Last Updated: 14th September 2025
1. INTRODUCTION
1.1. This Security Addendum (“Security Addendum”) supplements the Privacy Policy and General Terms with regard to the Service owned and operated by or on behalf of BRIEF TECH PTE. LTD., its Affiliates (collectively “BriefTech”, “we”, “us” or “our”). This Security Addendum forms part of the terms and conditions, governing Your specific relationship with BriefTech. Capitalized terms not defined in this Security Addendum have the meanings given to them in the General Terms.
1.2. Acknowledgement and Consent - By interacting with us, visiting our website http://brieftech.ai (“Website”) or accessing the Service, You acknowledge and agree that You accept the practices, requirements, and/or policies outlined in this Security Addendum.
2. CLOUD INFRASTRUCTURE SECURITY
2.1. P&C Data, Confidential Information and Personal Data will be stored by BriefTech and its vendors in data centers located in the geographic region specified on Your currently operative order form or as agreed to otherwise in writing. In the absence of such specification, the location of storage will be in Singapore.
2.2. You may request to have Your P&C Data and Confidential Information stored in a separate specific geographic region. BriefTech will use commercially reasonable efforts subject to agreeable fees to do so where supported by our underlying cloud service provider(s) and where otherwise in compliance with applicable laws and regulations.
3. ENCRYPTION
3.1. BriefTech encrypts P&C Data and Confidential Information at-rest using AES 256-bit (or better) encryption. BriefTech uses Transport Layer Security (or better) for P&C Data and Confidential Information in-transit over public or untrusted networks.
4. SYSTEM AND NETWORK SECURITY AND CONTROLS
4.1. The computing services utilized to offer the Service are cloud-based and provided to BriefTech via one or more cloud service providers and represent our “Cloud Environment.”
4.2. BriefTech personnel access to our Cloud Environment is with a unique user ID and is consistent with the principle of least privilege. Access requires a secure connection, SSO, multi-factor authentication (2FA), and passwords meeting or exceeding reasonable length and complexity requirements.
4.3. BriefTech personnel will not access P&C Data or Confidential Information except (i) to provide or support the Service at the express written authorization of the owner or (ii) to comply with the law or a binding order of a governmental body.
4.4. In accessing our Cloud Environment, our personnel will utilize security controls that include encryption and that also include endpoint detection.
4.5. Our Cloud Environment operates exclusively on serverless and fully managed services (no virtual machines) and thus relies on our cloud provider’s built-in anti-malware, patch management, and OS-hardening controls to secure all underlying infrastructure.
4.6. BriefTech follows industry practices such as mitigating relevant security vulnerabilities identified in the Open Web Application Security Project (OWASP) Top 10, including cross-site request forgery, cross-site scripting (XSS), SQL injection (SQLi), authentication and authorization vulnerabilities, and others. All code is reviewed prior to being merged into the main branch. Third-party dependencies are continually monitored for vulnerabilities and we ensure we stay up to date with the latest secure libraries.
4.7. BriefTech reviews all highly-privileged accounts (“administrator” or “root” accounts) in systems that contain or have access to P&C Data and Confidential Information at least annually and reduces administrative access if it is no longer needed (in other words, the least privilege principles are followed).
5. VENDORS AND SUB-PROCESSORS
5.1. BriefTech ensures that any of its vendors that process P&C Data or Confidential Information maintain security measures consistent with our obligations under this Security Addendum.
6. DATA CENTER CONTROLS
6.1. Our Cloud Environment is maintained by a third-party cloud service provider. We ensure that our cloud service provider's data centers have appropriate controls as audited under their third-party audits and certifications. Our cloud service provider will have an annual SOC 2 Type II audit and ISO 27001 certification, or industry-recognized equivalent frameworks. Such controls include:
6.1.1. Physical access to facilities is controlled at building ingress points;
6.1.2. Visitors are required to present ID and must be signed in;
6.1.3. Physical access to servers is managed by access control devices;
6.1.4. Physical access privileges are reviewed regularly;
6.1.5. Facilities utilize monitor and alarm response procedures;
6.1.6. Facilities utilize CCTV;
6.1.7. Facilities have adequate fire detection and protection systems;
6.1.8. Facilities have adequate back-up and redundancy systems; and
6.1.9. Facilities have appropriate climate control systems.
6.2. BriefTech does not maintain physical offices other than for limited corporate and executive purposes. Under no circumstances is P&C Data or Confidential Information stored or hosted at such offices.
7. INCIDENT DETECTION AND RESPONSE
7.1. If BriefTech becomes aware of a breach of security leading to the destruction, loss, alteration, unauthorized disclosure of, or access to P&C Data or Confidential Information (a “Security Incident”), BriefTech will notify You without undue delay, and in any case, within 72 hours after becoming aware. You will be notified at the security notice email address indicated on Your currently operative Order Form or Engagement Letter or as otherwise determined appropriate by BriefTech.
7.2. In the event of a Security Incident as described above, BriefTech will promptly take reasonable steps to contain, investigate, and mitigate any Security Incident and its impact.
7.3. BriefTech will provide You with timely information about the Security Incident, including the nature and consequences of the Security Incident, the status of our investigation, and a contact point from which additional information may be obtained. BriefTech will also share information about the measures taken or proposed by BriefTech to mitigate or contain the Security Incident after the investigation into the Security Incident has concluded. You acknowledge that because BriefTech personnel may not have visibility to the content of P&C Data and Confidential Information, it may be the case that we are unable to provide detailed analysis of the type of P&C Data and Confidential Information impacted by the Security Incident. Communications in connection with a Security Incident will not be construed as an acknowledgment by BriefTech of any fault or liability with respect to the Security Incident.
8. AUDIT LOGGING
8.1. BriefTech will create, protect, and retain information system audit records to the extent needed to maintain integrity, and will enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity. Actions of human information system users can be uniquely traced to those users.
8.2. Audit logs are retained for a minimum of 1 year, and may be retained up to a maximum of 10 years. Audit logs are protected against tampering.
9. CUSTOMER RESPONSIBILITIES
9.1. You are responsible for managing and securing Your methods to access the Service (for example, password, SSO connections, email inboxes for email-code-authentication, etc.).
9.2. User credentials must be kept confidential and may not be shared with unauthorized parties. A single account may not be shared among multiple persons. You must promptly report any suspicious activities related to Your account(s) (such as when You reasonably believe that credentials have been compromised).
9.3. You are responsible for keeping Your relevant IT systems (such as the browser You use to access the Service) up-to-date and appropriately patched.