservice Organizations

The Third-Party Platform may rely on subservice organizations (for example, cloud infrastructure providers) for certain controls such as physical security of data centers and environmental protections. Subservice organizations are expected to maintain controls that complement the Third-Party Platform's controls.

11.2 Complementary User Entity Controls (Customer Responsibilities)

Customers should implement controls that complement the service, including:

  • Understand and comply with contractual obligations related to use of the service
  • Maintain accurate administrative and technical contact information for security communications
  • Maintain their own systems of record as appropriate for their business requirements
  • Supervise, manage, and control the use of the service by their personnel (including acceptable use and role assignment)
  • Maintain their own disaster recovery and business continuity plans to address temporary inability to access the service
  • Provide timely notification of actual or suspected security incidents (including suspected compromised accounts used for integrations)
  • Implement and maintain appropriate identity governance and access controls in connected systems (e.g., Microsoft 365), since integrations inherit each user's permissions

12. Physical and Environmental Security

Because the Third-Party Platform operates as a cloud-hosted SaaS service, physical and environmental security of underlying data center facilities is primarily the responsibility of the applicable cloud hosting provider(s). The Third-Party Platform's assurance program (including SOC 2 Type II) addresses how these dependencies are managed within the overall control environment.

13. Policy Management

This policy is reviewed at least annually and updated as business, technical, or regulatory conditions change. Material changes may be communicated to customers through appropriate channels.

14. Contact

For security questions, audits, or due diligence requests, contact Tidal AIBI, LLC through your authorized account representative.

Security Contact Information

If you have any security questions, concerns, or require audit documentation:

Email: security@tidalai.com

Address: Tidal AIBI, LLC, Orlando, FL