Security
Revax Technologies Limited — Data Security Commitments
This document sets out the technical and organisational security measures that Revax Technologies Limited ("Revax") maintains in respect of customer data processed via its platform.
1. Infrastructure and Hosting
Customer data is hosted on Google Cloud Platform (GCP). The specific hosting region is determined on a per-deployment basis and communicated to the customer prior to onboarding. Revax does not transfer customer data outside of the agreed hosting jurisdiction.
2. Sub-processors
Revax uses the following categories of third-party sub-processors in connection with the platform:
Google Cloud Platform, Supabase, Neo4j, LangGraph, Anthropic, OpenAI
Customer data shared with AI model providers is transmitted solely for the purpose of generating outputs and is not used by those providers to train their models. Revax will notify customers of any material changes to this sub-processor list.
3. Encryption
All customer data is encrypted in transit using TLS 1.2 or higher. Customer data at rest is encrypted using AES-256 (or equivalent) via the native encryption capabilities of the relevant hosting and database providers.
4. Access Controls
Access to customer data is restricted to authorised Revax personnel on a least-privilege basis. All access to production systems requires multi-factor authentication (MFA). Access permissions are reviewed periodically and revoked promptly upon change of role or termination.
5. Security Incident Notification
In the event Revax becomes aware of any confirmed unauthorised access to, or loss or disclosure of, customer data (a "Security Incident"), Revax shall: (a) notify the affected customer without undue delay and in any event within 72 hours of becoming aware of the Security Incident; and (b) take reasonable steps to contain, investigate, and remediate the Security Incident.
6. Data Retention and Deletion
Revax retains customer data only for the duration of the applicable agreement. Following expiry or termination, Revax shall delete customer data from its production systems within 30 days, except where retention is required by law or expressly permitted under the applicable agreement.
7. Organisational Measures
Revax maintains an information security management programme aligned to ISO/IEC 27001:2022. This includes security awareness obligations for all personnel, regular review of security controls, and documented incident response procedures.
Revax Technologies Ltd is a company registered in England and Wales (No. 16559391).
info@revax.co.uk
Salisbury House, 29 Finsbury Circus, London, EC2M 5SQ
© 2026. All rights reserved
