Opptify AB — Security Policy
Canonical URL: https://opptify.com/legal/security
Version: 1.0 • Effective Date: 20 October 2025
This Security Policy summarizes the technical and organizational measures Opptify AB applies to safeguard Customer Data and personal data across our SaaS platform, supporting infrastructure, and corporate operations.
1. Purpose & Scope
This Security Policy describes the technical and organizational measures (“TOMs”) Opptify AB (“Opptify”) applies to protect the confidentiality, integrity, and availability of the Opptify SaaS platform, supporting infrastructure, and corporate systems that process Personal Data or Customer Data.
2. Governance & Principles
- Risk-based approach aligned with industry best practices and GDPR.
- Security by design & default across the product lifecycle.
- Least privilege & need-to-know access.
- Defense in depth across identity, application, data, and network.
3. Data Residency & Architecture
- EU/EEA data residency: Primary production databases are hosted in the EU/EEA.
- Multi-tenant isolation: Logical separation per tenant; strict authorization; prod/non-prod segregation.
- Encryption: TLS 1.2+ in transit; encryption at rest (e.g., AES-256 class). Keys managed via cloud KMS with access controls and auditing.
4. Identity & Access Management
- Strong authentication; MFA required for privileged/admin access.
- RBAC with least-privilege for personnel and service accounts.
- Joiner-Mover-Leaver process; periodic access reviews.
- Secrets management via secure vaulting; no plaintext secrets in code/CI logs.
5. Secure Development Lifecycle (SSDLC)
- Code review and change management for all production changes.
- Automated dependency/vulnerability scanning, secret detection, and build integrity checks in CI/CD.
- Separate staging; controlled releases with monitoring and rollback.
- Third-party components tracked and updated per disclosures.
6. Vulnerability Management
- Continuous vulnerability scanning of applications and infrastructure.
- Remediation targets: Critical – as promptly as practicable; High – expedited; Medium/Low – within reasonable timelines based on risk/exploitability.
- Automated daily checks for configuration drift, dependencies, and endpoint health.
7. Penetration Testing
- Independent third-party penetration testing of the platform.
- A current penetration test certificate (or executive summary) is available on request under NDA.
- High/Critical findings are remediated in line with good industry practice.
8. Logging, Monitoring & Detection
- Centralized logging of application, infrastructure, and security events with access restrictions.
- Monitoring & alerting for anomalous behavior and potential security incidents.
- Log retention appropriate to operations, investigations, and legal requirements.
9. Incident Response & Breach Notification
- Documented Incident Response Plan (triage, containment, eradication, recovery).
- Post-incident reviews and corrective actions after material events.
- For a Personal Data Breach affecting Customer Data, Opptify will notify the Customer without undue delay and provide information to support GDPR obligations.
10. Business Continuity & Backups
- Daily backups of production databases with off-site copies in the EU/EEA.
- Point-in-time recovery (PITR) within the configured retention window.
- Disaster recovery procedures and periodic restoration tests.
11. Sub-processors & AI Usage
Opptify engages carefully selected sub-processors for hosting, storage, monitoring, support tooling, search/indexing, and AI-assisted features. The current list (name, purpose, processing region) is maintained at https://opptify.com/legal/sub-processors and is referenced by the ToS and DPA. Material changes are notified in advance per the DPA/ToS change-notification and objection process.
AI usage. Certain features may invoke an AI API provider as a processor for tenant-scoped interpretation/search. Such APIs are configured so that: (a) Customer Data is not used to train provider models; (b) data is not retained beyond transient processing except limited anti-abuse retention required by the vendor; and (c) processing is limited to the Customer’s tenant context. Any international transfers (if applicable) are governed by the DPA.
12. Customer Responsibilities
- Maintain appropriate user access controls, strong passwords/SSO, and prompt de-provisioning.
- Observe the Acceptable Use Policy (AUP) and avoid uploading prohibited/special-category data unless expressly agreed.
- Configure in-product security settings (e.g., roles/permissions) appropriately for your organization.
13. Policy Maintenance & Changes
This Policy is versioned and may be updated periodically. Material changes that diminish security commitments will be notified to Customers at least 30 days in advance, consistent with the ToS.
Prior versions may be archived and made available on request.
Contact: info@opptify.com
Postal: Opptify AB, ℅ Michael Taylor, Mittvägen 1E, 181 61 Lidingö, Sweden