Privacy Policy
1. To prevent unauthorized persons from gaining physical access to the data processing systems with which personal data is processed or used (physical access control),
Measures: Orai data is hosted by Google Cloud and Amazon Web Services, both of which hold SOC 2 attestations that mandate compliance with industry-standard physical security controls.
2. To prevent data processing systems from being used without authorization (system access control),
Measures:
- Orai employees are granted access to Orai systems according to their role and team.
- A strong access control list mechanism on the backend prevents other authorized enterprise users from gaining access to user data.
- Terminated employees lose access to all systems within 24 hours of termination.
- All API calls that touch non-public data require authentication.
3. To ensure that persons entitled to use a data processing system have access only to the data to which they have a right of access, and that personal data cannot be read, copied, modified or removed without authorization during processing or use and after storage (data access control),
Measures:
- When granting access, grants are scoped to the minimum breadth and duration needed to complete the relevant business task. Root access is not granted unless absolutely necessary to perform the job function.
- Access logs are reviewed weekly to confirm that no unauthorized access has taken place.
- IAM roles are used on cloud services to grant employees access to the specific cloud services they need.
4. To ensure that personal data cannot be read, copied, modified or removed without authorization during electronic transmission or transport, and that it is possible to verify and establish to which entities a transfer of personal data by means of data transmission facilities is envisaged (transmission control),
Measures:
- Data is encrypted with strong cryptography at all stages, both in transit and at rest.
- Access to and from servers is tightly restricted by a firewall so that only selected services can reach server software.
- All API calls that touch non-public data require authentication.
5. To ensure that it is possible to check and establish whether, and by whom, personal data has been entered into data processing systems, modified or removed (input control),
Measures:
- Data changes cannot be made by unauthorized users.
- All data modification requests made by a user are recorded in an immutable log, which is retained for 6 months.
6. To ensure that, in the case of commissioned processing of personal data, the data is processed strictly in accordance with the instructions of the controller (job control),
Measures:
- All employees complete mandatory security and privacy training created by a verified third party.
- When granting access, grants are scoped to the minimum breadth and duration needed to complete the relevant business task. Root access is not granted unless absolutely necessary to perform the job function.
- All requests for access are requested from, and tracked by, the CTO.
7. To ensure that personal data is protected against accidental destruction or loss (availability control),
Measures: Backups of critical data systems are taken twice a day, and redundant systems are maintained in a geographically separate region to handle disasters.
8. To ensure that data collected for different purposes can be processed separately (separation control),
Measures: Orai maintains strong access control lists to prevent unauthorized access to data. In addition, our database is virtually partitioned to maintain a boundary between different customers' data.
9. To ensure that all other requirements of data protection law are adhered to,
Measures: Orai complies with the EU GDPR. In addition, we use tools such as Vanta and AWS StackGuard to maintain compliance across all company servers and devices.