Information Security Policy
Last updated: November 2025
1. Purpose and Scope
This Information Security Policy establishes the framework for protecting Gridex AI's information assets, customer data, and technology infrastructure. The policy defines security standards, responsibilities, and procedures to ensure the confidentiality, integrity, and availability of all information systems.
Scope: This policy applies to all employees, contractors, consultants, temporary workers, and third parties who access Gridex AI systems, networks, or data, regardless of location or device ownership.
2. Roles and Responsibilities
Information security is a shared responsibility across the organization:
2.1 Security Officer
Name: Tamas Szilagyi
Email: [email protected]
Responsibilities:
- Overall management of the information security program
- Security incident response coordination
- Security policy development and enforcement
- Security risk assessment and mitigation
- Compliance monitoring and reporting
- Security awareness and training coordination
2.2 All Personnel
- Protect company and customer data from unauthorized access
- Use strong authentication and follow password policies
- Report security incidents and suspicious activities immediately
- Complete required security awareness training
- Comply with all information security policies
- Use company resources responsibly and ethically
3. Data Classification
Gridex AI classifies data into three categories to determine appropriate security controls:
3.1 Public Data
Information intended for public disclosure or already publicly available.
Examples:
- Marketing materials and public website content
- Published product documentation
- Public blog posts and press releases
Controls: No special handling required, but integrity must be maintained.
3.2 Confidential Data
Internal business information that could harm the company if disclosed.
Examples:
- Business plans and internal strategies
- Financial information and pricing models
- Employee information (non-sensitive)
- Internal technical documentation
- Non-public product roadmaps
Controls: Access restricted to employees with business need; encrypted in transit; secure storage required.
3.3 Highly Confidential Data
Sensitive information that could cause significant harm if disclosed, including all customer data.
Examples:
- Customer personal data (names, emails, business information)
- Customer conversation logs and AI interactions
- Authentication credentials and API keys
- Subscription status metadata (payment processing is handled by Stripe, a PCI-compliant third party; we do not store credit card data or invoices)
- OAuth tokens for third-party integrations (Google Calendar, Meta Messenger/WhatsApp)
- Customer knowledge base documents and embeddings
- Security configurations and vulnerability information
- Source code and proprietary algorithms
Controls: Strict access controls with MFA required; encrypted at rest and in transit; audit logging enabled; regular access reviews; secure deletion procedures.
4. System Architecture and Trust Boundaries
Gridex AI operates a cloud-native architecture entirely within the Microsoft Azure ecosystem. This section describes the system components, trust boundaries, and data flows.
4.1 System Components
4.2 Trust Boundaries
Trust boundaries define where data crosses from untrusted to trusted zones. Gridex AI enforces security controls at the following boundaries:
5. Access Control and Authentication
Gridex AI implements strong access controls to protect systems and data:
5.1 Authentication Requirements
5.2 Access Control Principles
5.3 Password Policy
- Minimum 12 characters for all accounts
- Must not be reused across Gridex AI and personal accounts
- Change immediately if compromise suspected
- Never share passwords with anyone, including IT support
- Do not write down or store unencrypted
- Avoid common patterns (e.g., "Password123", "Welcome123")
6. Data Protection and Encryption
Gridex AI implements comprehensive encryption to protect data throughout its lifecycle:
6.1 Encryption Standards
6.2 Infrastructure Security
6.3 AI Model Data Protection
Customer data used with AI models receives special protection:
- Azure OpenAI Service ensures customer prompts and completions are NEVER used to train AI models
- Customer data is NOT available to Microsoft or other Azure customers
- Data remains exclusively within the customer's Azure tenant
- Complete data isolation between different Gridex AI customers
- No human reviewers access customer data without explicit permission
7. Email and Communications Security
7.1 Email Usage Policy
8. Network and Wireless Security
8.1 Wireless Network Security
9. Security Incident Response
Gridex AI maintains a comprehensive Incident Response Policy to handle security events effectively.
For detailed incident response procedures, severity classifications, and response times, please refer to our Incident Response Policy.
10. Business Continuity and Disaster Recovery
Gridex AI maintains business continuity and disaster recovery capabilities to ensure service availability:
10.1 Data Backup and Recovery
11. Employee Responsibilities
All Gridex AI personnel must adhere to the following security practices:
12. Policy Compliance and Enforcement
12.1 Compliance Monitoring
- Regular security audits and vulnerability assessments
- Automated security monitoring and alerting
- Access log reviews and anomaly detection
- Periodic security awareness training and testing
- Third-party security assessments and penetration testing
13. Policy Review and Updates
This Information Security Policy is reviewed and updated at least annually, or more frequently in response to significant security incidents, regulatory changes, or business needs. All personnel will be notified of material changes and required to acknowledge updated policies.
14. Questions and Contact Information
For questions about this Information Security Policy or to report security concerns:
Security Officer: Tamas Szilagyi
Email: [email protected]
TeleCetli Kft.
7634 Pécs, Darázs dűlő 70., Hungary
