AI Angels Group
Data Security Policy
Effective Date: September 13, 2025
MANDATORY NOTICE: Security is a non-negotiable requirement for participation in AI Angels Group. Any attempt to probe, disclose, undermine, or bypass our security controls is strictly prohibited and may result in immediate termination of access, preservation of evidence, and referral to the appropriate authorities.
1. Purpose & Scope
This Policy describes the technical, organizational, and administrative measures AI Angels Group ("AAG," "we," "us," or "our") applies to protect information assets, including personal information, investor records, startup information, confidential business plans, due diligence materials, communications, and system telemetry. This Policy applies to all Members, investors, founders, advisors, employees, contractors, visitors, and service providers who access or process AAG information.
2. Governance & Accountability
- Security program overseen by designated security and compliance officers and subject to executive review.
- Policies and standards reviewed at least annually, or upon material change to risk or regulatory requirements.
- Mandatory security awareness training and confidentiality obligations for staff, contractors, and vendors with access to sensitive information.
3. Data Classification & Handling
- Data classified at minimum as: Public, Internal, Confidential, and Restricted.
- Confidential and Restricted data require strict access controls, encryption, monitoring, and documented handling procedures.
- Investor applications, founder submissions, pitch decks, due diligence materials, identity verification documents, and other confidential business information are treated as Confidential Information under our Terms of Service and applicable confidentiality obligations.
4. Encryption
- In Transit: TLS encryption is enforced for all external and internal communications using modern protocols and cipher suites.
- At Rest: Strong encryption protects databases, backups, storage volumes, and secrets repositories.
- Key Management: Encryption keys are segregated, access-controlled, rotated regularly, and managed according to least-privilege principles.
5. Access Control & Authentication
- Role-Based Access Control (RBAC) with least privilege and need-to-know enforcement.
- Multi-factor authentication (MFA) is required for privileged access.
- Formal joiner, mover, and leaver processes ensure timely provisioning and de-provisioning of access rights.
6. Network & Infrastructure Security
- Segmentation of public, application, and data environments with deny-by-default firewall rules.
- Hardened operating system and infrastructure configurations.
- Continuous monitoring for intrusion attempts, DDoS attacks, and infrastructure anomalies.
7. Application Security
- Secure Software Development Lifecycle (SSDLC) incorporating code reviews, automated testing, and threat modeling.
- Rapid remediation of critical vulnerabilities and dependency management.
- Secrets are never stored in source code repositories. Secure coding practices, parameterized queries, input validation, and output encoding are mandatory.
8. Logging, Monitoring & Detection
- Centralized logging of authentication events, administrative actions, and security-relevant activities.
- Continuous monitoring for indicators of compromise and suspicious behavior.
- Protected audit logs with appropriate retention and integrity controls.
9. Incident Response
- Documented Incident Response Plan (IRP) with defined roles, escalation paths, and evidence preservation procedures.
- Containment, eradication, recovery, root-cause analysis, and corrective actions following security incidents.
- Notifications will be provided where required by applicable law.
10. Business Continuity & Disaster Recovery
- Regular encrypted backups of critical systems and data.
- Periodic restoration testing and documented Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
- Disaster recovery exercises conducted at defined intervals.
11. Vendor & Third-Party Risk
- Security due diligence is performed before onboarding third-party providers.
- Contracts include appropriate confidentiality, security, and audit provisions.
- Vendor performance and security posture are reviewed based on risk.
12. Data Retention & Disposal
- Retention is aligned with applicable legal, contractual, regulatory, and operational requirements.
- Secure disposal of electronic and physical media is performed using industry-accepted methods appropriate to the classification of the data.
13. Privacy & Data Protection
- Processing of personal information complies with applicable privacy legislation, including GDPR where applicable.
- Data minimization, purpose limitation, and least-access principles are applied throughout our operations.
14. Member Responsibilities
- Maintain strong, unique passwords and enable multi-factor authentication where available.
- Do not share accounts or disclose Confidential Information.
- Promptly report suspected security incidents, unauthorized access, or compromised credentials.
- Comply with all applicable platform rules, confidentiality obligations, and verification requirements.
15. Prohibited Activities
- Unauthorized scanning, penetration testing, scraping, reverse engineering, or security research without prior written authorization.
- Introduction of malware, automated attack tools, exploits, or attempts to bypass security controls.
16. Responsible Disclosure
If you believe you have identified a security vulnerability, contact us through our designated secure reporting channel with sufficient detail to reproduce the issue. Do not access, modify, or exfiltrate data. Authorized coordinated disclosure may be permitted; unauthorized disclosure constitutes a violation of our Terms of Service and confidentiality obligations.
17. Confidentiality & Enforcement
All security architecture, procedures, communications, monitoring information, and operational security practices are considered Confidential Information. Unauthorized disclosure or misuse constitutes a material breach of our Terms of Service and may result in immediate and permanent termination of access, legal action, and referral to the appropriate authorities.
18. Updates
We may update this Policy periodically to address evolving technology, threats, legal requirements, or operational changes. Material changes will be posted on this website. Continued use of AI Angels Group constitutes acceptance of the revised Policy.
19. Governing Law
This Policy is governed by the laws of the State of California, United States of America, without regard to conflict-of-law principles. The courts of California shall have exclusive jurisdiction over disputes arising from or relating to this Policy.
FINAL NOTICE: AI Angels Group will act swiftly and decisively to protect the confidentiality, integrity, and availability of its systems and information. If you are unwilling to comply with these security obligations, do not use our platform.